def score(ip,flag,cookie): #get old flag if cookie != None: try: print cookie name,id = cookie.split(":") personality = browserpersonality.getRandomPersonality() mainpg = pybrowse.Browser("http://" + ip + "/~pollit/pollit.html", personality) mainpg.open() mainpg.parse() getPollForm = mainpg.forms[1] getPollForm.fields['username'] = name getPollForm.fields['pollid'] = id resultPage = getPollForm.click(None) successPtr = resultPage.page.find("-1") print resultPage.page if successPtr != -1: oldFlag = resultPage.page[successPtr+3:][:len(flag)] print "FLAG:",oldFlag except Exception, e: print "ERROR: got exception (%s) getting flag" % (e)
def score(ip,flag,cookie): # get old flag retFlag = None if cookie != "": try: personality = browserpersonality.getRandomPersonality() mainpg = pybrowse.Browser("http://" + ip + "/Site/Petition.html") mainpg.open() mainpg = pybrowse.Browser("http://" + ip + "/Site//Petition_files/widget1_markup.html") mainpg.open() mainpg.parse() adminForm = mainpg.forms[0] adminForm.fields["comment"] = "" adminForm.fields["id"] = cookie resultingPage = adminForm.click( None ) resultingPage = resultingPage.doRedirects() successPtr = resultingPage.page.find("Your comment was:") if successPtr != -1: oldFlag = resultingPage.page[successPtr+18:][:len(flag)] print "FLAG:",oldFlag except Exception, e: print "ERROR: got exception %s getting flag" % (e)
def score(ip,flag,cookie): myPort = "4242" oldFlag = None # get old flag if cookie != None: artist_name, artist_pwd = cookie.split(":") try: personality = browserpersonality.getRandomPersonality() # 1. go to the main page mainpg = pybrowse.Browser("http://" + ip + "/Site/Bosses_and_artists.html") mainpg.open() # 2. login as an artist mainpg = pybrowse.Browser("http://" + ip + ":" + myPort + "/artists/login/") mainpg.open() mainpg.parse() adminForm = mainpg.forms[0] adminForm.fields["username"] = artist_name adminForm.fields["password"] = artist_pwd resultingPage = adminForm.click( None ) resultingPage = resultingPage.doRedirects( ) resultingPage.parse() successPtr = resultingPage.page.find("Confirmation number:") if successPtr != -1: oldFlag = resultingPage.page[successPtr + 21:][:len(flag)] print "FLAG:",oldFlag except Exception, e: print "ERROR: got exception %s getting flag" % (e)
def score(ip,flag,cookie): #get old flag if cookie != None: try: password, wwid = cookie.split(':') personality = browserpersonality.getRandomPersonality() mainpg = pybrowse.Browser("http://" + ip + "/~register/register.html", personality) mainpg.open() mainpg.parse() reviewForm = mainpg.forms[1] reviewForm.fields["password"] = password reviewForm.fields["wwid"] = wwid resultingPage = reviewForm.click(None) resultingPage = resultingPage.doRedirects() successPtr = resultingPage.page.find("name=\"wwid\"") if successPtr != -1: oldFlag = resultingPage.page[successPtr+19:][:len(flag)] print "FLAG:",oldFlag except Exception, e: print "ERROR: got exception %s getting flag" % (e)
def score(ip,flag,cookie): # get old flag if cookie != None: try: personality = browserpersonality.getRandomPersonality() mainpg = pybrowse.Browser("http://" + ip + "/Site/Would_you.html") mainpg.open() mainpg = pybrowse.Browser("http://" + ip + "/Site//Would_you_files/widget1_markup.html") mainpg.open() mainpg.parse() qForm = mainpg.forms[0] qForm.fields["q1"] = random.choice(("yes", "no")) qForm.fields["q2"] = random.choice(("yes", "no")) qForm.fields["q3"] = random.choice(("yes", "no")) qForm.fields["q5"] = random.choice(("yes", "no")) qForm.fields["q6"] = random.choice(("yes", "no")) qForm.fields["q7"] = random.choice(("yes", "no")) qForm.fields["steal"] = flag qForm.fields["signature"] = cookie resultingPage = qForm.click(None) resultingPage = resultingPage.doRedirects( ) successPtr = resultingPage.page.find("choice was:") if successPtr != -1: print "FLAG:",resultingPage.page[successPtr+12:][:len(flag)] except Exception, e: print "ERROR: got exception %s getting flag" % (e)
def score(ip, flag, cookie): #get old flag if cookie != None: try: print cookie name, id = cookie.split(":") personality = browserpersonality.getRandomPersonality() mainpg = pybrowse.Browser("http://" + ip + "/~pollit/pollit.html", personality) mainpg.open() mainpg.parse() getPollForm = mainpg.forms[1] getPollForm.fields['username'] = name getPollForm.fields['pollid'] = id resultPage = getPollForm.click(None) successPtr = resultPage.page.find("-1") print resultPage.page if successPtr != -1: oldFlag = resultPage.page[successPtr + 3:][:len(flag)] print "FLAG:", oldFlag except Exception, e: print "ERROR: got exception (%s) getting flag" % (e)
def score(ip,flag,cookie): #get old flag if cookie != None: try: name = cookie personality = browserpersonality.getRandomPersonality() mainpg = pybrowse.Browser("http://" + ip + "/~feedback/cgi-bin/candidates.php", personality) mainpg.open() mainpg.parse() candidate = random.randint(0,4) feedbackForm = mainpg.forms[candidate] feedbackForm.fields['name'] = name feedbackForm.fields['comment'] = CtfUtil.getRandomString(5) + " " + CtfUtil.getRandomString(random.randint(4,9)) + random.choice(['?','.','!']) resultPage = feedbackForm.click(None) successPtr = resultPage.page.find("About") if successPtr != -1: oldFlag = resultPage.page[successPtr+9:][:len(flag)] print "FLAG:",oldFlag except Exception, e: print "ERROR: got exception %s getting flag" % (e)
def score(ip,flag,cookie): #get old flag if cookie != None: try: (uname, pwd) = cookie.split(':') personality = browserpersonality.getRandomPersonality() mainpg = pybrowse.Browser("http://" + ip + "/~spamgen/cgi-bin/spamgen.py?action=read", personality, debug=0) mainpg.open() mainpg.parse() adminForm = mainpg.forms[0] adminForm.fields["uname"] = uname adminForm.fields["pwd"] = pwd resultingPage = adminForm.click(None) resultingPage = resultingPage.doRedirects( ) successPtr = resultingPage.page.find( "</h3>" ) if successPtr != -1: oldFlag = resultingPage.page[successPtr+6:][:len(flag)] print "FLAG:",oldFlag except Exception, e: print "Error got exception %s getting flag" % (e)
def getNotePage(ip,user,email, note): personality = browserpersonality.getRandomPersonality() mainpg = pybrowse.Browser("http://" + ip + ":10080/", personality) mainpg.open() mainpg.parse() noteForm = mainpg.forms[0] noteForm.fields['user'] = user noteForm.fields['email'] = email noteForm.fields['note'] = note return noteForm.click(None)
def score(ip,flag,cookie): #get old flag if cookie != None: try: name = cookie personality = browserpersonality.getRandomPersonality() resultPage = pybrowse.Browser("http://" + ip + ":8081/notes?username="******"["+name+":") if successPtr != -1: oldFlag = resultPage.page[successPtr+len(name)+2:][:len(flag)] print "FLAG:",oldFlag except Exception, e: print "ERROR: got exception %s getting flag" % (e)
def score(ip,flag,cookie): # get old flag oldFlag = "" if cookie != None: (myemail, mypassword) = cookie.split(':'); try: personality = browserpersonality.getRandomPersonality() mainpg = pybrowse.Browser("http://" + ip + "/Site/Sound_of_music.html") mainpg.open() # Logs in mainpg = pybrowse.Browser("http://" + ip + "/Site/Sound_of_music_files/widget2_markup.html") mainpg.open() mainpg.parse() qForm = mainpg.forms[0] qForm.fields["email"] = myemail qForm.fields["password"] = mypassword resultingPage = qForm.click( None ) resultingPage = resultingPage.doRedirects( ) successPtr = resultingPage.page.find("successfully authenticated") if successPtr == -1: oldFlag = "" else: mainpg = pybrowse.Browser("http://" + ip + "/Site/Sound_of_music.html") mainpg.open() mainpg.parse() resultingPage = pybrowse.Browser("http://" + ip + "/~copyright/cgi-bin/star.php", resultingPage.personality, resultingPage.referer, resultingPage.cookies) resultingPage.open() resultingPage.parse() successPtr = resultingPage.page.find("Hello ") if successPtr != -1: oldFlag = resultingPage.page[successPtr+6:][:len(flag)] else: oldFlag = "" print "FLAG:",oldFlag except Exception, e: print "ERROR: got exception [%s] getting flag" % (e) sys.exit(1)
def score(ip,flag, cookie): global myHost myHost = ip + ":" + port username = "" password = "" # get old flag if cookie != None: try: if cookie.find(':') != -1: username, password = cookie.split(":") personality = browserpersonality.getRandomPersonality() mainpg = pybrowse.Browser("http://" + myHost + "/Therapy/") mainpg.open() mainpg.parse() if mainpg.containsLink("/Therapy/login.do") == None: print "ERROR: no login.do link is found on the front page" return resultPage = doLogin(username, password) # view user's private information resultPage = resultPage.click(resultPage.links[9]) resultPage.doRedirects() rawPage = resultPage.page successPtr = rawPage.find("addinfo") if successPtr >= 0: oldFlag = rawPage[successPtr + 21:][:len(flag)] print "FLAG:",oldFlag # logout resultPage.parse() resultPage = resultPage.click(resultPage.links[10]) resultPage.doRedirects() except Exception, e: print "ERROR: got exception when getting flag: %s" % e
def score(ip, flag, cookie): #get old flag if cookie != None: try: name = cookie personality = browserpersonality.getRandomPersonality() resultPage = pybrowse.Browser( "http://" + ip + ":8081/notes?username="******"[" + name + ":") if successPtr != -1: oldFlag = resultPage.page[successPtr + len(name) + 2:][:len(flag)] print "FLAG:", oldFlag except Exception, e: print "ERROR: got exception %s getting flag" % (e)
def score(ip,flag,cookie): personality = browserpersonality.getRandomPersonality() if cookie != None: try: name,password = cookie.split(":") senderText = "<sender><user>"+name+"</user><password>"+password+"</password></sender>" codeText = "<code>set flag [store get flag]; results set $flag</code>" agentText = "<agent>\n" + senderText +"\n"+codeText+"\n</agent>" resultPage = postAgentText(ip,agentText) oldFlag = resultPage[:len(flag)] print "FLAG:",oldFlag except Exception, e: print "ERROR: got exception '%s' when getting flag" % (e) return
def score(ip, flag, cookie): personality = browserpersonality.getRandomPersonality() if cookie != None: try: name, password = cookie.split(":") senderText = "<sender><user>" + name + "</user><password>" + password + "</password></sender>" codeText = "<code>set flag [store get flag]; results set $flag</code>" agentText = "<agent>\n" + senderText + "\n" + codeText + "\n</agent>" resultPage = postAgentText(ip, agentText) oldFlag = resultPage[:len(flag)] print "FLAG:", oldFlag except Exception, e: print "ERROR: got exception '%s' when getting flag" % (e) return
def score(ip,flag,cookie): #get old flag if cookie != None: try: cc = cookie personality = browserpersonality.getRandomPersonality() resultPage = pybrowse.Browser("http://" + ip + "/~support/"+cc+".php", personality) resultPage.open() resultPage.parse() successPtr = resultPage.page.find("(") if successPtr != -1: oldFlag = resultPage.page[successPtr+1:][:len(flag)] print "FLAG:",oldFlag except Exception, e: print "ERROR: got exception %s getting flag" % (e)
def score(ip, flag, cookie): global myHost myHost = ip + ":" + port username = "" password = "" # get old flag if cookie != None: try: if cookie.find(':') != -1: username, password = cookie.split(":") personality = browserpersonality.getRandomPersonality() mainpg = pybrowse.Browser("http://" + myHost + "/Therapy/") mainpg.open() mainpg.parse() if mainpg.containsLink("/Therapy/login.do") == None: print "ERROR: no login.do link is found on the front page" return resultPage = doLogin(username, password) # view user's private information resultPage = resultPage.click(resultPage.links[9]) resultPage.doRedirects() rawPage = resultPage.page successPtr = rawPage.find("addinfo") if successPtr >= 0: oldFlag = rawPage[successPtr + 21:][:len(flag)] print "FLAG:", oldFlag # logout resultPage.parse() resultPage = resultPage.click(resultPage.links[10]) resultPage.doRedirects() except Exception, e: print "ERROR: got exception when getting flag: %s" % e
def score(ip,flag,cookie): personality = browserpersonality.getRandomPersonality() if cookie != None: try: first,last = cookie.split(":") getFlagUrl = ip+"/~museum/cgi-bin/museum_admin.pl?first="+first+"&last="+last+"&password=unbreakable" getFlagPage = pybrowse.Browser("http://" + getFlagUrl) getFlagPage.open() rawPage = getFlagPage.page oldFlag = rawPage[253:][:len(flag)] print "FLAG:",oldFlag except Exception, e: print "ERROR: got exception '%s' when getting flag" % (e) return
def score(ip, flag, cookie): #get old flag if cookie != None: try: cc = cookie personality = browserpersonality.getRandomPersonality() resultPage = pybrowse.Browser( "http://" + ip + "/~support/" + cc + ".php", personality) resultPage.open() resultPage.parse() successPtr = resultPage.page.find("(") if successPtr != -1: oldFlag = resultPage.page[successPtr + 1:][:len(flag)] print "FLAG:", oldFlag except Exception, e: print "ERROR: got exception %s getting flag" % (e)
def score(ip, flag, cookie): personality = browserpersonality.getRandomPersonality() if cookie != None: try: first, last = cookie.split(":") getFlagUrl = ip + "/~museum/cgi-bin/museum_admin.pl?first=" + first + "&last=" + last + "&password=unbreakable" getFlagPage = pybrowse.Browser("http://" + getFlagUrl) getFlagPage.open() rawPage = getFlagPage.page oldFlag = rawPage[253:][:len(flag)] print "FLAG:", oldFlag except Exception, e: print "ERROR: got exception '%s' when getting flag" % (e) return
def doReturningLogin(ip, eaddr, caseid): url = "http://" + ip + "/~amends/cgi-bin/settlement.php" personality = browserpersonality.getRandomPersonality() mainpg = pybrowse.Browser(url, personality) mainpg.open() mainpg.parse() loginForm = mainpg.forms[0] loginForm.fields['email'] = eaddr loginForm.fields['caseid'] = caseid resultPage = loginForm.click(None) resultPage = resultPage.doRedirects() rawPage = resultPage.page successPattern = "Settlement Confirmation" successPtr = rawPage.find(successPattern) if successPtr < 0: print "ERROR: error in doReturningLogin" sys.exit(2) return resultPage
def doReturningLogin(ip,eaddr, caseid): url = "http://" + ip + "/~amends/cgi-bin/settlement.php" personality = browserpersonality.getRandomPersonality() mainpg = pybrowse.Browser(url, personality); mainpg.open() mainpg.parse() loginForm = mainpg.forms[0] loginForm.fields['email'] = eaddr loginForm.fields['caseid'] = caseid resultPage = loginForm.click(None) resultPage = resultPage.doRedirects() rawPage = resultPage.page successPattern = "Settlement Confirmation" successPtr = rawPage.find(successPattern) if successPtr < 0: print "ERROR: error in doReturningLogin" sys.exit(2) return resultPage
def score(ip, flag, cookie): personality = browserpersonality.getRandomPersonality() if cookie != None: try: getFlagUrl = ip + "/~contribute/cgi-bin/history.py?name=" + cookie getFlagPage = pybrowse.Browser("http://" + getFlagUrl) getFlagPage.open() rawPage = getFlagPage.page successPattern = "address" successPtr = rawPage.find(successPattern) if successPtr >= 0: oldFlag = rawPage[successPtr + 8:][:len(flag)] print "FLAG:", oldFlag except Exception, e: print "ERROR: got exception '%s' when getting flag" % (e) return
def score(ip,flag,cookie): personality = browserpersonality.getRandomPersonality() if cookie != None: try: getFlagUrl = ip+"/~contribute/cgi-bin/history.py?name="+cookie getFlagPage = pybrowse.Browser("http://" + getFlagUrl) getFlagPage.open() rawPage = getFlagPage.page successPattern = "address" successPtr = rawPage.find(successPattern) if successPtr >= 0: oldFlag = rawPage[successPtr+8:][:len(flag)] print "FLAG:",oldFlag except Exception, e: print "ERROR: got exception '%s' when getting flag" % (e) return
def score(ip,flag,cookie): personality = browserpersonality.getRandomPersonality() if cookie != None: try: getFlagUrl = ip+"/~aqs/cgi-bin/guestbook.py?name="+cookie+"&command=lookup" getFlagPage = pybrowse.Browser("http://" + getFlagUrl) getFlagPage.open() rawPage = getFlagPage.page successPattern = cookie successPtr = rawPage.find(successPattern) if successPtr >= 0: successPtr += len(cookie) oldFlag = rawPage[successPtr+8:][:len(flag)] print "FLAG:",oldFlag except Exception, e: print "ERROR: got exception '%s' when getting flag" % (e) return
def score(ip, flag, cookie): personality = browserpersonality.getRandomPersonality() if cookie != None: try: getFlagUrl = ip + "/~acquire/cgi-bin/get.php?ip=" + cookie getFlagPage = pybrowse.Browser("http://" + getFlagUrl) getFlagPage.open() rawPage = getFlagPage.page successPattern = "entry was " successPtr = rawPage.find(successPattern) if successPtr < 0: print "ERROR: Failed to retrieve a flag!" else: oldFlag = rawPage[successPtr + 48:][:len(flag)] print "FLAG:", oldFlag except Exception, e: print "ERROR: got exception '%s' when getting flag" % (e)
def score(ip,flag,cookie): personality = browserpersonality.getRandomPersonality() if cookie != None: try: getFlagUrl = ip+"/~acquire/cgi-bin/get.php?ip="+cookie getFlagPage = pybrowse.Browser("http://" + getFlagUrl) getFlagPage.open() rawPage = getFlagPage.page successPattern = "entry was " successPtr = rawPage.find(successPattern) if successPtr < 0: print "ERROR: Failed to retrieve a flag!" else: oldFlag = rawPage[successPtr+48:][:len(flag)] print "FLAG:",oldFlag except Exception, e: print "ERROR: got exception '%s' when getting flag" % (e)
def score(ip,flag,cookie): #get old flag if cookie != None: try: name,password = cookie.split(":") personality = browserpersonality.getRandomPersonality() mainpg = pybrowse.Browser("http://" + ip + "/~diebald/cgi-bin/admin", personality) mainpg.open() mainpg.parse() getTaskForm = mainpg.forms[2] getTaskForm.fields['username'] = name getTaskForm.fields['password'] = password resultPage = getTaskForm.click(None) successPtr = resultPage.page.find("pre") if successPtr != -1: oldFlag = resultPage.page[successPtr+5:][:len(flag)] print "FLAG:",oldFlag except Exception, e: print "ERROR: got exception %s getting flag" % (e)
def createAccount(ip,fname, lname, eaddr, files, price): url = "http://" + ip + "/Site/Make_amends_files/widget1_markup.html" personality = browserpersonality.getRandomPersonality() mainpg = pybrowse.Browser(url, personality) mainpg.open() mainpg.parse() userForm = mainpg.forms[0] userForm.fields['first'] = fname userForm.fields['last'] = lname userForm.fields['email'] = eaddr userForm.fields['comment'] = files userForm.fields['price'] = price resultPage = userForm.click(None) rawPage = resultPage.page successPattern = "Thank you for participating" successPtr = rawPage.find(successPattern) if successPtr < 0: print "ERROR: error creating account" sys.exit(2) return resultPage
def createAccount(ip, fname, lname, eaddr, files, price): url = "http://" + ip + "/Site/Make_amends_files/widget1_markup.html" personality = browserpersonality.getRandomPersonality() mainpg = pybrowse.Browser(url, personality) mainpg.open() mainpg.parse() userForm = mainpg.forms[0] userForm.fields['first'] = fname userForm.fields['last'] = lname userForm.fields['email'] = eaddr userForm.fields['comment'] = files userForm.fields['price'] = price resultPage = userForm.click(None) rawPage = resultPage.page successPattern = "Thank you for participating" successPtr = rawPage.find(successPattern) if successPtr < 0: print "ERROR: error creating account" sys.exit(2) return resultPage
def score(ip, flag, cookie): myPort = "4242" oldFlag = None # get old flag if cookie != None: artist_name, artist_pwd = cookie.split(":") try: personality = browserpersonality.getRandomPersonality() # 1. go to the main page mainpg = pybrowse.Browser("http://" + ip + "/Site/Bosses_and_artists.html") mainpg.open() # 2. login as an artist mainpg = pybrowse.Browser("http://" + ip + ":" + myPort + "/artists/login/") mainpg.open() mainpg.parse() adminForm = mainpg.forms[0] adminForm.fields["username"] = artist_name adminForm.fields["password"] = artist_pwd resultingPage = adminForm.click(None) resultingPage = resultingPage.doRedirects() resultingPage.parse() successPtr = resultingPage.page.find("Confirmation number:") if successPtr != -1: oldFlag = resultingPage.page[successPtr + 21:][:len(flag)] print "FLAG:", oldFlag except Exception, e: print "ERROR: got exception %s getting flag" % (e)
def score(ip, flag, cookie): #get old flag if cookie != None: try: name, password = cookie.split(":") personality = browserpersonality.getRandomPersonality() mainpg = pybrowse.Browser( "http://" + ip + "/~diebald/cgi-bin/admin", personality) mainpg.open() mainpg.parse() getTaskForm = mainpg.forms[2] getTaskForm.fields['username'] = name getTaskForm.fields['password'] = password resultPage = getTaskForm.click(None) successPtr = resultPage.page.find("pre") if successPtr != -1: oldFlag = resultPage.page[successPtr + 5:][:len(flag)] print "FLAG:", oldFlag except Exception, e: print "ERROR: got exception %s getting flag" % (e)
qForm.fields["q7"] = random.choice(("yes", "no")) qForm.fields["steal"] = flag qForm.fields["signature"] = cookie resultingPage = qForm.click(None) resultingPage = resultingPage.doRedirects( ) successPtr = resultingPage.page.find("choice was:") if successPtr != -1: print "FLAG:",resultingPage.page[successPtr+12:][:len(flag)] except Exception, e: print "ERROR: got exception %s getting flag" % (e) # set the new flag try: personality = browserpersonality.getRandomPersonality() mainpg = pybrowse.Browser("http://" + ip + "/Site/Would_you.html") mainpg.open() mainpg = pybrowse.Browser("http://" + ip + "/Site//Would_you_files/widget1_markup.html") mainpg.open() mainpg.parse() qForm = mainpg.forms[0] qForm.fields["q1"] = random.choice(("yes", "no")) qForm.fields["q2"] = random.choice(("yes", "no")) qForm.fields["q3"] = random.choice(("yes", "no")) qForm.fields["q5"] = random.choice(("yes", "no")) qForm.fields["q6"] = random.choice(("yes", "no")) qForm.fields["q7"] = random.choice(("yes", "no")) cookie = CtfUtil.getRandomString(random.randint(3,10))
feedbackForm.fields['name'] = name feedbackForm.fields['comment'] = CtfUtil.getRandomString(5) + " " + CtfUtil.getRandomString(random.randint(4,9)) + random.choice(['?','.','!']) resultPage = feedbackForm.click(None) successPtr = resultPage.page.find("About") if successPtr != -1: oldFlag = resultPage.page[successPtr+9:][:len(flag)] print "FLAG:",oldFlag except Exception, e: print "ERROR: got exception %s getting flag" % (e) #set the new flag try: personality = browserpersonality.getRandomPersonality() mainpg = pybrowse.Browser("http://" + ip + "/~feedback/cgi-bin/candidates.php", personality) mainpg.open() mainpg.parse() candidate = random.randint(0,4) feedbackForm = mainpg.forms[candidate] name = CtfUtil.getRandomString(random.randint(6,8)) feedbackForm.fields['name'] = name feedbackForm.fields['comment'] = flag resultPage = feedbackForm.click(None) successPtr = resultPage.page.find("feedback so far") if successPtr == -1: