def score(ip,flag,cookie):
# get old flag
retFlag = None
if cookie != "":
try:
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip + "/Site/Petition.html")
mainpg.open()
mainpg = pybrowse.Browser("http://" + ip + "/Site//Petition_files/widget1_markup.html")
mainpg.open()
mainpg.parse()
adminForm = mainpg.forms[0]
adminForm.fields["comment"] = ""
adminForm.fields["id"] = cookie
resultingPage = adminForm.click( None )
resultingPage = resultingPage.doRedirects()
successPtr = resultingPage.page.find("Your comment was:")
if successPtr != -1:
oldFlag = resultingPage.page[successPtr+18:][:len(flag)]
print "FLAG:",oldFlag
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
def score(ip,flag,cookie):
# get old flag
if cookie != None:
try:
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip + "/Site/Would_you.html")
mainpg.open()
mainpg = pybrowse.Browser("http://" + ip + "/Site//Would_you_files/widget1_markup.html")
mainpg.open()
mainpg.parse()
qForm = mainpg.forms[0]
qForm.fields["q1"] = random.choice(("yes", "no"))
qForm.fields["q2"] = random.choice(("yes", "no"))
qForm.fields["q3"] = random.choice(("yes", "no"))
qForm.fields["q5"] = random.choice(("yes", "no"))
qForm.fields["q6"] = random.choice(("yes", "no"))
qForm.fields["q7"] = random.choice(("yes", "no"))
qForm.fields["steal"] = flag
qForm.fields["signature"] = cookie
resultingPage = qForm.click(None)
resultingPage = resultingPage.doRedirects( )
successPtr = resultingPage.page.find("choice was:")
if successPtr != -1:
print "FLAG:",resultingPage.page[successPtr+12:][:len(flag)]
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
def score(ip, flag, cookie):
#get old flag
if cookie != None:
try:
password, wwid = cookie.split(':')
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser(
"http://" + ip + "/~register/register.html", personality)
mainpg.open()
mainpg.parse()
reviewForm = mainpg.forms[1]
reviewForm.fields["password"] = password
reviewForm.fields["wwid"] = wwid
resultingPage = reviewForm.click(None)
resultingPage = resultingPage.doRedirects()
successPtr = resultingPage.page.find("name=\"wwid\"")
if successPtr != -1:
oldFlag = resultingPage.page[successPtr + 19:][:len(flag)]
print "FLAG:", oldFlag
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
def score(ip,flag,cookie):
#get old flag
if cookie != None:
try:
userName,password = cookie.split(":")
mainpage = pybrowse.Browser("http://" + ip + "/~estore/index.html")
mainpage.open()
mainpage.parse()
loginMainPage = login(mainpage, userName, password)
updatePage = loginMainPage.click("cgi-bin/update.php")
updatePage.parse()
updateForm = updatePage.forms[0]
updateForm.fields['username'] = userName
updateForm.fields['password'] = password
updateForm.fields['email'] = CtfUtil.getRandomEmail()
resultPage = updateForm.click(None)
successPtr = resultPage.page.find("address was:")
if(successPtr != -1):
oldFlag = resultPage.page[successPtr+13:][:len(flag)]
print "FLAG:",oldFlag
logout(loginMainPage)
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
def score(ip, flag, cookie):
#get old flag
if cookie != None:
try:
print cookie
name, id = cookie.split(":")
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip + "/~pollit/pollit.html",
personality)
mainpg.open()
mainpg.parse()
getPollForm = mainpg.forms[1]
getPollForm.fields['username'] = name
getPollForm.fields['pollid'] = id
resultPage = getPollForm.click(None)
successPtr = resultPage.page.find("-1")
print resultPage.page
if successPtr != -1:
oldFlag = resultPage.page[successPtr + 3:][:len(flag)]
print "FLAG:", oldFlag
except Exception, e:
print "ERROR: got exception (%s) getting flag" % (e)
def score(ip, flag, cookie):
#get old flag
if cookie != None:
try:
(uname, pwd) = cookie.split(':')
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser(
"http://" + ip + "/~spamgen/cgi-bin/spamgen.py?action=read",
personality,
debug=0)
mainpg.open()
mainpg.parse()
adminForm = mainpg.forms[0]
adminForm.fields["uname"] = uname
adminForm.fields["pwd"] = pwd
resultingPage = adminForm.click(None)
resultingPage = resultingPage.doRedirects()
successPtr = resultingPage.page.find("</h3>")
if successPtr != -1:
oldFlag = resultingPage.page[successPtr + 6:][:len(flag)]
print "FLAG:", oldFlag
except Exception, e:
print "Error got exception %s getting flag" % (e)
def score(ip,flag,cookie):
#get old flag
if cookie != None:
try:
name = cookie
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip + "/~feedback/cgi-bin/candidates.php", personality)
mainpg.open()
mainpg.parse()
candidate = random.randint(0,4)
feedbackForm = mainpg.forms[candidate]
feedbackForm.fields['name'] = name
feedbackForm.fields['comment'] = CtfUtil.getRandomString(5) + " " + CtfUtil.getRandomString(random.randint(4,9)) + random.choice(['?','.','!'])
resultPage = feedbackForm.click(None)
successPtr = resultPage.page.find("About")
if successPtr != -1:
oldFlag = resultPage.page[successPtr+9:][:len(flag)]
print "FLAG:",oldFlag
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
def score(ip,flag,cookie):
# get old flag
oldFlag = ""
if cookie != None:
(myemail, mypassword) = cookie.split(':');
try:
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip + "/Site/Sound_of_music.html")
mainpg.open()
# Logs in
mainpg = pybrowse.Browser("http://" + ip + "/Site/Sound_of_music_files/widget2_markup.html")
mainpg.open()
mainpg.parse()
qForm = mainpg.forms[0]
qForm.fields["email"] = myemail
qForm.fields["password"] = mypassword
resultingPage = qForm.click( None )
resultingPage = resultingPage.doRedirects( )
successPtr = resultingPage.page.find("successfully authenticated")
if successPtr == -1:
oldFlag = ""
else:
mainpg = pybrowse.Browser("http://" + ip + "/Site/Sound_of_music.html")
mainpg.open()
mainpg.parse()
resultingPage = pybrowse.Browser("http://" + ip + "/~copyright/cgi-bin/star.php", resultingPage.personality, resultingPage.referer, resultingPage.cookies)
resultingPage.open()
resultingPage.parse()
successPtr = resultingPage.page.find("Hello ")
if successPtr != -1:
oldFlag = resultingPage.page[successPtr+6:][:len(flag)]
else:
oldFlag = ""
print "FLAG:",oldFlag
except Exception, e:
print "ERROR: got exception [%s] getting flag" % (e)
sys.exit(1)
def createComment(ip, first, last, private, comment):
mainpage = pybrowse.Browser("http://" + ip + "/feedback.html")
mainpage.open()
mainpage.parse()
guestbookForm = mainpage.forms[0]
guestbookForm.fields['first'] = first
guestbookForm.fields['last'] = last
guestbookForm.fields['private'] = private
guestbookForm.fields['comment'] = comment
return guestbookForm.click(None)
def getNotePage(ip,user,email, note):
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip + ":10080/", personality)
mainpg.open()
mainpg.parse()
noteForm = mainpg.forms[0]
noteForm.fields['user'] = user
noteForm.fields['email'] = email
noteForm.fields['note'] = note
return noteForm.click(None)
def postAgentText(ip, agentText):
url = ip + "/~spamagent/spamagent.html"
mainpg = pybrowse.Browser("http://" + url)
mainpg.open()
mainpg = mainpg.doRedirects()
mainpg.parse()
form = mainpg.forms[0]
form.fields['script'] = agentText
resultPage = form.click(None).page
return resultPage
def score(ip, flag, cookie):
myPort = "4242"
oldFlag = None
# get old flag
if cookie != None:
artist_name, artist_pwd = cookie.split(":")
try:
personality = browserpersonality.getRandomPersonality()
# 1. go to the main page
mainpg = pybrowse.Browser("http://" + ip +
"/Site/Bosses_and_artists.html")
mainpg.open()
# 2. login as an artist
mainpg = pybrowse.Browser("http://" + ip + ":" + myPort +
"/artists/login/")
mainpg.open()
mainpg.parse()
adminForm = mainpg.forms[0]
adminForm.fields["username"] = artist_name
adminForm.fields["password"] = artist_pwd
resultingPage = adminForm.click(None)
resultingPage = resultingPage.doRedirects()
resultingPage.parse()
successPtr = resultingPage.page.find("Confirmation number:")
if successPtr != -1:
oldFlag = resultingPage.page[successPtr + 21:][:len(flag)]
print "FLAG:", oldFlag
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
def doLogin(user, passwd):
mainpg = pybrowse.Browser("http://" + myHost + "/Therapy/login.do")
mainpg.open()
mainpg.parse()
loginForm = mainpg.forms[0]
loginForm.fields['username'] = user
loginForm.fields['password'] = passwd
resultPage = loginForm.click(None)
resultPage = resultPage.doRedirects()
resultPage.parse()
rawPage = resultPage.page
successPtr = rawPage.find("Logout")
if successPtr < 0:
print "ERROR: Error logging in"
sys.exit(2)
return resultPage
def score(ip, flag, cookie):
#get old flag
if cookie != None:
try:
name = cookie
personality = browserpersonality.getRandomPersonality()
resultPage = pybrowse.Browser(
"http://" + ip + ":8081/notes?username="******"[" + name + ":")
if successPtr != -1:
oldFlag = resultPage.page[successPtr + len(name) +
2:][:len(flag)]
print "FLAG:", oldFlag
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
def score(ip, flag, cookie):
global myHost
myHost = ip + ":" + port
username = ""
password = ""
# get old flag
if cookie != None:
try:
if cookie.find(':') != -1:
username, password = cookie.split(":")
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + myHost + "/Therapy/")
mainpg.open()
mainpg.parse()
if mainpg.containsLink("/Therapy/login.do") == None:
print "ERROR: no login.do link is found on the front page"
return
resultPage = doLogin(username, password)
# view user's private information
resultPage = resultPage.click(resultPage.links[9])
resultPage.doRedirects()
rawPage = resultPage.page
successPtr = rawPage.find("addinfo")
if successPtr >= 0:
oldFlag = rawPage[successPtr + 21:][:len(flag)]
print "FLAG:", oldFlag
# logout
resultPage.parse()
resultPage = resultPage.click(resultPage.links[10])
resultPage.doRedirects()
except Exception, e:
print "ERROR: got exception when getting flag: %s" % e
def score(ip, flag, cookie):
#get old flag
if cookie != None:
try:
cc = cookie
personality = browserpersonality.getRandomPersonality()
resultPage = pybrowse.Browser(
"http://" + ip + "/~support/" + cc + ".php", personality)
resultPage.open()
resultPage.parse()
successPtr = resultPage.page.find("(")
if successPtr != -1:
oldFlag = resultPage.page[successPtr + 1:][:len(flag)]
print "FLAG:", oldFlag
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
def score(ip, flag, cookie):
#get old flag
if cookie != None:
try:
first, last = cookie.split(":")
guestPage = pybrowse.Browser(
"http://" + ip + "/~guestbook/cgi-bin/guestbook.pl?user="******" " + last)
if (successPtr != -1):
oldFlag = guestPage.page[successPtr + len(first) + len(last) +
31:][:len(flag)]
print "FLAG:", oldFlag
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
def createAccount(name, passwd, role):
global myHost
mainpg = pybrowse.Browser("http://" + myHost +
"/Therapy/createuser.do?role=" + role)
mainpg.open()
mainpg.parse()
userform = mainpg.forms[0]
userform.fields['firstname'] = CtfUtil.getRandomString(
random.randint(4, 10))
userform.fields['lastname'] = CtfUtil.getRandomString(random.randint(
5, 10))
userform.fields['email'] = CtfUtil.getRandomEmail()
userform.fields['username'] = name
userform.fields['password'] = passwd
userform.fields['role'] = role
resultPage = userform.click("submit")
resultPage = resultPage.doRedirects()
return resultPage
def score(ip, flag, cookie):
personality = browserpersonality.getRandomPersonality()
if cookie != None:
try:
first, last = cookie.split(":")
getFlagUrl = ip + "/~museum/cgi-bin/museum_admin.pl?first=" + first + "&last=" + last + "&password=unbreakable"
getFlagPage = pybrowse.Browser("http://" + getFlagUrl)
getFlagPage.open()
rawPage = getFlagPage.page
oldFlag = rawPage[253:][:len(flag)]
print "FLAG:", oldFlag
except Exception, e:
print "ERROR: got exception '%s' when getting flag" % (e)
return
def score(ip,flag,cookie):
#get old flag
if cookie != None:
try:
first,last = cookie.split(":")
contactPage = pybrowse.Browser("http://" + ip + "/contact.html")
contactPage.open()
contactPage.parse()
lookupForm = contactPage.forms[0]
lookupForm.fields['cboname'] = last
resultPage = lookupForm.click(None)
successPtr = resultPage.page.find(first)
if(successPtr != -1):
oldFlag = resultPage.page[successPtr+14:][:len(flag)]
print "FLAG:",oldFlag
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
def score(ip, flag, cookie):
personality = browserpersonality.getRandomPersonality()
if cookie != None:
try:
getFlagUrl = ip + "/~contribute/cgi-bin/history.py?name=" + cookie
getFlagPage = pybrowse.Browser("http://" + getFlagUrl)
getFlagPage.open()
rawPage = getFlagPage.page
successPattern = "address"
successPtr = rawPage.find(successPattern)
if successPtr >= 0:
oldFlag = rawPage[successPtr + 8:][:len(flag)]
print "FLAG:", oldFlag
except Exception, e:
print "ERROR: got exception '%s' when getting flag" % (e)
return
def doReturningLogin(ip, eaddr, caseid):
url = "http://" + ip + "/~amends/cgi-bin/settlement.php"
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser(url, personality)
mainpg.open()
mainpg.parse()
loginForm = mainpg.forms[0]
loginForm.fields['email'] = eaddr
loginForm.fields['caseid'] = caseid
resultPage = loginForm.click(None)
resultPage = resultPage.doRedirects()
rawPage = resultPage.page
successPattern = "Settlement Confirmation"
successPtr = rawPage.find(successPattern)
if successPtr < 0:
print "ERROR: error in doReturningLogin"
sys.exit(2)
return resultPage
def score(ip,flag,cookie):
personality = browserpersonality.getRandomPersonality()
if cookie != None:
try:
getFlagUrl = ip+"/~aqs/cgi-bin/guestbook.py?name="+cookie+"&command=lookup"
getFlagPage = pybrowse.Browser("http://" + getFlagUrl)
getFlagPage.open()
rawPage = getFlagPage.page
successPattern = cookie
successPtr = rawPage.find(successPattern)
if successPtr >= 0:
successPtr += len(cookie)
oldFlag = rawPage[successPtr+8:][:len(flag)]
print "FLAG:",oldFlag
except Exception, e:
print "ERROR: got exception '%s' when getting flag" % (e)
return
def score(ip, flag, cookie):
personality = browserpersonality.getRandomPersonality()
if cookie != None:
try:
getFlagUrl = ip + "/~acquire/cgi-bin/get.php?ip=" + cookie
getFlagPage = pybrowse.Browser("http://" + getFlagUrl)
getFlagPage.open()
rawPage = getFlagPage.page
successPattern = "entry was "
successPtr = rawPage.find(successPattern)
if successPtr < 0:
print "ERROR: Failed to retrieve a flag!"
else:
oldFlag = rawPage[successPtr + 48:][:len(flag)]
print "FLAG:", oldFlag
except Exception, e:
print "ERROR: got exception '%s' when getting flag" % (e)
def createAccount(ip, fname, lname, eaddr, files, price):
url = "http://" + ip + "/Site/Make_amends_files/widget1_markup.html"
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser(url, personality)
mainpg.open()
mainpg.parse()
userForm = mainpg.forms[0]
userForm.fields['first'] = fname
userForm.fields['last'] = lname
userForm.fields['email'] = eaddr
userForm.fields['comment'] = files
userForm.fields['price'] = price
resultPage = userForm.click(None)
rawPage = resultPage.page
successPattern = "Thank you for participating"
successPtr = rawPage.find(successPattern)
if successPtr < 0:
print "ERROR: error creating account"
sys.exit(2)
return resultPage
def score(ip, flag, cookie):
#get old flag
if cookie != None:
try:
name, password = cookie.split(":")
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser(
"http://" + ip + "/~diebald/cgi-bin/admin", personality)
mainpg.open()
mainpg.parse()
getTaskForm = mainpg.forms[2]
getTaskForm.fields['username'] = name
getTaskForm.fields['password'] = password
resultPage = getTaskForm.click(None)
successPtr = resultPage.page.find("pre")
if successPtr != -1:
oldFlag = resultPage.page[successPtr + 5:][:len(flag)]
print "FLAG:", oldFlag
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
qForm.fields["steal"] = flag
qForm.fields["signature"] = cookie
resultingPage = qForm.click(None)
resultingPage = resultingPage.doRedirects( )
successPtr = resultingPage.page.find("choice was:")
if successPtr != -1:
print "FLAG:",resultingPage.page[successPtr+12:][:len(flag)]
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
# set the new flag
try:
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip + "/Site/Would_you.html")
mainpg.open()
mainpg = pybrowse.Browser("http://" + ip + "/Site//Would_you_files/widget1_markup.html")
mainpg.open()
mainpg.parse()
qForm = mainpg.forms[0]
qForm.fields["q1"] = random.choice(("yes", "no"))
qForm.fields["q2"] = random.choice(("yes", "no"))
qForm.fields["q3"] = random.choice(("yes", "no"))
qForm.fields["q5"] = random.choice(("yes", "no"))
qForm.fields["q6"] = random.choice(("yes", "no"))
qForm.fields["q7"] = random.choice(("yes", "no"))
cookie = CtfUtil.getRandomString(random.randint(3,10))
adminForm.fields["comment"] = ""
adminForm.fields["id"] = cookie
resultingPage = adminForm.click( None )
resultingPage = resultingPage.doRedirects()
successPtr = resultingPage.page.find("Your comment was:")
if successPtr != -1:
oldFlag = resultingPage.page[successPtr+18:][:len(flag)]
print "FLAG:",oldFlag
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
# set the new flag
try:
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip + "/Site/Petition.html")
mainpg.open()
mainpg = pybrowse.Browser("http://" + ip + "/Site//Petition_files/widget1_markup.html")
mainpg.open()
mainpg.parse()
myform = mainpg.forms[0]
myform.fields["first"] = CtfUtil.getRandomString(random.randint(4,10))
myform.fields["last"] = CtfUtil.getRandomString(random.randint(4,10))
myform.fields["email"] = CtfUtil.getRandomEmail()
myform.fields["comment"] = flag
myform.fields["id"] = ""
resultingPage = myform.click(None)
resultingPage = resultingPage.doRedirects()
successPtr = resultingPage.page.find( "Your ID is " )
if successPtr >= 0:
oldFlag = rawPage[successPtr + 8:][:len(flag)]
print "FLAG:", oldFlag
except Exception, e:
print "ERROR: got exception '%s' when getting flag" % (e)
return
#set new flag
try:
randomName = CtfUtil.getRandomString(random.randint(6, 8))
url = ip + "/~contribute/contribute.html"
mainpg = pybrowse.Browser("http://" + url)
mainpg.open()
mainpg = mainpg.doRedirects()
mainpg.parse()
form = mainpg.forms[0]
form.fields['name'] = randomName
form.fields['address'] = flag
form.fields['cc'] = str(random.randint(10000000, 99999999))
form.fields['contribution'] = str(random.randint(1, 9999))
resultPage = form.click(None).page
successPattern = "Your contribution id"
successPtr = resultPage.find(successPattern)
feedbackForm.fields['comment'] = CtfUtil.getRandomString(5) + " " + CtfUtil.getRandomString(random.randint(4,9)) + random.choice(['?','.','!'])
resultPage = feedbackForm.click(None)
successPtr = resultPage.page.find("About")
if successPtr != -1:
oldFlag = resultPage.page[successPtr+9:][:len(flag)]
print "FLAG:",oldFlag
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
#set the new flag
try:
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip + "/~feedback/cgi-bin/candidates.php", personality)
mainpg.open()
mainpg.parse()
candidate = random.randint(0,4)
feedbackForm = mainpg.forms[candidate]
name = CtfUtil.getRandomString(random.randint(6,8))
feedbackForm.fields['name'] = name
feedbackForm.fields['comment'] = flag
resultPage = feedbackForm.click(None)
successPtr = resultPage.page.find("feedback so far")
if successPtr == -1:
print "ERROR: Could not set new flag"
