├── .gitignore
├── README.md
├── app
    ├── app.py
    ├── bot
    │   └── bot.py
    ├── challenges
    │   ├── csrf1
    │   │   ├── csrf1.py
    │   │   ├── static
    │   │   │   ├── css
    │   │   │   │   ├── bootstrap.min.css
    │   │   │   │   └── style.css
    │   │   │   └── js
    │   │   │   │   ├── bootstrap.min.js
    │   │   │   │   ├── jquery.min.js
    │   │   │   │   ├── main.js
    │   │   │   │   └── popper.js
    │   │   └── templates
    │   │   │   ├── board.html
    │   │   │   ├── changepw.html
    │   │   │   ├── login.html
    │   │   │   ├── register.html
    │   │   │   ├── view.html
    │   │   │   └── write.html
    │   ├── csrf2
    │   │   ├── csrf2.py
    │   │   ├── static
    │   │   │   ├── css
    │   │   │   │   ├── bootstrap.min.css
    │   │   │   │   └── style.css
    │   │   │   └── js
    │   │   │   │   ├── bootstrap.min.js
    │   │   │   │   ├── jquery.min.js
    │   │   │   │   ├── main.js
    │   │   │   │   └── popper.js
    │   │   └── templates
    │   │   │   ├── board.html
    │   │   │   ├── changepw.html
    │   │   │   ├── login.html
    │   │   │   ├── register.html
    │   │   │   ├── view.html
    │   │   │   └── write.html
    │   ├── xsleak
    │   │   ├── static
    │   │   │   ├── css
    │   │   │   │   ├── bootstrap.min.css
    │   │   │   │   └── style.css
    │   │   │   └── js
    │   │   │   │   ├── bootstrap.min.js
    │   │   │   │   ├── jquery.min.js
    │   │   │   │   ├── main.js
    │   │   │   │   └── popper.js
    │   │   ├── templates
    │   │   │   ├── board.html
    │   │   │   ├── login.html
    │   │   │   ├── register.html
    │   │   │   ├── view.html
    │   │   │   └── write.html
    │   │   └── xsleak.py
    │   ├── xss1
    │   │   ├── static
    │   │   │   ├── css
    │   │   │   │   ├── bootstrap.min.css
    │   │   │   │   └── style.css
    │   │   │   └── js
    │   │   │   │   ├── bootstrap.min.js
    │   │   │   │   ├── jquery.min.js
    │   │   │   │   ├── main.js
    │   │   │   │   └── popper.js
    │   │   ├── templates
    │   │   │   ├── board.html
    │   │   │   ├── login.html
    │   │   │   ├── register.html
    │   │   │   ├── view.html
    │   │   │   └── write.html
    │   │   └── xss1.py
    │   ├── xss2
    │   │   ├── static
    │   │   │   ├── css
    │   │   │   │   ├── bootstrap.min.css
    │   │   │   │   └── style.css
    │   │   │   └── js
    │   │   │   │   ├── bootstrap.min.js
    │   │   │   │   ├── jquery.min.js
    │   │   │   │   ├── main.js
    │   │   │   │   └── popper.js
    │   │   ├── templates
    │   │   │   ├── board.html
    │   │   │   ├── login.html
    │   │   │   ├── register.html
    │   │   │   ├── view.html
    │   │   │   └── write.html
    │   │   └── xss2.py
    │   └── xss3
    │   │   ├── static
    │   │       ├── css
    │   │       │   ├── bootstrap.min.css
    │   │       │   └── style.css
    │   │       └── js
    │   │       │   ├── bootstrap.min.js
    │   │       │   ├── jquery.min.js
    │   │       │   ├── main.js
    │   │       │   └── popper.js
    │   │   ├── templates
    │   │       ├── board.html
    │   │       ├── login.html
    │   │       ├── register.html
    │   │       ├── view.html
    │   │       └── write.html
    │   │   └── xss3.py
    ├── entrypoint.sh
    ├── flags.json
    ├── static
    │   ├── css
    │   │   ├── bootstrap.min.css
    │   │   └── style.css
    │   └── js
    │   │   ├── bootstrap.min.js
    │   │   ├── jquery.min.js
    │   │   ├── main.js
    │   │   └── popper.js
    ├── templates
    │   ├── board.html
    │   ├── login.html
    │   ├── main.html
    │   ├── ranking.html
    │   └── register.html
    └── users.json
├── app2
    ├── 000-default.conf
    ├── entrypoint.sh
    ├── html
    │   ├── dbconn.php
    │   ├── domclobbering.php
    │   ├── index.php
    │   ├── prototype_pollution.php
    │   ├── sqli1.php
    │   ├── sqli2.php
    │   └── sqli3.php
    └── ports.conf
├── app3
    ├── 000-default.conf
    ├── entrypoint.sh
    ├── html
    │   ├── index.php
    │   ├── lfi1.php
    │   ├── lfi2.php
    │   └── lfiflag.php
    └── ports.conf
├── app4
    ├── app.py
    └── entrypoint.sh
├── app5
    ├── app.py
    └── entrypoint.sh
├── docker-compose.yml
├── docker
    ├── flask
    │   └── Dockerfile
    ├── flask2
    │   ├── Dockerfile
    │   └── flags
    │   │   └── command_injection_flag.txt
    ├── flask3
    │   ├── Dockerfile
    │   └── flags
    │   │   └── ssti_flag.txt
    ├── mysql
    │   └── Dockerfile
    ├── php
    │   ├── Dockerfile
    │   └── flags
    │   │   ├── domclobbering_flag.txt
    │   │   ├── pp_flag.txt
    │   │   ├── sqli1_flag.txt
    │   │   └── sqli2_flag.txt
    └── php2
    │   ├── Dockerfile
    │   └── flags
    │       └── readflag.c
└── mysql
    └── init.sql


/.gitignore:
--------------------------------------------------------------------------------
1 | *core.*


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # web-ctf-edu-challs
 2 | 
 3 | ### challserver & xss1\~3, csrf1\~2, xsleak 
 4 | related directories : `./app/` , `./docker/flask/`
 5 | 
 6 | ### domclobbering, sqli1~3, prototype pollution
 7 | `./app2/` , `./docker/php/` , `./docker/mysql/` , `./mysql/`
 8 | 
 9 | ### lfi1~2 
10 | `./app3/`, `./docker/php2/`
11 | 
12 | ### command injection 
13 | `./app4/`, `./docker/flask2/`
14 | 
15 | ### ssti
16 | `./app5/`, `./docker/flask3/`


--------------------------------------------------------------------------------
/app/app.py:
--------------------------------------------------------------------------------
  1 | #-*-coding:utf-8-*-
  2 | import flask
  3 | import os, pymysql, re, hashlib, time, base64, io, requests, json
  4 | import logging, traceback
  5 | logging.basicConfig(level=logging.INFO)
  6 | logging.getLogger('werkzeug').setLevel(level=logging.WARNING)
  7 | 
  8 | app = flask.Flask(__name__)
  9 | app.secret_key = os.urandom(16)
 10 | app.config['MAX_CONTENT_LENGTH'] = 80 * 1024 * 1024
 11 | 
 12 | ids = {}
 13 | def load_user():
 14 |     global ids
 15 |     if os.path.exists("users.json"):
 16 |         with open("users.json","r") as f:
 17 |             ids = json.loads(f.read())
 18 |         for i in ids.keys():
 19 |             ids[i]['solved'] = list(set(ids[i]['solved']))
 20 |     else:
 21 |         ids = {
 22 |             "arang":{
 23 |                 "password": "123123",
 24 |                 "solved": [],
 25 |                 "lastsolved":0
 26 |             }
 27 |         }
 28 | load_user()
 29 | 
 30 | 
 31 | challenges = [
 32 |     {
 33 |         "seq": 1,
 34 |         "challenge": "xss1 - default",
 35 |         "link": "http://arang_client:9001/"
 36 |     },
 37 |     {
 38 |         "seq": 2,
 39 |         "challenge": "xss2 - bypass",
 40 |         "link": "http://arang_client:9002/"
 41 |     },
 42 |     {
 43 |         "seq": 3,
 44 |         "challenge": "xss3 - read article",
 45 |         "link": "http://arang_client:9003/"
 46 |     },
 47 |     {
 48 |         "seq": 4,
 49 |         "challenge": "domclobbering",
 50 |         "link": "http://arang_client:9200/domclobbering.php"
 51 |     },
 52 |     {
 53 |         "seq": 5,
 54 |         "challenge": "csrf1 - change admin password1",
 55 |         "link": "http://arang_client:9004/"
 56 |     },
 57 |     {
 58 |         "seq": 6,
 59 |         "challenge": "csrf2 - change admin password2",
 60 |         "link": "http://arang_client:9005/"
 61 |     },
 62 |     {
 63 |         "seq": 7,
 64 |         "challenge": "xsleak - get secret value of admin",
 65 |         "link": "http://arang_client:9006/"
 66 |     },
 67 |     {
 68 |         "seq": 8,
 69 |         "challenge": "sqli1 - basic",
 70 |         "link": "http://arang_client:9200/sqli1.php"
 71 |     },
 72 |     {
 73 |         "seq": 9,
 74 |         "challenge": "sqli2 - bypass filtering",
 75 |         "link": "http://arang_client:9200/sqli2.php"
 76 |     },
 77 |     {
 78 |         "seq": 10,
 79 |         "challenge": "sqli3 - blind sqli + bypass filtering",
 80 |         "link": "http://arang_client:9200/sqli3.php"
 81 |     },
 82 |     {
 83 |         "seq": 11,
 84 |         "challenge": "lif1 - basic",
 85 |         "link": "http://arang_client:9201/lfi1.php"
 86 |     },
 87 |     {
 88 |         "seq": 12,
 89 |         "challenge": "lfi2 - get the shell",
 90 |         "link": "http://arang_client:9201/lfi2.php"
 91 |     },
 92 |     {
 93 |         "seq": 13,
 94 |         "challenge": "command injection - blind",
 95 |         "link": "http://arang_client:9301/"
 96 |     },
 97 |     {
 98 |         "seq": 14,
 99 |         "challenge": "ssti - get the shell",
100 |         "link": "http://arang_client:9302/"
101 |     },
102 |     {
103 |         "seq": 15,
104 |         "challenge": "prototype - eval js code",
105 |         "link": "http://arang_client:9200/prototype_pollution.php"
106 |     },
107 | 
108 | ]
109 | 
110 | def sessionCheck(loginCheck=False):   
111 |     if loginCheck:
112 |         if "isLogin" not in flask.session:
113 |             return False
114 |         else:
115 |             return True
116 | 
117 |     if "isLogin" in flask.session:
118 |         return True
119 |     
120 |     return False
121 | 
122 | 
123 | @app.route("/")
124 | def index():
125 |     if sessionCheck(loginCheck=True):
126 |         return flask.redirect(flask.url_for("main"))
127 | 
128 |     return flask.redirect(flask.url_for("login"))
129 | 
130 | @app.route("/main")
131 | def main():
132 |     global ids
133 |     if not sessionCheck(loginCheck=True):
134 |         return flask.redirect(flask.url_for("login"))
135 | 
136 |     load_user()
137 |     t=[]
138 |     for i in range(len(challenges)):
139 |         if i in ids[flask.session["userid"]]["solved"]:
140 |             tt = challenges[i]
141 |             tt["solved"] = True
142 |         else:
143 |             tt = challenges[i]
144 |             tt["solved"] = False
145 |         t.append(tt)
146 |     
147 |     return flask.render_template("main.html", c=t)
148 | 
149 | 
150 | @app.route("/ranking")
151 | def ranking():
152 |     load_user()
153 |     t = []
154 |     sorted_dict = dict(sorted(ids.items(), key=lambda item: (-len(item[1]["solved"]), item[1]["lastsolved"])))
155 |     print(sorted_dict)
156 |     for i in sorted_dict.keys():
157 |         if not sorted_dict[i]["solved"]:
158 |             continue
159 |         t.append({i:sorted_dict[i]})
160 |     print(t)
161 |     return flask.render_template("ranking.html", ids=t)
162 |     
163 | 
164 | @app.route("/login", methods=["GET","POST"])
165 | def login():
166 |     if flask.request.method == "GET":
167 |         if sessionCheck(loginCheck=True):
168 |             return flask.redirect(flask.url_for("main"))
169 |         
170 |         return flask.render_template("login.html", msg="false")
171 |     else:
172 |         if sessionCheck():
173 |             return flask.redirect(flask.url_for("main"))
174 |         
175 |         userid = flask.request.form["userid"]
176 |         userpw = flask.request.form["userpw"]
177 |         
178 |         if userid in ids:
179 |             if ids[userid]["password"] == hashlib.sha256(userpw.encode()).hexdigest():
180 |                 flask.session["userid"] = userid
181 |                 flask.session["isLogin"] = True
182 |                     
183 |                 resp = flask.make_response(flask.redirect(flask.url_for("main")))
184 |                 resp.set_cookie('userid', flask.session["userid"])
185 |                 return resp
186 |             else:
187 |                 return flask.render_template("login.html", msg="login fail")
188 |         else:
189 |             return flask.render_template("login.html", msg="login fail")
190 | 
191 | 
192 | @app.route("/register", methods=["GET","POST"])
193 | def register():
194 |     if flask.request.method == "GET":
195 |         if sessionCheck(loginCheck=True):
196 |             return flask.redirect(flask.url_for("main"))
197 |         
198 |         return flask.render_template("register.html", msg="false")
199 |     else:
200 |         if sessionCheck():
201 |             return flask.redirect(flask.url_for("main"))
202 | 
203 |         userid = flask.request.form["userid"] 
204 |         userpw = hashlib.sha256(flask.request.form["userpw"].encode()).hexdigest()
205 |     
206 |         if userid not in ids:
207 |             ids[userid] = {
208 |                 "password": userpw,
209 |                 "solved": [],
210 |                 "lastsolved": 0
211 |             }
212 |             with open("users.json", "w") as f:
213 |                 f.write(json.dumps(ids, indent=4))
214 |             return flask.render_template("login.html", msg="false")
215 |         else:
216 |             return flask.render_template("register.html", msg="already registered id")
217 | 
218 | @app.route("/logout")
219 | def logout():
220 |     flask.session.pop('isLogin', False)
221 |     resp = flask.make_response(flask.redirect(flask.url_for("login")))
222 |     resp.set_cookie('userid', expires=0)
223 |     return resp
224 | 
225 | @app.route("/checkflag", methods=["GET", "POST"])
226 | def report():
227 |     if flask.request.method == "GET":
228 |         if not sessionCheck(loginCheck=True):
229 |             return flask.redirect(flask.url_for("login"))
230 |         else:
231 |             return '''
232 |             <form method="POST" action="/checkflag">
233 |                 <input type="text" name="flag" placeholder="input flag..." style="width:25%; height: 7%;">
234 |                 <input type="submit" value="submit">
235 |             </form>
236 |             '''
237 |     elif flask.request.method == "POST":
238 |         if not sessionCheck(loginCheck=True):
239 |             return flask.redirect(flask.url_for("login"))
240 | 
241 |         flag = flask.request.form['flag']
242 |         with open("/app/flags.json", "r") as f:
243 |             flags = json.loads(f.read())
244 | 
245 |         if flag in list(flags.values()):
246 |             i = list(flags.values()).index(flag)
247 |             ids[flask.session["userid"]]["solved"].append(i)
248 |             ids[flask.session["userid"]]["lastsolved"] = time.time()
249 |             with open("users.json", "w") as f:
250 |                 f.write(json.dumps(ids, indent=4))
251 |             return "<script>alert('right! congratulation!!');location='/';</script>"
252 |         else:
253 |             return "<script>alert('wrong... try again');history.go(-1);</script>"
254 |         
255 | 
256 | if __name__ == "__main__":
257 |     try:
258 |         app.run(host="0.0.0.0", port=9091, debug=True)
259 |     except Exception as ex:
260 |         logging.info(str(ex))
261 |         pass
262 | 


--------------------------------------------------------------------------------
/app/bot/bot.py:
--------------------------------------------------------------------------------
  1 | #-*-coding: utf-8-*-
  2 | from selenium import webdriver
  3 | from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
  4 | from selenium.webdriver.support.ui import WebDriverWait
  5 | from selenium.webdriver.support import expected_conditions as EC
  6 | from selenium.webdriver.common.by import By
  7 | from selenium.webdriver.chrome.service import Service
  8 | from selenium.common.exceptions import TimeoutException
  9 | from selenium.webdriver.remote.remote_connection import LOGGER
 10 | from webdriver_manager.chrome import ChromeDriverManager
 11 | import flask
 12 | import traceback, os, time
 13 | 
 14 | app = flask.Flask(__name__)
 15 | app.secret_key = os.urandom(16)
 16 | app.config['MAX_CONTENT_LENGTH'] = 80 * 1024 * 1024
 17 | 
 18 | ADMIN_ID = "admin"
 19 | ADMIN_PASS = os.getenv("admin_password")
 20 | 
 21 | server1_challs = {
 22 | 	"xss1": "9001",
 23 | 	"xss2": "9002",
 24 | 	"xss3": "9003",
 25 | 	"csrf1": "9004",
 26 | 	"csrf2": "9005",
 27 | 	"xsleak": "9006",
 28 | }
 29 | 
 30 | def interceptor(request):
 31 | 	pass
 32 | 
 33 | class Crawler:
 34 | 	def __init__(self):
 35 | 		options = webdriver.ChromeOptions()
 36 | 		options.add_argument('--headless')
 37 | 		options.add_argument('--no-sandbox')
 38 | 		options.add_experimental_option("excludeSwitches", ["enable-automation"])
 39 | 		options.add_experimental_option("useAutomationExtension", False)
 40 | 
 41 | 		self.driver = webdriver.Chrome(service=Service(ChromeDriverManager().install()), options=options)
 42 | 		self.driver.request_interceptor = interceptor
 43 | 		self.driver.implicitly_wait(3)
 44 | 		self.driver.execute_script("Object.defineProperty(navigator, 'webdriver', {get: () => undefined})")
 45 | 		self.driver.execute_cdp_cmd('Page.addScriptToEvaluateOnNewDocument', {'source': 'navigator.'})
 46 | 		self.driver.set_page_load_timeout(3)
 47 | 
 48 | 	def req(self, url):
 49 | 		try:
 50 | 			print(f"[+] doing crawler req {url}")
 51 | 			self.driver.get(url)
 52 | 		except:
 53 | 			print(f"[x] crawler driver req fail - {url}")
 54 | 			print(traceback.format_exc())
 55 | 			return False
 56 | 
 57 | 		return self.driver
 58 | 
 59 | def doCrawl_server1(chal, url):
 60 | 	crawler = Crawler()
 61 | 	driver = crawler.driver
 62 | 	try:
 63 | 		crawler.req(f'http://arang_client:{server1_challs[chal]}/login')
 64 | 
 65 | 		driver.find_element(By.ID,"userid").send_keys(ADMIN_ID)
 66 | 		driver.find_element(By.ID,"userpw").send_keys(ADMIN_PASS)
 67 | 		driver.find_element(By.ID,"submit-login").click()
 68 | 		
 69 | 		time.sleep(1)
 70 | 
 71 | 		if crawler.req(url):
 72 | 			time.sleep(2)
 73 | 		
 74 | 		driver.quit()
 75 | 	except:
 76 | 		driver.quit()
 77 | 		print(f"[x] error...")
 78 | 		print(traceback.format_exc())
 79 | 
 80 | def doCrawl_server2(url):
 81 | 	crawler = Crawler()
 82 | 	driver = crawler.driver
 83 | 	try:
 84 | 		if crawler.req(url):
 85 | 			time.sleep(10)
 86 | 		
 87 | 		driver.quit()
 88 | 	except:
 89 | 		driver.quit()
 90 | 		print(f"[x] error...")
 91 | 		print(traceback.format_exc())
 92 | 
 93 | 
 94 | @app.route("/run", methods=["POST"])
 95 | def run():
 96 | 	url = flask.request.form['url']
 97 | 	if 'chal' in flask.request.form:
 98 | 		chal = flask.request.form['chal']
 99 | 		print(f"[+] bot run arang_client:{chal} - {url}")
100 | 		doCrawl_server1(chal, url)
101 | 	else:
102 | 		print(url)
103 | 		doCrawl_server2(url)
104 | 
105 | 	return "<script>history.go(-1);</script>"
106 | 		
107 | 
108 | if __name__ == "__main__":
109 | 	try:
110 | 		app.run(host="0.0.0.0", port=9000, debug=True)
111 | 	except Exception as ex:
112 | 		logging.info(str(ex))
113 | 		pass


--------------------------------------------------------------------------------
/app/challenges/csrf1/csrf1.py:
--------------------------------------------------------------------------------
  1 | #-*-coding:utf-8-*-
  2 | import flask
  3 | import os, pymysql, re, hashlib, time, base64, io, requests, socket
  4 | import logging, traceback
  5 | logging.basicConfig(level=logging.INFO)
  6 | logging.getLogger('werkzeug').setLevel(level=logging.WARNING)
  7 | 
  8 | app = flask.Flask(__name__)
  9 | app.secret_key = os.urandom(16)
 10 | app.config['MAX_CONTENT_LENGTH'] = 80 * 1024 * 1024
 11 | 
 12 | ids = {
 13 |     "admin":os.getenv("admin_password")
 14 | }
 15 | 
 16 | articles = [{
 17 |     "seq":0,
 18 |     "subject":"flag is here!",
 19 |     "author":"admin",
 20 |     "content": os.getenv("csrf1_flag")
 21 | }]
 22 | 
 23 | def sessionCheck(loginCheck=False):   
 24 |     if loginCheck:
 25 |         if "isLogin" not in flask.session:
 26 |             return False
 27 |         else:
 28 |             return True
 29 | 
 30 |     if "isLogin" in flask.session:
 31 |         return True
 32 |     
 33 |     return False
 34 | 
 35 | def xsscheck(content):
 36 |     content = content.lower()
 37 |     vulns = ["javascript", "frame", "object", "on", "data", "embed", "&#", "base","\\u","alert","fetch","XMLHttpRequest","eval","constructor"]
 38 |     vulns += list("'\"")
 39 |     for char in vulns:
 40 |         if char in content:
 41 |             return True
 42 | 
 43 |     return False
 44 | 
 45 | 
 46 | @app.route("/")
 47 | def index():
 48 |     if sessionCheck(loginCheck=True):
 49 |         return flask.redirect(flask.url_for("board"))
 50 | 
 51 |     return flask.redirect(flask.url_for("login"))
 52 | 
 53 | 
 54 | 
 55 | @app.route("/login", methods=["GET","POST"])
 56 | def login():
 57 |     if flask.request.method == "GET":
 58 |         if sessionCheck(loginCheck=True):
 59 |             return flask.redirect(flask.url_for("board"))
 60 |         
 61 |         return flask.render_template("login.html", msg="false")
 62 |     else:
 63 |         if sessionCheck():
 64 |             return flask.redirect(flask.url_for("board"))
 65 |         
 66 |         userid = flask.request.form["userid"]
 67 |         userpw = flask.request.form["userpw"]
 68 |         
 69 |         if userid in ids:
 70 |             if ids[userid] == userpw or (userid=="admin" and userpw==os.getenv("admin_password")):
 71 |                 flask.session["userid"] = userid
 72 |                 flask.session["isLogin"] = True
 73 |                     
 74 |                 resp = flask.make_response(flask.redirect(flask.url_for("board")))
 75 |                 resp.set_cookie('userid', flask.session["userid"])
 76 |                 return resp
 77 |             else:
 78 |                 return flask.render_template("login.html", msg="login fail")
 79 |         else:
 80 |             return flask.render_template("login.html", msg="login fail")
 81 | 
 82 | 
 83 | @app.route("/register", methods=["GET","POST"])
 84 | def register():
 85 |     if flask.request.method == "GET":
 86 |         if sessionCheck(loginCheck=True):
 87 |             return flask.redirect(flask.url_for("board"))
 88 |         
 89 |         return flask.render_template("register.html", msg="false")
 90 |     else:
 91 |         if sessionCheck():
 92 |             return flask.redirect(flask.url_for("board"))
 93 | 
 94 |         userid = flask.request.form["userid"] 
 95 |         userpw = flask.request.form["userpw"]
 96 |         
 97 |         if userid not in ids:
 98 |             ids[userid] = userpw
 99 |             return flask.render_template("login.html", msg="false")
100 |         else:
101 |             return flask.render_template("register.html", msg="already registered id")
102 | 
103 | @app.route("/changepw", methods=["GET"])
104 | def changepw():
105 |     if "userid" not in flask.request.args or "userpw" not in flask.request.args:
106 |         return flask.render_template("changepw.html", msg="false")
107 |     else:
108 |         userid = flask.request.args["userid"]        
109 |         userpw = flask.request.args["userpw"]
110 | 
111 |         if userid == "admin":
112 |             if flask.request.remote_addr != socket.gethostbyname("arang_client"):
113 |                 return flask.render_template("changepw.html", msg="admin password is only changed at internal network")
114 |         
115 |         if userid in ids:
116 |             ids[userid] = userpw
117 |             return flask.redirect(flask.url_for("login"))
118 |         else:
119 |             return flask.render_template("changepw.html", msg="user doesn't exist")
120 | 
121 | 
122 | 
123 | @app.route("/logout")
124 | def logout():
125 |     flask.session.pop('isLogin', False)
126 |     resp = flask.make_response(flask.redirect(flask.url_for("login")))
127 |     resp.set_cookie('userid', expires=0)
128 |     return resp
129 | 
130 | 
131 | @app.route("/board", methods=["GET"])
132 | def board():
133 |     if not sessionCheck(loginCheck=True):
134 |         return flask.redirect(flask.url_for("login"))
135 |     results = []
136 |     for i in articles:
137 |         if i["author"] == flask.session["userid"] or flask.session["userid"] == "admin" or i["author"] == "admin":
138 |             results.append(i)
139 |     return flask.render_template("board.html", articles=results)
140 | 
141 | 
142 | @app.route("/board/<seq>")
143 | def viewboard(seq):
144 |     if not sessionCheck(loginCheck=True):
145 |         return flask.redirect(flask.url_for("login"))
146 | 
147 |     article = articles[int(seq)]
148 |     if article["author"] == flask.session["userid"] or flask.session["userid"] == "admin":
149 |         return flask.render_template("view.html", articles=article)
150 |     else:
151 |         return "<script>alert('This is not your article');location.replace('/');</script>"
152 | 
153 | @app.route("/write", methods=["GET", "POST"])
154 | def write():
155 |     if not sessionCheck(loginCheck=True):
156 |         return flask.redirect(flask.url_for("login"))
157 | 
158 |     if flask.request.method == "GET":
159 |         return flask.render_template("write.html", loginid=flask.session["userid"])
160 | 
161 |     elif flask.request.method == "POST":
162 |         subject = flask.request.form["subject"]
163 |         author = flask.request.form["author"]
164 |         content = flask.request.form["content"]
165 | 
166 |         if not xsscheck(content):
167 |             # substitute markdown image refference to html image tag
168 |             content = re.sub(r"!\[(.*?)\]\((.*?)\)",r'<img src="\2" id="\1">',content.replace('"',''))
169 | 
170 |             req = {
171 |                 'seq':len(articles),
172 |                 'subject':subject,
173 |                 'author':flask.session['userid'],
174 |                 'content':content,
175 |             }
176 | 
177 |             articles.append(req)
178 | 
179 |             return flask.redirect(flask.url_for("board"))
180 |         else:
181 |             return '<script>alert("no hack");history.go(-1);</script>'
182 | 
183 | 
184 | @app.route("/report", methods=["GET", "POST"])
185 | def report():
186 |     if flask.request.method == "GET":
187 |         return '''
188 |         <form method="POST" action="/report">
189 |             <input type="text" name="url" placeholder="input url..." style="width:25%; height: 7%;">
190 |             <input type="submit" value="submit">
191 |         </form>
192 |         '''
193 |     elif flask.request.method == "POST":
194 |         url = flask.request.form['url']
195 |         requests.post(f"http://arang_client:9000/run", data=f"url={url}&chal=csrf1", headers={"Content-Type":"application/x-www-form-urlencoded", "Content-Length":"1"})
196 |         return "<script>history.go(-1);</script>"
197 | 
198 | 
199 | if __name__ == "__main__":
200 |     try:
201 |         app.run(host="0.0.0.0", port=9004, debug=True)
202 |     except Exception as ex:
203 |         logging.info(str(ex))
204 |         pass
205 | 


--------------------------------------------------------------------------------
/app/challenges/csrf1/static/js/main.js:
--------------------------------------------------------------------------------
1 | (function($) {
2 | 
3 | 	"use strict";
4 | 
5 | 
6 | })(jQuery);
7 | 


--------------------------------------------------------------------------------
/app/challenges/csrf1/templates/board.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF BOARD-CSRF1</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		function fn_view(seq){
15 | 			location.replace(`/board/${seq}`);
16 | 		}
17 | 	</script>
18 | 	</head>
19 | 	<body>
20 | 	<section class="ftco-section">
21 | 		<div class="container" style="max-width: 100%;">
22 | 			<div class="row justify-content-center">
23 | 				<div class="col-md-6 text-center mb-5">
24 | 					<h2 class="heading-section">Mini CTF BOARD-CSRF1</h2>
25 | 				</div>
26 | 			</div>
27 | 			<div class="row justify-content-center">
28 | 				<div class="container">
29 |     <form id="boardForm" name="boardForm" method="post">
30 |         <table class="table table-striped table-hover">
31 |             <thead>
32 |                 <tr>
33 |                     <th>번호</th>
34 |                     <th>제목</th>
35 |                     <th>작성자</th>
36 |                 </tr>
37 |             </thead>
38 |             <tbody>
39 |                 {% for i in articles %}
40 |                     <tr>
41 |                         <td>{{i['seq']}}</td>
42 |                         <td><a href='#' onClick='fn_view({{i["seq"]}})' id="article-{{i['seq']}}">{{i['subject']}}</a></td>
43 |                         <td>{{i['author']}}</td>
44 |                     </tr>
45 |                 {% endfor %}
46 |             </tbody>
47 |         </table>
48 |         <center>
49 |         <div>            
50 |         	<a href='#' onClick='location.replace("/changepw");' class="btn btn-danger">비밀번호 변경</a>
51 |             <a href='#' onClick='location.replace("/write");' class="btn btn-success">글쓰기</a>            
52 |             <a href='#' onClick='location.replace("/report")' class="btn btn-warning">관리자에게 글 읽기 요청</a>    
53 |             <a href='#' onClick='location.replace("/logout")' class="btn btn-info">로그아웃</a>            
54 |         </div>
55 |     	</center>
56 |     </form>
57 | </div>
58 | 			</div>
59 | 		</div>
60 | 	</section>
61 | 
62 | 	<script src="/static/js/jquery.min.js"></script>
63 |   <script src="/static/js/popper.js"></script>
64 |   <script src="/static/js/bootstrap.min.js"></script>
65 |   <script src="/static/js/main.js"></script>
66 | 
67 | 	</body>
68 | </html>


--------------------------------------------------------------------------------
/app/challenges/csrf1/templates/changepw.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF CHANGEPW-CSRF1</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		var msg = '{{ msg }}';
15 | 		if (msg != "false"){
16 | 			alert(msg);
17 | 		} 
18 | 	</script>
19 | 	</head>
20 | 	<body>
21 | 	<section class="ftco-section">
22 | 		<div class="container">
23 | 			<div class="row justify-content-center">
24 | 				<div class="col-md-6 text-center mb-5">
25 | 					<h2 class="heading-section">Mini CTF CHANGEPW-CSRF1</h2>
26 | 				</div>
27 | 			</div>
28 | 			<div class="row justify-content-center">
29 | 				<div class="col-md-7 col-lg-5">
30 | 					<div class="login-wrap p-4 p-md-5">
31 | 		      	<div class="icon d-flex align-items-center justify-content-center">
32 | 		      		<span class="fa fa-user-o"></span>
33 | 		      	</div>
34 | 		      	<h3 class="text-center mb-4">Change Password</h3>
35 | 				<form id="form1" method="GET" action="/changepw" class="login-form">
36 | 							<div class="form-group">
37 | 		      			<input type="text" class="form-control rounded-left" id="userid" name="userid" placeholder="Username" required>
38 | 		      		</div>
39 | 	            <div class="form-group d-flex">
40 | 	              <input type="password" class="form-control rounded-left" id="userpw" name="userpw" placeholder="Password" required>
41 | 	            </div>
42 | 	            <div class="form-group">
43 | 	            	<button type="submit" class="form-control btn btn-primary rounded submit px-3">Change Password</button>
44 | 	            </div>
45 | 	          </form>
46 | 	        </div>
47 | 				</div>
48 | 			</div>
49 | 		</div>
50 | 	</section>
51 | 
52 | 	<script src="/static/js/jquery.min.js"></script>
53 |   <script src="/static/js/popper.js"></script>
54 |   <script src="/static/js/bootstrap.min.js"></script>
55 |   <script src="/static/js/main.js"></script>
56 | 
57 | 	</body>
58 | </html>


--------------------------------------------------------------------------------
/app/challenges/csrf1/templates/login.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF LOGIN-CSRF1</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		var msg = '{{ msg }}';
15 | 		if (msg != "false"){
16 | 			alert(msg);
17 | 		} 
18 | 	</script>
19 | 	</head>
20 | 	<body>
21 | 	<section class="ftco-section">
22 | 		<div class="container">
23 | 			<div class="row justify-content-center">
24 | 				<div class="col-md-6 text-center mb-5">
25 | 					<h2 class="heading-section">LOGIN-CSRF1</h2>
26 | 				</div>
27 | 			</div>
28 | 			<div class="row justify-content-center">
29 | 				<div class="col-md-7 col-lg-5">
30 | 					<div class="login-wrap p-4 p-md-5">
31 | 		      	<div class="icon d-flex align-items-center justify-content-center">
32 | 		      		<span class="fa fa-user-o"></span>
33 | 		      	</div>
34 | 		      	<h3 class="text-center mb-4">Sign In</h3>
35 | 						<form id="form1" method="POST" action="/login" class="login-form">
36 | 		      		<div class="form-group">
37 | 		      			<input type="text" class="form-control rounded-left" id="userid" name="userid" placeholder="Username" id="userid" required>
38 | 		      		</div>
39 | 	            <div class="form-group d-flex">
40 | 	              <input type="password" class="form-control rounded-left" id="userpw" name="userpw" placeholder="Password" id="userpw" required>
41 | 	            </div>
42 | 	            <div class="form-group">
43 | 	            	<button type="submit" class="form-control btn btn-primary rounded submit px-3" id="submit-login">Login</button>
44 | 	            </div>
45 | 	            <div class="form-group d-md-flex">
46 | 	            	<div class="w-50">
47 | 								</div>
48 | 								<div class="w-50 text-md-right">
49 | 									<a href="/register">Register</a>
50 | 								</div>
51 | 	            </div>
52 | 	          </form>
53 | 	        </div>
54 | 				</div>
55 | 			</div>
56 | 		</div>
57 | 	</section>
58 | 
59 | 	<script src="/static/js/jquery.min.js"></script>
60 |   <script src="/static/js/popper.js"></script>
61 |   <script src="/static/js/bootstrap.min.js"></script>
62 |   <script src="/static/js/main.js"></script>
63 | 
64 | 	</body>
65 | </html>


--------------------------------------------------------------------------------
/app/challenges/csrf1/templates/register.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF REGISTER-CSRF1</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		var msg = '{{ msg }}';
15 | 		if (msg != "false"){
16 | 			alert(msg);
17 | 		} 
18 | 	</script>
19 | 	</head>
20 | 	<body>
21 | 	<section class="ftco-section">
22 | 		<div class="container">
23 | 			<div class="row justify-content-center">
24 | 				<div class="col-md-6 text-center mb-5">
25 | 					<h2 class="heading-section">Mini CTF REGISTER-CSRF1</h2>
26 | 				</div>
27 | 			</div>
28 | 			<div class="row justify-content-center">
29 | 				<div class="col-md-7 col-lg-5">
30 | 					<div class="login-wrap p-4 p-md-5">
31 | 		      	<div class="icon d-flex align-items-center justify-content-center">
32 | 		      		<span class="fa fa-user-o"></span>
33 | 		      	</div>
34 | 		      	<h3 class="text-center mb-4">Register</h3>
35 | 				<form id="form1" method="POST" action="/register" enctype="multipart/form-data" class="login-form">
36 | 		      		<div class="form-group">
37 | 		      			<input type="text" class="form-control rounded-left" id="userid" name="userid" placeholder="Username" required>
38 | 		      		</div>
39 | 	            <div class="form-group d-flex">
40 | 	              <input type="password" class="form-control rounded-left" id="userpw" name="userpw" placeholder="Password" required>
41 | 	            </div>
42 | 	            <div class="form-group">
43 | 	            	<button type="submit" class="form-control btn btn-primary rounded submit px-3">Register</button>
44 | 	            </div>
45 | 	          </form>
46 | 	        </div>
47 | 				</div>
48 | 			</div>
49 | 		</div>
50 | 	</section>
51 | 
52 | 	<script src="/static/js/jquery.min.js"></script>
53 |   <script src="/static/js/popper.js"></script>
54 |   <script src="/static/js/bootstrap.min.js"></script>
55 |   <script src="/static/js/main.js"></script>
56 | 
57 | 	</body>
58 | </html>


--------------------------------------------------------------------------------
/app/challenges/csrf1/templates/view.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF BOARD-CSRF1</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 |   </head>
14 | 	<body>
15 | 	<section class="ftco-section">
16 | 		
17 | 		<div class="container" style="max-width: 100%;">
18 | 			<div class="row justify-content-center">
19 | 				<div class="col-md-6 text-center mb-5" >
20 | 					<h2 class="heading-section">Mini CTF BOARD-CSRF1</h2>
21 | 				</div>
22 | 			</div>
23 | 			
24 | 			 <div class="container" class="row justify-content-center">
25 |             <hr/>
26 |             <div class="col-md-6 text-center mb-5" style="max-width: 100%;">
27 |                 <div>
28 |                     <table class="table table-condensed">
29 |                         <thead>
30 |                             <tr align="left">
31 |                                 <th width="15%">제목</th>
32 |                                 <th width="85%">{{articles['subject']}}</th>
33 |                             </tr>
34 |                         </thead>
35 |                         <tbody>
36 |                             <tr align="left">
37 |                                 <td>글쓴이
38 |                                 </td>
39 |                                 <td>
40 |                                 {{articles['author']}}
41 |                                 </td>
42 |                             </tr>
43 |                             <tr>
44 |                                 <td colspan="2" style="text-align: left;">
45 |                                     <!-- xss here! -->
46 |                                     <p>{{articles['content']|safe}}</p>
47 |                        
48 |                                 </td>
49 |                             </tr>
50 |                         </tbody>
51 |                     </table>
52 | 
53 |                     <table class="table table-condensed">
54 |                         <thead>
55 |                             <tr>
56 |                                 <td>
57 |                                     <span style='float:right'>
58 |                                         <button type="button" id="list" class="btn btn-default" onclick="location.replace('/board');">목록</button>
59 |                                         <button type="button" id="write" class="btn btn-default" onclick="location.replace('/write');">글쓰기</button>
60 |                                     </span>
61 |                                 </td>
62 |                             </tr>
63 |                         </thead>
64 |                     </table>
65 | 								</div>
66 |             </div>
67 |             <hr/>
68 |           </div>
69 |         </div>    
70 | 		</div>
71 | 		
72 | 	</section>
73 | 
74 | 	<script src="/static/js/jquery.min.js"></script>
75 |   <script src="/static/js/popper.js"></script>
76 |   <script src="/static/js/bootstrap.min.js"></script>
77 |   <script src="/static/js/main.js"></script>
78 | 
79 | 	</body>
80 | </html>


--------------------------------------------------------------------------------
/app/challenges/csrf1/templates/write.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF BOARD-CSRF1</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		function fn_cancel(){
15 | 			location.replace(`/board`);
16 | 		}
17 | 	</script>
18 | 	</head>
19 | 	<body>
20 | 	<section class="ftco-section">
21 | 		<div class="container" style="max-width: 100%;">
22 | 			<div class="row justify-content-center">
23 | 				<div class="col-md-6 text-center mb-5">
24 | 					<h2 class="heading-section">Mini CTF BOARD-CSRF1</h2>
25 | 				</div>
26 | 			</div>
27 | 			<div class="row justify-content-center">
28 | 				<div class="container">
29 | 				 <form id="writeForm" name="writeForm" method="post" enctype="multipart/form-data">
30 | 				        <div>
31 | 				            <h2 class="text-center mb-4">글쓰기</h2>
32 | 				            <div>
33 | 				                <div class="mb-3">
34 | 				                  <label class="form-label">제목</label>
35 | 				                  <input class="form-control" type="text" id="subject" name="subject">
36 | 				                </div>
37 | 				                <div class="mb-3">
38 | 				                  <label class="form-label">작성자</label>
39 | 				                  <input class="form-control" type="text" id="author" name="author" value="{{loginid}}" readonly>
40 | 				                </div>
41 | 				                <div class="mb-3">
42 | 				                  <label class="form-label">내용</label>
43 | 				                  <textarea class="form-control" rows="10" cols="10" id="content" name="content"></textarea>
44 | 				                </div>
45 | 				                <div>
46 | 				                	<center>
47 | 				                    <input class="btn btn-success btn-lg" type="submit" value="글쓰기">
48 | 				              			<input class="btn btn-info btn-lg" onClick='fn_cancel()' value="목록">
49 | 				              		</center>
50 | 				                </div>
51 | 
52 | 				              
53 | 				            </div>
54 | 				        </div>
55 | 				    </form>
56 | </div>
57 | 			</div>
58 | 		</div>
59 | 	</section>
60 | 
61 | 	<script src="/static/js/jquery.min.js"></script>
62 |   <script src="/static/js/popper.js"></script>
63 |   <script src="/static/js/bootstrap.min.js"></script>
64 |   <script src="/static/js/main.js"></script>
65 | 
66 | 	</body>
67 | </html>


--------------------------------------------------------------------------------
/app/challenges/csrf2/csrf2.py:
--------------------------------------------------------------------------------
  1 | #-*-coding:utf-8-*-
  2 | import flask
  3 | import os, pymysql, re, hashlib, time, base64, io, requests, binascii, socket
  4 | import logging, traceback
  5 | logging.basicConfig(level=logging.INFO)
  6 | logging.getLogger('werkzeug').setLevel(level=logging.WARNING)
  7 | 
  8 | app = flask.Flask(__name__)
  9 | app.secret_key = os.urandom(16)
 10 | app.config['MAX_CONTENT_LENGTH'] = 80 * 1024 * 1024
 11 | 
 12 | ids = {
 13 |     "admin":os.getenv("admin_password")
 14 | }
 15 | 
 16 | articles = [{
 17 |     "seq":0,
 18 |     "subject":"flag is here!",
 19 |     "author":"admin",
 20 |     "content": os.getenv("csrf2_flag")
 21 | }]
 22 | 
 23 | def sessionCheck(loginCheck=False):   
 24 |     if loginCheck:
 25 |         if "isLogin" not in flask.session:
 26 |             return False
 27 |         else:
 28 |             return True
 29 | 
 30 |     if "isLogin" in flask.session:
 31 |         return True
 32 |     
 33 |     return False
 34 | 
 35 | def xsscheck(content):
 36 |     content = content.lower()
 37 |     vulns = ["javascript", "frame", "object", "on", "data", "base","\\u", "embed", "&#", "alert","fetch","XMLHttpRequest","eval","constructor"]
 38 |     vulns += list("'\"")
 39 |     for char in vulns:
 40 |         if char in content:
 41 |             return True
 42 | 
 43 |     return False
 44 | 
 45 | 
 46 | @app.route("/")
 47 | def index():
 48 |     if sessionCheck(loginCheck=True):
 49 |         return flask.redirect(flask.url_for("board"))
 50 | 
 51 |     return flask.redirect(flask.url_for("login"))
 52 | 
 53 | 
 54 | 
 55 | @app.route("/login", methods=["GET","POST"])
 56 | def login():
 57 |     if flask.request.method == "GET":
 58 |         if sessionCheck(loginCheck=True):
 59 |             return flask.redirect(flask.url_for("board"))
 60 |         
 61 |         return flask.render_template("login.html", msg="false")
 62 |     else:
 63 |         if sessionCheck():
 64 |             return flask.redirect(flask.url_for("board"))
 65 |         
 66 |         userid = flask.request.form["userid"]
 67 |         userpw = flask.request.form["userpw"]
 68 |         
 69 |         if userid in ids:
 70 |             if ids[userid] == userpw or (userid=="admin" and userpw==os.getenv("admin_password")):
 71 |                 flask.session["userid"] = userid
 72 |                 flask.session["isLogin"] = True
 73 |                     
 74 |                 resp = flask.make_response(flask.redirect(flask.url_for("board")))
 75 |                 resp.set_cookie('userid', flask.session["userid"])
 76 |                 return resp
 77 |             else:
 78 |                 return flask.render_template("login.html", msg="login fail")
 79 |         else:
 80 |             return flask.render_template("login.html", msg="login fail")
 81 | 
 82 | 
 83 | @app.route("/register", methods=["GET","POST"])
 84 | def register():
 85 |     if flask.request.method == "GET":
 86 |         if sessionCheck(loginCheck=True):
 87 |             return flask.redirect(flask.url_for("board"))
 88 |         
 89 |         return flask.render_template("register.html", msg="false")
 90 |     else:
 91 |         if sessionCheck():
 92 |             return flask.redirect(flask.url_for("board"))
 93 | 
 94 |         userid = flask.request.form["userid"] 
 95 |         userpw = flask.request.form["userpw"]
 96 |         
 97 |         if userid not in ids:
 98 |             ids[userid] = userpw
 99 |             return flask.render_template("login.html", msg="false")
100 |         else:
101 |             return flask.render_template("register.html", msg="already registered id")
102 | 
103 | @app.route("/changepw", methods=["GET"])
104 | def changepw():
105 |     if "userid" not in flask.request.args or "userpw" not in flask.request.args:
106 |         flask.session["csrf_token"] = binascii.hexlify(os.urandom(16)).decode()
107 |         return flask.render_template("changepw.html", msg="false", csrf_token=flask.session["csrf_token"])
108 |     else:
109 |         if "csrf_token" not in flask.request.args:
110 |             return flask.render_template("changepw.html", msg="please input csrf token")
111 | 
112 |         
113 |         if flask.request.args["csrf_token"] != flask.session["csrf_token"]:
114 |             return flask.render_template("changepw.html", msg="csrf token not match!")
115 | 
116 |         userid = flask.request.args["userid"]        
117 |         userpw = flask.request.args["userpw"]
118 |                 
119 |         if userid == "admin":
120 |             if flask.request.remote_addr != socket.gethostbyname("arang_client"):
121 |                 return flask.render_template("changepw.html", msg="admin password is only changed at internal network")
122 |         
123 |         if userid in ids:
124 |             ids[userid] = userpw
125 |             return flask.redirect(flask.url_for("login"))
126 |         else:
127 |             return flask.render_template("changepw.html", msg="user doesn't exist")
128 | 
129 | 
130 | 
131 | @app.route("/logout")
132 | def logout():
133 |     flask.session.pop('isLogin', False)
134 |     resp = flask.make_response(flask.redirect(flask.url_for("login")))
135 |     resp.set_cookie('userid', expires=0)
136 |     return resp
137 | 
138 |     
139 | @app.route("/board", methods=["GET"])
140 | def board():
141 |     if not sessionCheck(loginCheck=True):
142 |         return flask.redirect(flask.url_for("login"))
143 |     results = []
144 |     for i in articles:
145 |         if i["author"] == flask.session["userid"] or flask.session["userid"] == "admin" or i["author"] == "admin":
146 |             results.append(i)
147 |     return flask.render_template("board.html", articles=results)
148 | 
149 | 
150 | @app.route("/board/<seq>")
151 | def viewboard(seq):
152 |     if not sessionCheck(loginCheck=True):
153 |         return flask.redirect(flask.url_for("login"))
154 | 
155 |     article = articles[int(seq)]
156 |     if article["author"] == flask.session["userid"] or flask.session["userid"] == "admin":
157 |         return flask.render_template("view.html", articles=article)
158 |     else:
159 |         return "<script>alert('This is not your article');location.replace('/');</script>"
160 | 
161 | @app.route("/write", methods=["GET", "POST"])
162 | def write():
163 |     if not sessionCheck(loginCheck=True):
164 |         return flask.redirect(flask.url_for("login"))
165 | 
166 |     if flask.request.method == "GET":
167 |         return flask.render_template("write.html", loginid=flask.session["userid"])
168 | 
169 |     elif flask.request.method == "POST":
170 |         subject = flask.request.form["subject"]
171 |         author = flask.request.form["author"]
172 |         content = flask.request.form["content"]
173 | 
174 |         if not xsscheck(content):
175 |             # substitute markdown image refference to html image tag
176 |             content = re.sub(r"!\[(.*?)\]\((.*?)\)",r'<img src="\2" id="\1">',content.replace('"',''))
177 | 
178 |             req = {
179 |                 'seq':len(articles),
180 |                 'subject':subject,
181 |                 'author':flask.session['userid'],
182 |                 'content':content,
183 |             }
184 | 
185 |             articles.append(req)
186 | 
187 |             return flask.redirect(flask.url_for("board"))
188 |         else:
189 |             return '<script>alert("no hack");history.go(-1);</script>'
190 | 
191 | 
192 | @app.route("/report", methods=["GET", "POST"])
193 | def report():
194 |     if flask.request.method == "GET":
195 |         return '''
196 |         <form method="POST" action="/report">
197 |             <input type="text" name="url" placeholder="input url..." style="width:25%; height: 7%;">
198 |             <input type="submit" value="submit">
199 |         </form>
200 |         '''
201 |     elif flask.request.method == "POST":
202 |         url = flask.request.form['url']
203 |         requests.post(f"http://arang_client:9000/run", data=f"url={url}&chal=csrf2", headers={"Content-Type":"application/x-www-form-urlencoded", "Content-Length":"1"})
204 |         return "<script>history.go(-1);</script>"
205 | 
206 | 
207 | if __name__ == "__main__":
208 |     try:
209 |         app.run(host="0.0.0.0", port=9005, debug=True)
210 |     except Exception as ex:
211 |         logging.info(str(ex))
212 |         pass
213 | 


--------------------------------------------------------------------------------
/app/challenges/csrf2/static/js/main.js:
--------------------------------------------------------------------------------
1 | (function($) {
2 | 
3 | 	"use strict";
4 | 
5 | 
6 | })(jQuery);
7 | 


--------------------------------------------------------------------------------
/app/challenges/csrf2/templates/board.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF BOARD-CSRF2</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		function fn_view(seq){
15 | 			location.replace(`/board/${seq}`);
16 | 		}
17 | 	</script>
18 | 	</head>
19 | 	<body>
20 | 	<section class="ftco-section">
21 | 		<div class="container" style="max-width: 100%;">
22 | 			<div class="row justify-content-center">
23 | 				<div class="col-md-6 text-center mb-5">
24 | 					<h2 class="heading-section">Mini CTF BOARD-CSRF2</h2>
25 | 				</div>
26 | 			</div>
27 | 			<div class="row justify-content-center">
28 | 				<div class="container">
29 |     <form id="boardForm" name="boardForm" method="post">
30 |         <table class="table table-striped table-hover">
31 |             <thead>
32 |                 <tr>
33 |                     <th>번호</th>
34 |                     <th>제목</th>
35 |                     <th>작성자</th>
36 |                 </tr>
37 |             </thead>
38 |             <tbody>
39 |                 {% for i in articles %}
40 |                     <tr>
41 |                         <td>{{i['seq']}}</td>
42 |                         <td><a href='#' onClick='fn_view({{i["seq"]}})' id="article-{{i['seq']}}">{{i['subject']}}</a></td>
43 |                         <td>{{i['author']}}</td>
44 |                     </tr>
45 |                 {% endfor %}
46 |             </tbody>
47 |         </table>
48 |         <center>
49 |         <div>            
50 |         	<a href='#' onClick='location.replace("/changepw");' class="btn btn-danger">비밀번호 변경</a>
51 |             <a href='#' onClick='location.replace("/write");' class="btn btn-success">글쓰기</a>            
52 |             <a href='#' onClick='location.replace("/report")' class="btn btn-warning">관리자에게 글 읽기 요청</a>    
53 |             <a href='#' onClick='location.replace("/logout")' class="btn btn-info">로그아웃</a>            
54 |         </div>
55 |     	</center>
56 |     </form>
57 | </div>
58 | 			</div>
59 | 		</div>
60 | 	</section>
61 | 
62 | 	<script src="/static/js/jquery.min.js"></script>
63 |   <script src="/static/js/popper.js"></script>
64 |   <script src="/static/js/bootstrap.min.js"></script>
65 |   <script src="/static/js/main.js"></script>
66 | 
67 | 	</body>
68 | </html>


--------------------------------------------------------------------------------
/app/challenges/csrf2/templates/changepw.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF CHANGEPW-CSRF2</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		var msg = '{{ msg }}';
15 | 		if (msg != "false"){
16 | 			alert(msg);
17 | 		} 
18 | 	</script>
19 | 	</head>
20 | 	<body>
21 | 	<section class="ftco-section">
22 | 		<div class="container">
23 | 			<div class="row justify-content-center">
24 | 				<div class="col-md-6 text-center mb-5">
25 | 					<h2 class="heading-section">Mini CTF CHANGEPW-CSRF2</h2>
26 | 				</div>
27 | 			</div>
28 | 			<div class="row justify-content-center">
29 | 				<div class="col-md-7 col-lg-5">
30 | 					<div class="login-wrap p-4 p-md-5">
31 | 		      	<div class="icon d-flex align-items-center justify-content-center">
32 | 		      		<span class="fa fa-user-o"></span>
33 | 		      	</div>
34 | 		      	<h3 class="text-center mb-4">Change Password</h3>
35 | 				<form id="form1" method="GET" action="/changepw" class="login-form">
36 | 							<div class="form-group">
37 | 		      			<input type="text" class="form-control rounded-left" id="userid" name="userid" placeholder="Username" required>
38 | 		      		</div>
39 | 	            <div class="form-group d-flex">
40 | 	              <input type="password" class="form-control rounded-left" id="userpw" name="userpw" placeholder="Password" required>
41 | 	            </div>
42 | 	            <div class="form-group">
43 | 	            	<button type="submit" class="form-control btn btn-primary rounded submit px-3">Change Password</button>
44 | 	            </div>
45 | 	            <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
46 | 	          </form>
47 | 	        </div>
48 | 				</div>
49 | 			</div>
50 | 		</div>
51 | 	</section>
52 | 
53 | 	<script src="/static/js/jquery.min.js"></script>
54 |   <script src="/static/js/popper.js"></script>
55 |   <script src="/static/js/bootstrap.min.js"></script>
56 |   <script src="/static/js/main.js"></script>
57 | 
58 | 	</body>
59 | </html>


--------------------------------------------------------------------------------
/app/challenges/csrf2/templates/login.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF LOGIN-CSRF2</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		var msg = '{{ msg }}';
15 | 		if (msg != "false"){
16 | 			alert(msg);
17 | 		} 
18 | 	</script>
19 | 	</head>
20 | 	<body>
21 | 	<section class="ftco-section">
22 | 		<div class="container">
23 | 			<div class="row justify-content-center">
24 | 				<div class="col-md-6 text-center mb-5">
25 | 					<h2 class="heading-section">LOGIN-CSRF2</h2>
26 | 				</div>
27 | 			</div>
28 | 			<div class="row justify-content-center">
29 | 				<div class="col-md-7 col-lg-5">
30 | 					<div class="login-wrap p-4 p-md-5">
31 | 		      	<div class="icon d-flex align-items-center justify-content-center">
32 | 		      		<span class="fa fa-user-o"></span>
33 | 		      	</div>
34 | 		      	<h3 class="text-center mb-4">Sign In</h3>
35 | 						<form id="form1" method="POST" action="/login" class="login-form">
36 | 		      		<div class="form-group">
37 | 		      			<input type="text" class="form-control rounded-left" id="userid" name="userid" placeholder="Username" id="userid" required>
38 | 		      		</div>
39 | 	            <div class="form-group d-flex">
40 | 	              <input type="password" class="form-control rounded-left" id="userpw" name="userpw" placeholder="Password" id="userpw" required>
41 | 	            </div>
42 | 	            <div class="form-group">
43 | 	            	<button type="submit" class="form-control btn btn-primary rounded submit px-3" id="submit-login">Login</button>
44 | 	            </div>
45 | 	            <div class="form-group d-md-flex">
46 | 	            	<div class="w-50">
47 | 								</div>
48 | 								<div class="w-50 text-md-right">
49 | 									<a href="/register">Register</a>
50 | 								</div>
51 | 	            </div>
52 | 	          </form>
53 | 	        </div>
54 | 				</div>
55 | 			</div>
56 | 		</div>
57 | 	</section>
58 | 
59 | 	<script src="/static/js/jquery.min.js"></script>
60 |   <script src="/static/js/popper.js"></script>
61 |   <script src="/static/js/bootstrap.min.js"></script>
62 |   <script src="/static/js/main.js"></script>
63 | 
64 | 	</body>
65 | </html>


--------------------------------------------------------------------------------
/app/challenges/csrf2/templates/register.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF REGISTER-CSRF2</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		var msg = '{{ msg }}';
15 | 		if (msg != "false"){
16 | 			alert(msg);
17 | 		} 
18 | 	</script>
19 | 	</head>
20 | 	<body>
21 | 	<section class="ftco-section">
22 | 		<div class="container">
23 | 			<div class="row justify-content-center">
24 | 				<div class="col-md-6 text-center mb-5">
25 | 					<h2 class="heading-section">Mini CTF REGISTER-CSRF2</h2>
26 | 				</div>
27 | 			</div>
28 | 			<div class="row justify-content-center">
29 | 				<div class="col-md-7 col-lg-5">
30 | 					<div class="login-wrap p-4 p-md-5">
31 | 		      	<div class="icon d-flex align-items-center justify-content-center">
32 | 		      		<span class="fa fa-user-o"></span>
33 | 		      	</div>
34 | 		      	<h3 class="text-center mb-4">Register</h3>
35 | 				<form id="form1" method="POST" action="/register" enctype="multipart/form-data" class="login-form">
36 | 		      		<div class="form-group">
37 | 		      			<input type="text" class="form-control rounded-left" id="userid" name="userid" placeholder="Username" required>
38 | 		      		</div>
39 | 	            <div class="form-group d-flex">
40 | 	              <input type="password" class="form-control rounded-left" id="userpw" name="userpw" placeholder="Password" required>
41 | 	            </div>
42 | 	            <div class="form-group">
43 | 	            	<button type="submit" class="form-control btn btn-primary rounded submit px-3">Register</button>
44 | 	            </div>
45 | 	          </form>
46 | 	        </div>
47 | 				</div>
48 | 			</div>
49 | 		</div>
50 | 	</section>
51 | 
52 | 	<script src="/static/js/jquery.min.js"></script>
53 |   <script src="/static/js/popper.js"></script>
54 |   <script src="/static/js/bootstrap.min.js"></script>
55 |   <script src="/static/js/main.js"></script>
56 | 
57 | 	</body>
58 | </html>


--------------------------------------------------------------------------------
/app/challenges/csrf2/templates/view.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF BOARD-CSRF2</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 |   </head>
14 | 	<body>
15 | 	<section class="ftco-section">
16 | 		
17 | 		<div class="container" style="max-width: 100%;">
18 | 			<div class="row justify-content-center">
19 | 				<div class="col-md-6 text-center mb-5" >
20 | 					<h2 class="heading-section">Mini CTF BOARD-CSRF2</h2>
21 | 				</div>
22 | 			</div>
23 | 			
24 | 			 <div class="container" class="row justify-content-center">
25 |             <hr/>
26 |             <div class="col-md-6 text-center mb-5" style="max-width: 100%;">
27 |                 <div>
28 |                     <table class="table table-condensed">
29 |                         <thead>
30 |                             <tr align="left">
31 |                                 <th width="15%">제목</th>
32 |                                 <th width="85%">{{articles['subject']}}</th>
33 |                             </tr>
34 |                         </thead>
35 |                         <tbody>
36 |                             <tr align="left">
37 |                                 <td>글쓴이
38 |                                 </td>
39 |                                 <td>
40 |                                 {{articles['author']}}
41 |                                 </td>
42 |                             </tr>
43 |                             <tr>
44 |                                 <td colspan="2" style="text-align: left;">
45 |                                     <!-- xss here! -->
46 |                                     <p>{{articles['content']|safe}}</p>
47 |                        
48 |                                 </td>
49 |                             </tr>
50 |                         </tbody>
51 |                     </table>
52 | 
53 |                     <table class="table table-condensed">
54 |                         <thead>
55 |                             <tr>
56 |                                 <td>
57 |                                     <span style='float:right'>
58 |                                         <button type="button" id="list" class="btn btn-default" onclick="location.replace('/board');">목록</button>
59 |                                         <button type="button" id="write" class="btn btn-default" onclick="location.replace('/write');">글쓰기</button>
60 |                                     </span>
61 |                                 </td>
62 |                             </tr>
63 |                         </thead>
64 |                     </table>
65 | 								</div>
66 |             </div>
67 |             <hr/>
68 |           </div>
69 |         </div>    
70 | 		</div>
71 | 		
72 | 	</section>
73 | 
74 | 	<script src="/static/js/jquery.min.js"></script>
75 |   <script src="/static/js/popper.js"></script>
76 |   <script src="/static/js/bootstrap.min.js"></script>
77 |   <script src="/static/js/main.js"></script>
78 | 
79 | 	</body>
80 | </html>


--------------------------------------------------------------------------------
/app/challenges/csrf2/templates/write.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF BOARD-CSRF2</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		function fn_cancel(){
15 | 			location.replace(`/board`);
16 | 		}
17 | 	</script>
18 | 	</head>
19 | 	<body>
20 | 	<section class="ftco-section">
21 | 		<div class="container" style="max-width: 100%;">
22 | 			<div class="row justify-content-center">
23 | 				<div class="col-md-6 text-center mb-5">
24 | 					<h2 class="heading-section">Mini CTF BOARD-CSRF2</h2>
25 | 				</div>
26 | 			</div>
27 | 			<div class="row justify-content-center">
28 | 				<div class="container">
29 | 				 <form id="writeForm" name="writeForm" method="post" enctype="multipart/form-data">
30 | 				        <div>
31 | 				            <h2 class="text-center mb-4">글쓰기</h2>
32 | 				            <div>
33 | 				                <div class="mb-3">
34 | 				                  <label class="form-label">제목</label>
35 | 				                  <input class="form-control" type="text" id="subject" name="subject">
36 | 				                </div>
37 | 				                <div class="mb-3">
38 | 				                  <label class="form-label">작성자</label>
39 | 				                  <input class="form-control" type="text" id="author" name="author" value="{{loginid}}" readonly>
40 | 				                </div>
41 | 				                <div class="mb-3">
42 | 				                  <label class="form-label">내용</label>
43 | 				                  <textarea class="form-control" rows="10" cols="10" id="content" name="content"></textarea>
44 | 				                </div>
45 | 				                <div>
46 | 				                	<center>
47 | 				                    <input class="btn btn-success btn-lg" type="submit" value="글쓰기">
48 | 				              			<input class="btn btn-info btn-lg" onClick='fn_cancel()' value="목록">
49 | 				              		</center>
50 | 				                </div>
51 | 
52 | 				              
53 | 				            </div>
54 | 				        </div>
55 | 				    </form>
56 | </div>
57 | 			</div>
58 | 		</div>
59 | 	</section>
60 | 
61 | 	<script src="/static/js/jquery.min.js"></script>
62 |   <script src="/static/js/popper.js"></script>
63 |   <script src="/static/js/bootstrap.min.js"></script>
64 |   <script src="/static/js/main.js"></script>
65 | 
66 | 	</body>
67 | </html>


--------------------------------------------------------------------------------
/app/challenges/xsleak/static/js/main.js:
--------------------------------------------------------------------------------
1 | (function($) {
2 | 
3 | 	"use strict";
4 | 
5 | 
6 | })(jQuery);
7 | 


--------------------------------------------------------------------------------
/app/challenges/xsleak/templates/board.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF BOARD-XSLEAK</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		function fn_view(seq){
15 | 			location.replace(`/board/${seq}`);
16 | 		}
17 | 	</script>
18 | 	</head>
19 | 	<body>
20 | 	<section class="ftco-section">
21 | 		<div class="container" style="max-width: 100%;">
22 | 			<div class="row justify-content-center">
23 | 				<div class="col-md-6 text-center mb-5">
24 | 					<h2 class="heading-section">Mini CTF BOARD-XSLEAK</h2>
25 | 				</div>
26 | 			</div>
27 | 			<div class="row justify-content-center">
28 | 				<div class="container">
29 |     <form id="boardForm" name="boardForm" method="post">
30 |         <table class="table table-striped table-hover">
31 |             <thead>
32 |                 <tr>
33 |                     <th>번호</th>
34 |                     <th>제목</th>
35 |                     <th>작성자</th>
36 |                 </tr>
37 |             </thead>
38 |             <tbody>
39 |                 {% for i in articles %}
40 |                     <tr>
41 |                         <td>{{i['seq']}}</td>
42 |                         <td><a href='#' onClick='fn_view({{i["seq"]}})' id="article-{{i['seq']}}">{{i['subject']}}</a></td>
43 |                         <td>{{i['author']}}</td>
44 |                     </tr>
45 |                 {% endfor %}
46 |             </tbody>
47 |         </table>
48 |         <center>
49 |         <div>            
50 |             <a href='#' onClick='location.replace("/write");' class="btn btn-success">글쓰기</a>            
51 |             <a href='#' onClick='location.replace("/report")' class="btn btn-warning">관리자에게 글 읽기 요청</a>    
52 |             <a href='#' onClick='location.replace("/logout")' class="btn btn-info">로그아웃</a>            
53 |         </div>
54 |     	</center>
55 |     </form>
56 | </div>
57 | 			</div>
58 | 		</div>
59 | 	</section>
60 | 
61 | 	<script src="/static/js/jquery.min.js"></script>
62 |   <script src="/static/js/popper.js"></script>
63 |   <script src="/static/js/bootstrap.min.js"></script>
64 |   <script src="/static/js/main.js"></script>
65 | 
66 | 	</body>
67 | </html>


--------------------------------------------------------------------------------
/app/challenges/xsleak/templates/login.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF LOGIN-XSLEAK</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		var msg = '{{ msg }}';
15 | 		if (msg != "false"){
16 | 			alert(msg);
17 | 		} 
18 | 	</script>
19 | 	</head>
20 | 	<body>
21 | 	<section class="ftco-section">
22 | 		<div class="container">
23 | 			<div class="row justify-content-center">
24 | 				<div class="col-md-6 text-center mb-5">
25 | 					<h2 class="heading-section">LOGIN-XSLEAK</h2>
26 | 				</div>
27 | 			</div>
28 | 			<div class="row justify-content-center">
29 | 				<div class="col-md-7 col-lg-5">
30 | 					<div class="login-wrap p-4 p-md-5">
31 | 		      	<div class="icon d-flex align-items-center justify-content-center">
32 | 		      		<span class="fa fa-user-o"></span>
33 | 		      	</div>
34 | 		      	<h3 class="text-center mb-4">Sign In</h3>
35 | 						<form id="form1" method="POST" action="/login" class="login-form">
36 | 		      		<div class="form-group">
37 | 		      			<input type="text" class="form-control rounded-left" id="userid" name="userid" placeholder="Username" id="userid" required>
38 | 		      		</div>
39 | 	            <div class="form-group d-flex">
40 | 	              <input type="password" class="form-control rounded-left" id="userpw" name="userpw" placeholder="Password" id="userpw" required>
41 | 	            </div>
42 | 	            <div class="form-group">
43 | 	            	<button type="submit" class="form-control btn btn-primary rounded submit px-3" id="submit-login">Login</button>
44 | 	            </div>
45 | 	            <div class="form-group d-md-flex">
46 | 	            	<div class="w-50">
47 | 								</div>
48 | 								<div class="w-50 text-md-right">
49 | 									<a href="/register">Register</a>
50 | 								</div>
51 | 	            </div>
52 | 	          </form>
53 | 	        </div>
54 | 				</div>
55 | 			</div>
56 | 		</div>
57 | 	</section>
58 | 
59 | 	<script src="/static/js/jquery.min.js"></script>
60 |   <script src="/static/js/popper.js"></script>
61 |   <script src="/static/js/bootstrap.min.js"></script>
62 |   <script src="/static/js/main.js"></script>
63 | 
64 | 	</body>
65 | </html>


--------------------------------------------------------------------------------
/app/challenges/xsleak/templates/register.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF REGISTER-XSLEAK</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		var msg = '{{ msg }}';
15 | 		if (msg != "false"){
16 | 			alert(msg);
17 | 		} 
18 | 	</script>
19 | 	</head>
20 | 	<body>
21 | 	<section class="ftco-section">
22 | 		<div class="container">
23 | 			<div class="row justify-content-center">
24 | 				<div class="col-md-6 text-center mb-5">
25 | 					<h2 class="heading-section">Mini CTF REGISTER-XSLEAK</h2>
26 | 				</div>
27 | 			</div>
28 | 			<div class="row justify-content-center">
29 | 				<div class="col-md-7 col-lg-5">
30 | 					<div class="login-wrap p-4 p-md-5">
31 | 		      	<div class="icon d-flex align-items-center justify-content-center">
32 | 		      		<span class="fa fa-user-o"></span>
33 | 		      	</div>
34 | 		      	<h3 class="text-center mb-4">Register</h3>
35 | 				<form id="form1" method="POST" action="/register" enctype="multipart/form-data" class="login-form">
36 | 		      		<div class="form-group">
37 | 		      			<input type="text" class="form-control rounded-left" id="userid" name="userid" placeholder="Username" required>
38 | 		      		</div>
39 | 	            <div class="form-group d-flex">
40 | 	              <input type="password" class="form-control rounded-left" id="userpw" name="userpw" placeholder="Password" required>
41 | 	            </div>
42 | 	            <div class="form-group">
43 | 	            	<button type="submit" class="form-control btn btn-primary rounded submit px-3">Register</button>
44 | 	            </div>
45 | 	          </form>
46 | 	        </div>
47 | 				</div>
48 | 			</div>
49 | 		</div>
50 | 	</section>
51 | 
52 | 	<script src="/static/js/jquery.min.js"></script>
53 |   <script src="/static/js/popper.js"></script>
54 |   <script src="/static/js/bootstrap.min.js"></script>
55 |   <script src="/static/js/main.js"></script>
56 | 
57 | 	</body>
58 | </html>


--------------------------------------------------------------------------------
/app/challenges/xsleak/templates/view.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF BOARD-XSLEAK</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 |     
14 |   </head>
15 | 	<body>
16 | 	<section class="ftco-section">
17 | 		
18 | 		<div class="container" style="max-width: 100%;">
19 | 			<div class="row justify-content-center">
20 | 				<div class="col-md-6 text-center mb-5" >
21 | 					<h2 class="heading-section">Mini CTF BOARD-XSLEAK</h2>
22 | 				</div>
23 | 			</div>
24 | 			
25 | 			 <div class="container" class="row justify-content-center">
26 |             <hr/>
27 |             <div class="col-md-6 text-center mb-5" style="max-width: 100%;">
28 |                 <div>
29 |                     <table class="table table-condensed">
30 |                         <thead>
31 |                             <tr align="left">
32 |                                 <th width="15%">제목</th>
33 |                                 <th width="85%">{{articles['subject']}}</th>
34 |                             </tr>
35 |                         </thead>
36 |                         <tbody>
37 |                             <tr align="left">
38 |                                 <td>글쓴이
39 |                                 </td>
40 |                                 <td>
41 |                                 {{articles['author']}}
42 |                                 </td>
43 |                             </tr>
44 |                             <tr>
45 |                                 <td colspan="2" style="text-align: left;">
46 |                                     <!-- vuln here! -->
47 |                                     <p>{{articles['content']|safe}}</p>
48 |                                     <a href="javascript:alert('{{articles['flag']}}')">flag!</a>
49 |                                 </td>
50 |                             </tr>
51 |                         </tbody>
52 |                     </table>
53 | 
54 |                     <table class="table table-condensed">
55 |                         <thead>
56 |                             <tr>
57 |                                 <td>
58 |                                     <span style='float:right'>
59 |                                         <button type="button" id="list" class="btn btn-default" onclick="location.replace('/board');">목록</button>
60 |                                         <button type="button" id="write" class="btn btn-default" onclick="location.replace('/write');">글쓰기</button>
61 |                                     </span>
62 |                                 </td>
63 |                             </tr>
64 |                         </thead>
65 |                     </table>
66 | 								</div>
67 |             </div>
68 |             <hr/>
69 |           </div>
70 |         </div>    
71 | 		</div>
72 | 		
73 | 	</section>
74 | 
75 | 	<script src="/static/js/jquery.min.js"></script>
76 |   <script src="/static/js/popper.js"></script>
77 |   <script src="/static/js/bootstrap.min.js"></script>
78 |   <script src="/static/js/main.js"></script>
79 | 
80 | 	</body>
81 | </html>


--------------------------------------------------------------------------------
/app/challenges/xsleak/templates/write.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF BOARD-XSLEAK</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		function fn_cancel(){
15 | 			location.replace(`/board`);
16 | 		}
17 | 	</script>
18 | 	</head>
19 | 	<body>
20 | 	<section class="ftco-section">
21 | 		<div class="container" style="max-width: 100%;">
22 | 			<div class="row justify-content-center">
23 | 				<div class="col-md-6 text-center mb-5">
24 | 					<h2 class="heading-section">Mini CTF BOARD-XSLEAK</h2>
25 | 				</div>
26 | 			</div>
27 | 			<div class="row justify-content-center">
28 | 				<div class="container">
29 | 				 <form id="writeForm" name="writeForm" method="post" enctype="multipart/form-data">
30 | 				        <div>
31 | 				            <h2 class="text-center mb-4">글쓰기</h2>
32 | 				            <div>
33 | 				                <div class="mb-3">
34 | 				                  <label class="form-label">제목</label>
35 | 				                  <input class="form-control" type="text" id="subject" name="subject">
36 | 				                </div>
37 | 				                <div class="mb-3">
38 | 				                  <label class="form-label">작성자</label>
39 | 				                  <input class="form-control" type="text" id="author" name="author" value="{{loginid}}" readonly>
40 | 				                </div>
41 | 				                <div class="mb-3">
42 | 				                  <label class="form-label">내용</label>
43 | 				                  <textarea class="form-control" rows="10" cols="10" id="content" name="content"></textarea>
44 | 				                </div>
45 | 				                <div>
46 | 				                	<center>
47 | 				                    <input class="btn btn-success btn-lg" type="submit" value="글쓰기">
48 | 				              			<input class="btn btn-info btn-lg" onClick='fn_cancel()' value="목록">
49 | 				              		</center>
50 | 				                </div>
51 | 
52 | 				              
53 | 				            </div>
54 | 				        </div>
55 | 				    </form>
56 | </div>
57 | 			</div>
58 | 		</div>
59 | 	</section>
60 | 
61 | 	<script src="/static/js/jquery.min.js"></script>
62 |   <script src="/static/js/popper.js"></script>
63 |   <script src="/static/js/bootstrap.min.js"></script>
64 |   <script src="/static/js/main.js"></script>
65 | 
66 | 	</body>
67 | </html>


--------------------------------------------------------------------------------
/app/challenges/xsleak/xsleak.py:
--------------------------------------------------------------------------------
  1 | #-*-coding:utf-8-*-
  2 | import flask
  3 | import os, pymysql, re, hashlib, time, base64, io, requests
  4 | import logging, traceback
  5 | logging.basicConfig(level=logging.INFO)
  6 | logging.getLogger('werkzeug').setLevel(level=logging.WARNING)
  7 | 
  8 | app = flask.Flask(__name__)
  9 | app.secret_key = os.urandom(16)
 10 | app.config['MAX_CONTENT_LENGTH'] = 80 * 1024 * 1024
 11 | 
 12 | ids = {
 13 |     "admin":os.getenv("admin_password")
 14 | }
 15 | 
 16 | articles = []
 17 | 
 18 | def sessionCheck(loginCheck=False):   
 19 |     if loginCheck:
 20 |         if "isLogin" not in flask.session:
 21 |             return False
 22 |         else:
 23 |             return True
 24 | 
 25 |     if "isLogin" in flask.session:
 26 |         return True
 27 |     
 28 |     return False
 29 | 
 30 | def xsscheck(content):
 31 |     content = content.lower()
 32 |     vulns = ["javascript", "script", "frame", "object", "embed", "on", "data", "base", "\\u", "&#", "alert", "fetch", "XMLHttpRequest", "eval", "constructor"]
 33 |     for char in vulns:
 34 |         if char in content:
 35 |             return True
 36 | 
 37 |     return False
 38 | 
 39 | 
 40 | @app.route("/")
 41 | def index():
 42 |     if sessionCheck(loginCheck=True):
 43 |         return flask.redirect(flask.url_for("board"))
 44 | 
 45 |     return flask.redirect(flask.url_for("login"))
 46 | 
 47 | 
 48 | 
 49 | @app.route("/login", methods=["GET","POST"])
 50 | def login():
 51 |     if flask.request.method == "GET":
 52 |         if sessionCheck(loginCheck=True):
 53 |             return flask.redirect(flask.url_for("board"))
 54 |         
 55 |         return flask.render_template("login.html", msg="false")
 56 |     else:
 57 |         if sessionCheck():
 58 |             return flask.redirect(flask.url_for("board"))
 59 |         
 60 |         userid = flask.request.form["userid"]
 61 |         userpw = flask.request.form["userpw"]
 62 |         
 63 |         if userid in ids:
 64 |             if ids[userid] == userpw:
 65 |                 flask.session["userid"] = userid
 66 |                 flask.session["isLogin"] = True
 67 |                     
 68 |                 resp = flask.make_response(flask.redirect(flask.url_for("board")))
 69 |                 resp.set_cookie('userid', flask.session["userid"])
 70 |                 return resp
 71 |             else:
 72 |                 return flask.render_template("login.html", msg="login fail")
 73 |         else:
 74 |             return flask.render_template("login.html", msg="login fail")
 75 | 
 76 | 
 77 | @app.route("/register", methods=["GET","POST"])
 78 | def register():
 79 |     if flask.request.method == "GET":
 80 |         if sessionCheck(loginCheck=True):
 81 |             return flask.redirect(flask.url_for("board"))
 82 |         
 83 |         return flask.render_template("register.html", msg="false")
 84 |     else:
 85 |         if sessionCheck():
 86 |             return flask.redirect(flask.url_for("board"))
 87 | 
 88 |         userid = flask.request.form["userid"] 
 89 |         userpw = flask.request.form["userpw"]
 90 |         
 91 |         if userid not in ids:
 92 |             ids[userid] = userpw
 93 |             return flask.render_template("login.html", msg="false")
 94 |         else:
 95 |             return flask.render_template("register.html", msg="already registered id")
 96 | 
 97 | 
 98 | @app.route("/logout")
 99 | def logout():
100 |     flask.session.pop('isLogin', False)
101 |     resp = flask.make_response(flask.redirect(flask.url_for("login")))
102 |     resp.set_cookie('userid', expires=0)
103 |     return resp
104 | 
105 | 
106 | @app.route("/board", methods=["GET"])
107 | def board():
108 |     if not sessionCheck(loginCheck=True):
109 |         return flask.redirect(flask.url_for("login"))
110 |     results = []
111 |     for i in articles:
112 |         if i["author"] == flask.session["userid"] or flask.session["userid"] == "admin" or i["author"] == "admin":
113 |             results.append(i)
114 |     return flask.render_template("board.html", articles=results)
115 | 
116 | 
117 | @app.route("/board/<seq>")
118 | def viewboard(seq):
119 |     if not sessionCheck(loginCheck=True):
120 |         return flask.redirect(flask.url_for("login"))
121 | 
122 |     article = articles[int(seq)]
123 |     if article["author"] == flask.session["userid"] or flask.session["userid"] == "admin":
124 |         article["flag"] = os.getenv("xsleak_flag") if flask.session["userid"] == "admin" else "no flag to user"
125 |         return flask.render_template("view.html", articles=article)
126 |     else:
127 |         return "<script>alert('This is not your article');location.replace('/');</script>"
128 | 
129 | 
130 | @app.route("/write", methods=["GET", "POST"])
131 | def write():
132 |     if not sessionCheck(loginCheck=True):
133 |         return flask.redirect(flask.url_for("login"))
134 | 
135 |     if flask.request.method == "GET":
136 |         return flask.render_template("write.html", loginid=flask.session["userid"])
137 | 
138 |     elif flask.request.method == "POST":
139 |         subject = flask.request.form["subject"]
140 |         author = flask.request.form["author"]
141 |         content = flask.request.form["content"]
142 |         
143 |         if not xsscheck(content):
144 |             req = {
145 |                 'seq':len(articles),
146 |                 'subject':subject,
147 |                 'author':flask.session['userid'],
148 |                 'content':content
149 |             }
150 | 
151 |             articles.append(req)
152 | 
153 |             return flask.redirect(flask.url_for("board"))
154 |         else:
155 |             return '<script>alert("no hack");history.go(-1);</script>'
156 | 
157 | 
158 | @app.route("/report", methods=["GET", "POST"])
159 | def report():
160 |     if flask.request.method == "GET":
161 |         return '''
162 |         <form method="POST" action="/report">
163 |             <input type="text" name="url" placeholder="input url..." style="width:25%; height: 7%;">
164 |             <input type="submit" value="submit">
165 |         </form>
166 |         '''
167 |     elif flask.request.method == "POST":
168 |         url = flask.request.form['url']
169 |         requests.post(f"http://arang_client:9000/run", data=f"chal=xsleak&url={url}", headers={"Content-Type":"application/x-www-form-urlencoded", "Content-Length":"1"})
170 |         return "<script>history.go(-1);</script>"
171 | 
172 | 
173 | if __name__ == "__main__":
174 |     try:
175 |         app.run(host="0.0.0.0", port=9006, debug=True)
176 |     except Exception as ex:
177 |         logging.info(str(ex))
178 |         pass
179 | 


--------------------------------------------------------------------------------
/app/challenges/xss1/static/js/main.js:
--------------------------------------------------------------------------------
1 | (function($) {
2 | 
3 | 	"use strict";
4 | 
5 | 
6 | })(jQuery);
7 | 


--------------------------------------------------------------------------------
/app/challenges/xss1/static/js/popper.js:
--------------------------------------------------------------------------------
1 | /*
2 |  Copyright (C) Federico Zivolo 2019
3 |  Distributed under the MIT License (license terms are at http://opensource.org/licenses/MIT).
4 |  */(function(e,t){'object'==typeof exports&&'undefined'!=typeof module?module.exports=t():'function'==typeof define&&define.amd?define(t):e.Popper=t()})(this,function(){'use strict';function e(e){return e&&'[object Function]'==={}.toString.call(e)}function t(e,t){if(1!==e.nodeType)return[];var o=e.ownerDocument.defaultView,n=o.getComputedStyle(e,null);return t?n[t]:n}function o(e){return'HTML'===e.nodeName?e:e.parentNode||e.host}function n(e){if(!e)return document.body;switch(e.nodeName){case'HTML':case'BODY':return e.ownerDocument.body;case'#document':return e.body;}var i=t(e),r=i.overflow,p=i.overflowX,s=i.overflowY;return /(auto|scroll|overlay)/.test(r+s+p)?e:n(o(e))}function r(e){return 11===e?pe:10===e?se:pe||se}function p(e){if(!e)return document.documentElement;for(var o=r(10)?document.body:null,n=e.offsetParent||null;n===o&&e.nextElementSibling;)n=(e=e.nextElementSibling).offsetParent;var i=n&&n.nodeName;return i&&'BODY'!==i&&'HTML'!==i?-1!==['TH','TD','TABLE'].indexOf(n.nodeName)&&'static'===t(n,'position')?p(n):n:e?e.ownerDocument.documentElement:document.documentElement}function s(e){var t=e.nodeName;return'BODY'!==t&&('HTML'===t||p(e.firstElementChild)===e)}function d(e){return null===e.parentNode?e:d(e.parentNode)}function a(e,t){if(!e||!e.nodeType||!t||!t.nodeType)return document.documentElement;var o=e.compareDocumentPosition(t)&Node.DOCUMENT_POSITION_FOLLOWING,n=o?e:t,i=o?t:e,r=document.createRange();r.setStart(n,0),r.setEnd(i,0);var l=r.commonAncestorContainer;if(e!==l&&t!==l||n.contains(i))return s(l)?l:p(l);var f=d(e);return f.host?a(f.host,t):a(e,d(t).host)}function l(e){var t=1<arguments.length&&void 0!==arguments[1]?arguments[1]:'top',o='top'===t?'scrollTop':'scrollLeft',n=e.nodeName;if('BODY'===n||'HTML'===n){var i=e.ownerDocument.documentElement,r=e.ownerDocument.scrollingElement||i;return r[o]}return e[o]}function f(e,t){var o=2<arguments.length&&void 0!==arguments[2]&&arguments[2],n=l(t,'top'),i=l(t,'left'),r=o?-1:1;return e.top+=n*r,e.bottom+=n*r,e.left+=i*r,e.right+=i*r,e}function m(e,t){var o='x'===t?'Left':'Top',n='Left'==o?'Right':'Bottom';return parseFloat(e['border'+o+'Width'],10)+parseFloat(e['border'+n+'Width'],10)}function h(e,t,o,n){return ee(t['offset'+e],t['scroll'+e],o['client'+e],o['offset'+e],o['scroll'+e],r(10)?parseInt(o['offset'+e])+parseInt(n['margin'+('Height'===e?'Top':'Left')])+parseInt(n['margin'+('Height'===e?'Bottom':'Right')]):0)}function c(e){var t=e.body,o=e.documentElement,n=r(10)&&getComputedStyle(o);return{height:h('Height',t,o,n),width:h('Width',t,o,n)}}function g(e){return fe({},e,{right:e.left+e.width,bottom:e.top+e.height})}function u(e){var o={};try{if(r(10)){o=e.getBoundingClientRect();var n=l(e,'top'),i=l(e,'left');o.top+=n,o.left+=i,o.bottom+=n,o.right+=i}else o=e.getBoundingClientRect()}catch(t){}var p={left:o.left,top:o.top,width:o.right-o.left,height:o.bottom-o.top},s='HTML'===e.nodeName?c(e.ownerDocument):{},d=s.width||e.clientWidth||p.right-p.left,a=s.height||e.clientHeight||p.bottom-p.top,f=e.offsetWidth-d,h=e.offsetHeight-a;if(f||h){var u=t(e);f-=m(u,'x'),h-=m(u,'y'),p.width-=f,p.height-=h}return g(p)}function b(e,o){var i=2<arguments.length&&void 0!==arguments[2]&&arguments[2],p=r(10),s='HTML'===o.nodeName,d=u(e),a=u(o),l=n(e),m=t(o),h=parseFloat(m.borderTopWidth,10),c=parseFloat(m.borderLeftWidth,10);i&&s&&(a.top=ee(a.top,0),a.left=ee(a.left,0));var b=g({top:d.top-a.top-h,left:d.left-a.left-c,width:d.width,height:d.height});if(b.marginTop=0,b.marginLeft=0,!p&&s){var w=parseFloat(m.marginTop,10),y=parseFloat(m.marginLeft,10);b.top-=h-w,b.bottom-=h-w,b.left-=c-y,b.right-=c-y,b.marginTop=w,b.marginLeft=y}return(p&&!i?o.contains(l):o===l&&'BODY'!==l.nodeName)&&(b=f(b,o)),b}function w(e){var t=1<arguments.length&&void 0!==arguments[1]&&arguments[1],o=e.ownerDocument.documentElement,n=b(e,o),i=ee(o.clientWidth,window.innerWidth||0),r=ee(o.clientHeight,window.innerHeight||0),p=t?0:l(o),s=t?0:l(o,'left'),d={top:p-n.top+n.marginTop,left:s-n.left+n.marginLeft,width:i,height:r};return g(d)}function y(e){var n=e.nodeName;if('BODY'===n||'HTML'===n)return!1;if('fixed'===t(e,'position'))return!0;var i=o(e);return!!i&&y(i)}function E(e){if(!e||!e.parentElement||r())return document.documentElement;for(var o=e.parentElement;o&&'none'===t(o,'transform');)o=o.parentElement;return o||document.documentElement}function v(e,t,i,r){var p=4<arguments.length&&void 0!==arguments[4]&&arguments[4],s={top:0,left:0},d=p?E(e):a(e,t);if('viewport'===r)s=w(d,p);else{var l;'scrollParent'===r?(l=n(o(t)),'BODY'===l.nodeName&&(l=e.ownerDocument.documentElement)):'window'===r?l=e.ownerDocument.documentElement:l=r;var f=b(l,d,p);if('HTML'===l.nodeName&&!y(d)){var m=c(e.ownerDocument),h=m.height,g=m.width;s.top+=f.top-f.marginTop,s.bottom=h+f.top,s.left+=f.left-f.marginLeft,s.right=g+f.left}else s=f}i=i||0;var u='number'==typeof i;return s.left+=u?i:i.left||0,s.top+=u?i:i.top||0,s.right-=u?i:i.right||0,s.bottom-=u?i:i.bottom||0,s}function x(e){var t=e.width,o=e.height;return t*o}function O(e,t,o,n,i){var r=5<arguments.length&&void 0!==arguments[5]?arguments[5]:0;if(-1===e.indexOf('auto'))return e;var p=v(o,n,r,i),s={top:{width:p.width,height:t.top-p.top},right:{width:p.right-t.right,height:p.height},bottom:{width:p.width,height:p.bottom-t.bottom},left:{width:t.left-p.left,height:p.height}},d=Object.keys(s).map(function(e){return fe({key:e},s[e],{area:x(s[e])})}).sort(function(e,t){return t.area-e.area}),a=d.filter(function(e){var t=e.width,n=e.height;return t>=o.clientWidth&&n>=o.clientHeight}),l=0<a.length?a[0].key:d[0].key,f=e.split('-')[1];return l+(f?'-'+f:'')}function L(e,t,o){var n=3<arguments.length&&void 0!==arguments[3]?arguments[3]:null,i=n?E(t):a(t,o);return b(o,i,n)}function S(e){var t=e.ownerDocument.defaultView,o=t.getComputedStyle(e),n=parseFloat(o.marginTop||0)+parseFloat(o.marginBottom||0),i=parseFloat(o.marginLeft||0)+parseFloat(o.marginRight||0),r={width:e.offsetWidth+i,height:e.offsetHeight+n};return r}function T(e){var t={left:'right',right:'left',bottom:'top',top:'bottom'};return e.replace(/left|right|bottom|top/g,function(e){return t[e]})}function D(e,t,o){o=o.split('-')[0];var n=S(e),i={width:n.width,height:n.height},r=-1!==['right','left'].indexOf(o),p=r?'top':'left',s=r?'left':'top',d=r?'height':'width',a=r?'width':'height';return i[p]=t[p]+t[d]/2-n[d]/2,i[s]=o===s?t[s]-n[a]:t[T(s)],i}function C(e,t){return Array.prototype.find?e.find(t):e.filter(t)[0]}function N(e,t,o){if(Array.prototype.findIndex)return e.findIndex(function(e){return e[t]===o});var n=C(e,function(e){return e[t]===o});return e.indexOf(n)}function P(t,o,n){var i=void 0===n?t:t.slice(0,N(t,'name',n));return i.forEach(function(t){t['function']&&console.warn('`modifier.function` is deprecated, use `modifier.fn`!');var n=t['function']||t.fn;t.enabled&&e(n)&&(o.offsets.popper=g(o.offsets.popper),o.offsets.reference=g(o.offsets.reference),o=n(o,t))}),o}function k(){if(!this.state.isDestroyed){var e={instance:this,styles:{},arrowStyles:{},attributes:{},flipped:!1,offsets:{}};e.offsets.reference=L(this.state,this.popper,this.reference,this.options.positionFixed),e.placement=O(this.options.placement,e.offsets.reference,this.popper,this.reference,this.options.modifiers.flip.boundariesElement,this.options.modifiers.flip.padding),e.originalPlacement=e.placement,e.positionFixed=this.options.positionFixed,e.offsets.popper=D(this.popper,e.offsets.reference,e.placement),e.offsets.popper.position=this.options.positionFixed?'fixed':'absolute',e=P(this.modifiers,e),this.state.isCreated?this.options.onUpdate(e):(this.state.isCreated=!0,this.options.onCreate(e))}}function W(e,t){return e.some(function(e){var o=e.name,n=e.enabled;return n&&o===t})}function H(e){for(var t=[!1,'ms','Webkit','Moz','O'],o=e.charAt(0).toUpperCase()+e.slice(1),n=0;n<t.length;n++){var i=t[n],r=i?''+i+o:e;if('undefined'!=typeof document.body.style[r])return r}return null}function B(){return this.state.isDestroyed=!0,W(this.modifiers,'applyStyle')&&(this.popper.removeAttribute('x-placement'),this.popper.style.position='',this.popper.style.top='',this.popper.style.left='',this.popper.style.right='',this.popper.style.bottom='',this.popper.style.willChange='',this.popper.style[H('transform')]=''),this.disableEventListeners(),this.options.removeOnDestroy&&this.popper.parentNode.removeChild(this.popper),this}function A(e){var t=e.ownerDocument;return t?t.defaultView:window}function M(e,t,o,i){var r='BODY'===e.nodeName,p=r?e.ownerDocument.defaultView:e;p.addEventListener(t,o,{passive:!0}),r||M(n(p.parentNode),t,o,i),i.push(p)}function F(e,t,o,i){o.updateBound=i,A(e).addEventListener('resize',o.updateBound,{passive:!0});var r=n(e);return M(r,'scroll',o.updateBound,o.scrollParents),o.scrollElement=r,o.eventsEnabled=!0,o}function I(){this.state.eventsEnabled||(this.state=F(this.reference,this.options,this.state,this.scheduleUpdate))}function R(e,t){return A(e).removeEventListener('resize',t.updateBound),t.scrollParents.forEach(function(e){e.removeEventListener('scroll',t.updateBound)}),t.updateBound=null,t.scrollParents=[],t.scrollElement=null,t.eventsEnabled=!1,t}function U(){this.state.eventsEnabled&&(cancelAnimationFrame(this.scheduleUpdate),this.state=R(this.reference,this.state))}function Y(e){return''!==e&&!isNaN(parseFloat(e))&&isFinite(e)}function j(e,t){Object.keys(t).forEach(function(o){var n='';-1!==['width','height','top','right','bottom','left'].indexOf(o)&&Y(t[o])&&(n='px'),e.style[o]=t[o]+n})}function V(e,t){Object.keys(t).forEach(function(o){var n=t[o];!1===n?e.removeAttribute(o):e.setAttribute(o,t[o])})}function q(e,t){var o=e.offsets,n=o.popper,i=o.reference,r=$,p=function(e){return e},s=r(i.width),d=r(n.width),a=-1!==['left','right'].indexOf(e.placement),l=-1!==e.placement.indexOf('-'),f=t?a||l||s%2==d%2?r:Z:p,m=t?r:p;return{left:f(1==s%2&&1==d%2&&!l&&t?n.left-1:n.left),top:m(n.top),bottom:m(n.bottom),right:f(n.right)}}function K(e,t,o){var n=C(e,function(e){var o=e.name;return o===t}),i=!!n&&e.some(function(e){return e.name===o&&e.enabled&&e.order<n.order});if(!i){var r='`'+t+'`';console.warn('`'+o+'`'+' modifier is required by '+r+' modifier in order to work, be sure to include it before '+r+'!')}return i}function z(e){return'end'===e?'start':'start'===e?'end':e}function G(e){var t=1<arguments.length&&void 0!==arguments[1]&&arguments[1],o=ce.indexOf(e),n=ce.slice(o+1).concat(ce.slice(0,o));return t?n.reverse():n}function _(e,t,o,n){var i=e.match(/((?:\-|\+)?\d*\.?\d*)(.*)/),r=+i[1],p=i[2];if(!r)return e;if(0===p.indexOf('%')){var s;switch(p){case'%p':s=o;break;case'%':case'%r':default:s=n;}var d=g(s);return d[t]/100*r}if('vh'===p||'vw'===p){var a;return a='vh'===p?ee(document.documentElement.clientHeight,window.innerHeight||0):ee(document.documentElement.clientWidth,window.innerWidth||0),a/100*r}return r}function X(e,t,o,n){var i=[0,0],r=-1!==['right','left'].indexOf(n),p=e.split(/(\+|\-)/).map(function(e){return e.trim()}),s=p.indexOf(C(p,function(e){return-1!==e.search(/,|\s/)}));p[s]&&-1===p[s].indexOf(',')&&console.warn('Offsets separated by white space(s) are deprecated, use a comma (,) instead.');var d=/\s*,\s*|\s+/,a=-1===s?[p]:[p.slice(0,s).concat([p[s].split(d)[0]]),[p[s].split(d)[1]].concat(p.slice(s+1))];return a=a.map(function(e,n){var i=(1===n?!r:r)?'height':'width',p=!1;return e.reduce(function(e,t){return''===e[e.length-1]&&-1!==['+','-'].indexOf(t)?(e[e.length-1]=t,p=!0,e):p?(e[e.length-1]+=t,p=!1,e):e.concat(t)},[]).map(function(e){return _(e,i,t,o)})}),a.forEach(function(e,t){e.forEach(function(o,n){Y(o)&&(i[t]+=o*('-'===e[n-1]?-1:1))})}),i}function J(e,t){var o,n=t.offset,i=e.placement,r=e.offsets,p=r.popper,s=r.reference,d=i.split('-')[0];return o=Y(+n)?[+n,0]:X(n,p,s,d),'left'===d?(p.top+=o[0],p.left-=o[1]):'right'===d?(p.top+=o[0],p.left+=o[1]):'top'===d?(p.left+=o[0],p.top-=o[1]):'bottom'===d&&(p.left+=o[0],p.top+=o[1]),e.popper=p,e}for(var Q=Math.min,Z=Math.floor,$=Math.round,ee=Math.max,te='undefined'!=typeof window&&'undefined'!=typeof document,oe=['Edge','Trident','Firefox'],ne=0,ie=0;ie<oe.length;ie+=1)if(te&&0<=navigator.userAgent.indexOf(oe[ie])){ne=1;break}var i=te&&window.Promise,re=i?function(e){var t=!1;return function(){t||(t=!0,window.Promise.resolve().then(function(){t=!1,e()}))}}:function(e){var t=!1;return function(){t||(t=!0,setTimeout(function(){t=!1,e()},ne))}},pe=te&&!!(window.MSInputMethodContext&&document.documentMode),se=te&&/MSIE 10/.test(navigator.userAgent),de=function(e,t){if(!(e instanceof t))throw new TypeError('Cannot call a class as a function')},ae=function(){function e(e,t){for(var o,n=0;n<t.length;n++)o=t[n],o.enumerable=o.enumerable||!1,o.configurable=!0,'value'in o&&(o.writable=!0),Object.defineProperty(e,o.key,o)}return function(t,o,n){return o&&e(t.prototype,o),n&&e(t,n),t}}(),le=function(e,t,o){return t in e?Object.defineProperty(e,t,{value:o,enumerable:!0,configurable:!0,writable:!0}):e[t]=o,e},fe=Object.assign||function(e){for(var t,o=1;o<arguments.length;o++)for(var n in t=arguments[o],t)Object.prototype.hasOwnProperty.call(t,n)&&(e[n]=t[n]);return e},me=te&&/Firefox/i.test(navigator.userAgent),he=['auto-start','auto','auto-end','top-start','top','top-end','right-start','right','right-end','bottom-end','bottom','bottom-start','left-end','left','left-start'],ce=he.slice(3),ge={FLIP:'flip',CLOCKWISE:'clockwise',COUNTERCLOCKWISE:'counterclockwise'},ue=function(){function t(o,n){var i=this,r=2<arguments.length&&void 0!==arguments[2]?arguments[2]:{};de(this,t),this.scheduleUpdate=function(){return requestAnimationFrame(i.update)},this.update=re(this.update.bind(this)),this.options=fe({},t.Defaults,r),this.state={isDestroyed:!1,isCreated:!1,scrollParents:[]},this.reference=o&&o.jquery?o[0]:o,this.popper=n&&n.jquery?n[0]:n,this.options.modifiers={},Object.keys(fe({},t.Defaults.modifiers,r.modifiers)).forEach(function(e){i.options.modifiers[e]=fe({},t.Defaults.modifiers[e]||{},r.modifiers?r.modifiers[e]:{})}),this.modifiers=Object.keys(this.options.modifiers).map(function(e){return fe({name:e},i.options.modifiers[e])}).sort(function(e,t){return e.order-t.order}),this.modifiers.forEach(function(t){t.enabled&&e(t.onLoad)&&t.onLoad(i.reference,i.popper,i.options,t,i.state)}),this.update();var p=this.options.eventsEnabled;p&&this.enableEventListeners(),this.state.eventsEnabled=p}return ae(t,[{key:'update',value:function(){return k.call(this)}},{key:'destroy',value:function(){return B.call(this)}},{key:'enableEventListeners',value:function(){return I.call(this)}},{key:'disableEventListeners',value:function(){return U.call(this)}}]),t}();return ue.Utils=('undefined'==typeof window?global:window).PopperUtils,ue.placements=he,ue.Defaults={placement:'bottom',positionFixed:!1,eventsEnabled:!0,removeOnDestroy:!1,onCreate:function(){},onUpdate:function(){},modifiers:{shift:{order:100,enabled:!0,fn:function(e){var t=e.placement,o=t.split('-')[0],n=t.split('-')[1];if(n){var i=e.offsets,r=i.reference,p=i.popper,s=-1!==['bottom','top'].indexOf(o),d=s?'left':'top',a=s?'width':'height',l={start:le({},d,r[d]),end:le({},d,r[d]+r[a]-p[a])};e.offsets.popper=fe({},p,l[n])}return e}},offset:{order:200,enabled:!0,fn:J,offset:0},preventOverflow:{order:300,enabled:!0,fn:function(e,t){var o=t.boundariesElement||p(e.instance.popper);e.instance.reference===o&&(o=p(o));var n=H('transform'),i=e.instance.popper.style,r=i.top,s=i.left,d=i[n];i.top='',i.left='',i[n]='';var a=v(e.instance.popper,e.instance.reference,t.padding,o,e.positionFixed);i.top=r,i.left=s,i[n]=d,t.boundaries=a;var l=t.priority,f=e.offsets.popper,m={primary:function(e){var o=f[e];return f[e]<a[e]&&!t.escapeWithReference&&(o=ee(f[e],a[e])),le({},e,o)},secondary:function(e){var o='right'===e?'left':'top',n=f[o];return f[e]>a[e]&&!t.escapeWithReference&&(n=Q(f[o],a[e]-('right'===e?f.width:f.height))),le({},o,n)}};return l.forEach(function(e){var t=-1===['left','top'].indexOf(e)?'secondary':'primary';f=fe({},f,m[t](e))}),e.offsets.popper=f,e},priority:['left','right','top','bottom'],padding:5,boundariesElement:'scrollParent'},keepTogether:{order:400,enabled:!0,fn:function(e){var t=e.offsets,o=t.popper,n=t.reference,i=e.placement.split('-')[0],r=Z,p=-1!==['top','bottom'].indexOf(i),s=p?'right':'bottom',d=p?'left':'top',a=p?'width':'height';return o[s]<r(n[d])&&(e.offsets.popper[d]=r(n[d])-o[a]),o[d]>r(n[s])&&(e.offsets.popper[d]=r(n[s])),e}},arrow:{order:500,enabled:!0,fn:function(e,o){var n;if(!K(e.instance.modifiers,'arrow','keepTogether'))return e;var i=o.element;if('string'==typeof i){if(i=e.instance.popper.querySelector(i),!i)return e;}else if(!e.instance.popper.contains(i))return console.warn('WARNING: `arrow.element` must be child of its popper element!'),e;var r=e.placement.split('-')[0],p=e.offsets,s=p.popper,d=p.reference,a=-1!==['left','right'].indexOf(r),l=a?'height':'width',f=a?'Top':'Left',m=f.toLowerCase(),h=a?'left':'top',c=a?'bottom':'right',u=S(i)[l];d[c]-u<s[m]&&(e.offsets.popper[m]-=s[m]-(d[c]-u)),d[m]+u>s[c]&&(e.offsets.popper[m]+=d[m]+u-s[c]),e.offsets.popper=g(e.offsets.popper);var b=d[m]+d[l]/2-u/2,w=t(e.instance.popper),y=parseFloat(w['margin'+f],10),E=parseFloat(w['border'+f+'Width'],10),v=b-e.offsets.popper[m]-y-E;return v=ee(Q(s[l]-u,v),0),e.arrowElement=i,e.offsets.arrow=(n={},le(n,m,$(v)),le(n,h,''),n),e},element:'[x-arrow]'},flip:{order:600,enabled:!0,fn:function(e,t){if(W(e.instance.modifiers,'inner'))return e;if(e.flipped&&e.placement===e.originalPlacement)return e;var o=v(e.instance.popper,e.instance.reference,t.padding,t.boundariesElement,e.positionFixed),n=e.placement.split('-')[0],i=T(n),r=e.placement.split('-')[1]||'',p=[];switch(t.behavior){case ge.FLIP:p=[n,i];break;case ge.CLOCKWISE:p=G(n);break;case ge.COUNTERCLOCKWISE:p=G(n,!0);break;default:p=t.behavior;}return p.forEach(function(s,d){if(n!==s||p.length===d+1)return e;n=e.placement.split('-')[0],i=T(n);var a=e.offsets.popper,l=e.offsets.reference,f=Z,m='left'===n&&f(a.right)>f(l.left)||'right'===n&&f(a.left)<f(l.right)||'top'===n&&f(a.bottom)>f(l.top)||'bottom'===n&&f(a.top)<f(l.bottom),h=f(a.left)<f(o.left),c=f(a.right)>f(o.right),g=f(a.top)<f(o.top),u=f(a.bottom)>f(o.bottom),b='left'===n&&h||'right'===n&&c||'top'===n&&g||'bottom'===n&&u,w=-1!==['top','bottom'].indexOf(n),y=!!t.flipVariations&&(w&&'start'===r&&h||w&&'end'===r&&c||!w&&'start'===r&&g||!w&&'end'===r&&u);(m||b||y)&&(e.flipped=!0,(m||b)&&(n=p[d+1]),y&&(r=z(r)),e.placement=n+(r?'-'+r:''),e.offsets.popper=fe({},e.offsets.popper,D(e.instance.popper,e.offsets.reference,e.placement)),e=P(e.instance.modifiers,e,'flip'))}),e},behavior:'flip',padding:5,boundariesElement:'viewport'},inner:{order:700,enabled:!1,fn:function(e){var t=e.placement,o=t.split('-')[0],n=e.offsets,i=n.popper,r=n.reference,p=-1!==['left','right'].indexOf(o),s=-1===['top','left'].indexOf(o);return i[p?'left':'top']=r[o]-(s?i[p?'width':'height']:0),e.placement=T(t),e.offsets.popper=g(i),e}},hide:{order:800,enabled:!0,fn:function(e){if(!K(e.instance.modifiers,'hide','preventOverflow'))return e;var t=e.offsets.reference,o=C(e.instance.modifiers,function(e){return'preventOverflow'===e.name}).boundaries;if(t.bottom<o.top||t.left>o.right||t.top>o.bottom||t.right<o.left){if(!0===e.hide)return e;e.hide=!0,e.attributes['x-out-of-boundaries']=''}else{if(!1===e.hide)return e;e.hide=!1,e.attributes['x-out-of-boundaries']=!1}return e}},computeStyle:{order:850,enabled:!0,fn:function(e,t){var o=t.x,n=t.y,i=e.offsets.popper,r=C(e.instance.modifiers,function(e){return'applyStyle'===e.name}).gpuAcceleration;void 0!==r&&console.warn('WARNING: `gpuAcceleration` option moved to `computeStyle` modifier and will not be supported in future versions of Popper.js!');var s,d,a=void 0===r?t.gpuAcceleration:r,l=p(e.instance.popper),f=u(l),m={position:i.position},h=q(e,2>window.devicePixelRatio||!me),c='bottom'===o?'top':'bottom',g='right'===n?'left':'right',b=H('transform');if(d='bottom'==c?'HTML'===l.nodeName?-l.clientHeight+h.bottom:-f.height+h.bottom:h.top,s='right'==g?'HTML'===l.nodeName?-l.clientWidth+h.right:-f.width+h.right:h.left,a&&b)m[b]='translate3d('+s+'px, '+d+'px, 0)',m[c]=0,m[g]=0,m.willChange='transform';else{var w='bottom'==c?-1:1,y='right'==g?-1:1;m[c]=d*w,m[g]=s*y,m.willChange=c+', '+g}var E={"x-placement":e.placement};return e.attributes=fe({},E,e.attributes),e.styles=fe({},m,e.styles),e.arrowStyles=fe({},e.offsets.arrow,e.arrowStyles),e},gpuAcceleration:!0,x:'bottom',y:'right'},applyStyle:{order:900,enabled:!0,fn:function(e){return j(e.instance.popper,e.styles),V(e.instance.popper,e.attributes),e.arrowElement&&Object.keys(e.arrowStyles).length&&j(e.arrowElement,e.arrowStyles),e},onLoad:function(e,t,o,n,i){var r=L(i,t,e,o.positionFixed),p=O(o.placement,r,t,e,o.modifiers.flip.boundariesElement,o.modifiers.flip.padding);return t.setAttribute('x-placement',p),j(t,{position:o.positionFixed?'fixed':'absolute'}),o},gpuAcceleration:void 0}}},ue});
5 | //# sourceMappingURL=popper.min.js.map


--------------------------------------------------------------------------------
/app/challenges/xss1/templates/board.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF BOARD-XSS1</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		function fn_view(seq){
15 | 			location.replace(`/board/${seq}`);
16 | 		}
17 | 	</script>
18 | 	</head>
19 | 	<body>
20 | 	<section class="ftco-section">
21 | 		<div class="container" style="max-width: 100%;">
22 | 			<div class="row justify-content-center">
23 | 				<div class="col-md-6 text-center mb-5">
24 | 					<h2 class="heading-section">Mini CTF BOARD-XSS1</h2>
25 | 				</div>
26 | 			</div>
27 | 			<div class="row justify-content-center">
28 | 				<div class="container">
29 |     <form id="boardForm" name="boardForm" method="post">
30 |         <table class="table table-striped table-hover">
31 |             <thead>
32 |                 <tr>
33 |                     <th>번호</th>
34 |                     <th>제목</th>
35 |                     <th>작성자</th>
36 |                 </tr>
37 |             </thead>
38 |             <tbody>
39 |                 {% for i in articles %}
40 |                     <tr>
41 |                         <td>{{i['seq']}}</td>
42 |                         <td><a href='#' onClick='fn_view({{i["seq"]}})' id="article-{{i['seq']}}">{{i['subject']}}</a></td>
43 |                         <td>{{i['author']}}</td>
44 |                     </tr>
45 |                 {% endfor %}
46 |             </tbody>
47 |         </table>
48 |         <center>
49 |         <div>            
50 |             <a href='#' onClick='location.replace("/write");' class="btn btn-success">글쓰기</a>
51 |             <a href='#' onClick='location.replace("/report")' class="btn btn-warning">관리자에게 글 읽기 요청</a>    
52 |             <a href='#' onClick='location.replace("/logout")' class="btn btn-info">로그아웃</a>            
53 |         </div>
54 |     	</center>
55 |     </form>
56 | </div>
57 | 			</div>
58 | 		</div>
59 | 	</section>
60 | 
61 | 	<script src="/static/js/jquery.min.js"></script>
62 |   <script src="/static/js/popper.js"></script>
63 |   <script src="/static/js/bootstrap.min.js"></script>
64 |   <script src="/static/js/main.js"></script>
65 | 
66 | 	</body>
67 | </html>


--------------------------------------------------------------------------------
/app/challenges/xss1/templates/login.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF LOGIN-XSS1</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		var msg = '{{ msg }}';
15 | 		if (msg != "false"){
16 | 			alert(msg);
17 | 		} 
18 | 	</script>
19 | 	</head>
20 | 	<body>
21 | 	<section class="ftco-section">
22 | 		<div class="container">
23 | 			<div class="row justify-content-center">
24 | 				<div class="col-md-6 text-center mb-5">
25 | 					<h2 class="heading-section">LOGIN-XSS1</h2>
26 | 				</div>
27 | 			</div>
28 | 			<div class="row justify-content-center">
29 | 				<div class="col-md-7 col-lg-5">
30 | 					<div class="login-wrap p-4 p-md-5">
31 | 		      	<div class="icon d-flex align-items-center justify-content-center">
32 | 		      		<span class="fa fa-user-o"></span>
33 | 		      	</div>
34 | 		      	<h3 class="text-center mb-4">Sign In</h3>
35 | 						<form id="form1" method="POST" action="/login" class="login-form">
36 | 		      		<div class="form-group">
37 | 		      			<input type="text" class="form-control rounded-left" id="userid" name="userid" placeholder="Username" id="userid" required>
38 | 		      		</div>
39 | 	            <div class="form-group d-flex">
40 | 	              <input type="password" class="form-control rounded-left" id="userpw" name="userpw" placeholder="Password" id="userpw" required>
41 | 	            </div>
42 | 	            <div class="form-group">
43 | 	            	<button type="submit" class="form-control btn btn-primary rounded submit px-3" id="submit-login">Login</button>
44 | 	            </div>
45 | 	            <div class="form-group d-md-flex">
46 | 	            	<div class="w-50">
47 | 								</div>
48 | 								<div class="w-50 text-md-right">
49 | 									<a href="/register">Register</a>
50 | 								</div>
51 | 	            </div>
52 | 	          </form>
53 | 	        </div>
54 | 				</div>
55 | 			</div>
56 | 		</div>
57 | 	</section>
58 | 
59 | 	<script src="/static/js/jquery.min.js"></script>
60 |   <script src="/static/js/popper.js"></script>
61 |   <script src="/static/js/bootstrap.min.js"></script>
62 |   <script src="/static/js/main.js"></script>
63 | 
64 | 	</body>
65 | </html>


--------------------------------------------------------------------------------
/app/challenges/xss1/templates/register.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF REGISTER-XSS1</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		var msg = '{{ msg }}';
15 | 		if (msg != "false"){
16 | 			alert(msg);
17 | 		} 
18 | 	</script>
19 | 	</head>
20 | 	<body>
21 | 	<section class="ftco-section">
22 | 		<div class="container">
23 | 			<div class="row justify-content-center">
24 | 				<div class="col-md-6 text-center mb-5">
25 | 					<h2 class="heading-section">Mini CTF REGISTER-XSS1</h2>
26 | 				</div>
27 | 			</div>
28 | 			<div class="row justify-content-center">
29 | 				<div class="col-md-7 col-lg-5">
30 | 					<div class="login-wrap p-4 p-md-5">
31 | 		      	<div class="icon d-flex align-items-center justify-content-center">
32 | 		      		<span class="fa fa-user-o"></span>
33 | 		      	</div>
34 | 		      	<h3 class="text-center mb-4">Register</h3>
35 | 				<form id="form1" method="POST" action="/register" enctype="multipart/form-data" class="login-form">
36 | 		      		<div class="form-group">
37 | 		      			<input type="text" class="form-control rounded-left" id="userid" name="userid" placeholder="Username" required>
38 | 		      		</div>
39 | 	            <div class="form-group d-flex">
40 | 	              <input type="password" class="form-control rounded-left" id="userpw" name="userpw" placeholder="Password" required>
41 | 	            </div>
42 | 	            <div class="form-group">
43 | 	            	<button type="submit" class="form-control btn btn-primary rounded submit px-3">Register</button>
44 | 	            </div>
45 | 	          </form>
46 | 	        </div>
47 | 				</div>
48 | 			</div>
49 | 		</div>
50 | 	</section>
51 | 
52 | 	<script src="/static/js/jquery.min.js"></script>
53 |   <script src="/static/js/popper.js"></script>
54 |   <script src="/static/js/bootstrap.min.js"></script>
55 |   <script src="/static/js/main.js"></script>
56 | 
57 | 	</body>
58 | </html>


--------------------------------------------------------------------------------
/app/challenges/xss1/templates/view.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF BOARD-XSS1</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 |   </head>
14 | 	<body>
15 | 	<section class="ftco-section">
16 | 		
17 | 		<div class="container" style="max-width: 100%;">
18 | 			<div class="row justify-content-center">
19 | 				<div class="col-md-6 text-center mb-5" >
20 | 					<h2 class="heading-section">Mini CTF BOARD-XSS1</h2>
21 | 				</div>
22 | 			</div>
23 | 			
24 | 			 <div class="container" class="row justify-content-center">
25 |             <hr/>
26 |             <div class="col-md-6 text-center mb-5" style="max-width: 100%;">
27 |                 <div>
28 |                     <table class="table table-condensed">
29 |                         <thead>
30 |                             <tr align="left">
31 |                                 <th width="15%">제목</th>
32 |                                 <th width="85%">{{articles['subject']}}</th>
33 |                             </tr>
34 |                         </thead>
35 |                         <tbody>
36 |                             <tr align="left">
37 |                                 <td>글쓴이
38 |                                 </td>
39 |                                 <td>
40 |                                 {{articles['author']}}
41 |                                 </td>
42 |                             </tr>
43 |                             <tr>
44 |                                 <td colspan="2" style="text-align: left;">
45 |                                     <!-- xss here! -->
46 |                                     <p>{{articles['content']|safe}}</p>
47 |                        
48 |                                 </td>
49 |                             </tr>
50 |                         </tbody>
51 |                     </table>
52 | 
53 |                     <table class="table table-condensed">
54 |                         <thead>
55 |                             <tr>
56 |                                 <td>
57 |                                     <span style='float:right'>
58 |                                         <button type="button" id="list" class="btn btn-default" onclick="location.replace('/board');">목록</button>
59 |                                         <button type="button" id="write" class="btn btn-default" onclick="location.replace('/write');">글쓰기</button>
60 |                                     </span>
61 |                                 </td>
62 |                             </tr>
63 |                         </thead>
64 |                     </table>
65 | 								</div>
66 |             </div>
67 |             <hr/>
68 |           </div>
69 |         </div>    
70 | 		</div>
71 | 		
72 | 	</section>
73 | 
74 | 	<script src="/static/js/jquery.min.js"></script>
75 |   <script src="/static/js/popper.js"></script>
76 |   <script src="/static/js/bootstrap.min.js"></script>
77 |   <script src="/static/js/main.js"></script>
78 | 
79 | 	</body>
80 | </html>


--------------------------------------------------------------------------------
/app/challenges/xss1/templates/write.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF BOARD</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		function fn_cancel(){
15 | 			location.replace(`/board`);
16 | 		}
17 | 	</script>
18 | 	</head>
19 | 	<body>
20 | 	<section class="ftco-section">
21 | 		<div class="container" style="max-width: 100%;">
22 | 			<div class="row justify-content-center">
23 | 				<div class="col-md-6 text-center mb-5">
24 | 					<h2 class="heading-section">Mini CTF BOARD-XSS1</h2>
25 | 				</div>
26 | 			</div>
27 | 			<div class="row justify-content-center">
28 | 				<div class="container">
29 | 				 <form id="writeForm" name="writeForm" method="post" enctype="multipart/form-data">
30 | 				        <div>
31 | 				            <h2 class="text-center mb-4">글쓰기</h2>
32 | 				            <div>
33 | 				                <div class="mb-3">
34 | 				                  <label class="form-label">제목</label>
35 | 				                  <input class="form-control" type="text" id="subject" name="subject">
36 | 				                </div>
37 | 				                <div class="mb-3">
38 | 				                  <label class="form-label">작성자</label>
39 | 				                  <input class="form-control" type="text" id="author" name="author" value="{{loginid}}" readonly>
40 | 				                </div>
41 | 				                <div class="mb-3">
42 | 				                  <label class="form-label">내용</label>
43 | 				                  <textarea class="form-control" rows="10" cols="10" id="content" name="content"></textarea>
44 | 				                </div>
45 | 				                <div>
46 | 				                	<center>
47 | 				                    <input class="btn btn-success btn-lg" type="submit" value="글쓰기">
48 | 				              			<input class="btn btn-info btn-lg" onClick='fn_cancel()' value="목록">
49 | 				              		</center>
50 | 				                </div>
51 | 
52 | 				              
53 | 				            </div>
54 | 				        </div>
55 | 				    </form>
56 | </div>
57 | 			</div>
58 | 		</div>
59 | 	</section>
60 | 
61 | 	<script src="/static/js/jquery.min.js"></script>
62 |   <script src="/static/js/popper.js"></script>
63 |   <script src="/static/js/bootstrap.min.js"></script>
64 |   <script src="/static/js/main.js"></script>
65 | 
66 | 	</body>
67 | </html>


--------------------------------------------------------------------------------
/app/challenges/xss1/xss1.py:
--------------------------------------------------------------------------------
  1 | #-*-coding:utf-8-*-
  2 | import flask
  3 | import os, pymysql, re, hashlib, time, base64, io, requests
  4 | import logging, traceback
  5 | logging.basicConfig(level=logging.INFO)
  6 | logging.getLogger('werkzeug').setLevel(level=logging.WARNING)
  7 | 
  8 | app = flask.Flask(__name__)
  9 | app.secret_key = os.urandom(16)
 10 | app.config['MAX_CONTENT_LENGTH'] = 80 * 1024 * 1024
 11 | 
 12 | ids = {
 13 |     "admin":os.getenv("admin_password")
 14 | }
 15 | 
 16 | articles = []
 17 | 
 18 | def sessionCheck(loginCheck=False):   
 19 |     if loginCheck:
 20 |         if "isLogin" not in flask.session:
 21 |             return False
 22 |         else:
 23 |             return True
 24 | 
 25 |     if "isLogin" in flask.session:
 26 |         return True
 27 |     
 28 |     return False
 29 | 
 30 | 
 31 | @app.route("/")
 32 | def index():
 33 |     if sessionCheck(loginCheck=True):
 34 |         return flask.redirect(flask.url_for("board"))
 35 | 
 36 |     return flask.redirect(flask.url_for("login"))
 37 | 
 38 | 
 39 | 
 40 | @app.route("/login", methods=["GET","POST"])
 41 | def login():
 42 |     if flask.request.method == "GET":
 43 |         if sessionCheck(loginCheck=True):
 44 |             return flask.redirect(flask.url_for("board"))
 45 |         
 46 |         return flask.render_template("login.html", msg="false")
 47 |     else:
 48 |         if sessionCheck():
 49 |             return flask.redirect(flask.url_for("board"))
 50 |         
 51 |         userid = flask.request.form["userid"]
 52 |         userpw = flask.request.form["userpw"]
 53 |         
 54 |         if userid in ids:
 55 |             if ids[userid] == userpw:
 56 |                 flask.session["userid"] = userid
 57 |                 flask.session["isLogin"] = True
 58 |                     
 59 |                 resp = flask.make_response(flask.redirect(flask.url_for("board")))
 60 |                 resp.set_cookie('userid', flask.session["userid"])
 61 |                 if userid == "admin":
 62 |                     resp.set_cookie('flag', os.getenv("xss1_flag"))
 63 |                 return resp
 64 |             else:
 65 |                 return flask.render_template("login.html", msg="login fail")
 66 |         else:
 67 |             return flask.render_template("login.html", msg="login fail")
 68 | 
 69 | 
 70 | @app.route("/register", methods=["GET","POST"])
 71 | def register():
 72 |     if flask.request.method == "GET":
 73 |         if sessionCheck(loginCheck=True):
 74 |             return flask.redirect(flask.url_for("board"))
 75 |         
 76 |         return flask.render_template("register.html", msg="false")
 77 |     else:
 78 |         if sessionCheck():
 79 |             return flask.redirect(flask.url_for("board"))
 80 | 
 81 |         userid = flask.request.form["userid"] 
 82 |         userpw = flask.request.form["userpw"]
 83 |         
 84 |         if userid not in ids:
 85 |             ids[userid] = userpw
 86 |             return flask.render_template("login.html", msg="false")
 87 |         else:
 88 |             return flask.render_template("register.html", msg="already registered id")
 89 | 
 90 | @app.route("/logout")
 91 | def logout():
 92 |     flask.session.pop('isLogin', False)
 93 |     resp = flask.make_response(flask.redirect(flask.url_for("login")))
 94 |     resp.set_cookie('userid', expires=0)
 95 |     return resp
 96 | 
 97 | @app.route("/board", methods=["GET"])
 98 | def board():
 99 |     if not sessionCheck(loginCheck=True):
100 |         return flask.redirect(flask.url_for("login"))
101 |     results = []
102 |     for i in articles:
103 |         if i["author"] == flask.session["userid"] or flask.session["userid"] == "admin":
104 |             results.append(i)
105 |     return flask.render_template("board.html", articles=results)
106 | 
107 | 
108 | @app.route("/board/<seq>")
109 | def viewboard(seq):
110 |     if not sessionCheck(loginCheck=True):
111 |         return flask.redirect(flask.url_for("login"))
112 | 
113 |     article = articles[int(seq)]
114 |     if article["author"] == flask.session["userid"] or flask.session["userid"] == "admin":
115 |         return flask.render_template("view.html", articles=article)
116 |     else:
117 |         return "<script>alert('This is not your article');location.replace('/');</script>"
118 | 
119 | 
120 | @app.route("/write", methods=["GET", "POST"])
121 | def write():
122 |     if not sessionCheck(loginCheck=True):
123 |         return flask.redirect(flask.url_for("login"))
124 | 
125 |     if flask.request.method == "GET":
126 |         return flask.render_template("write.html", loginid=flask.session["userid"])
127 | 
128 |     elif flask.request.method == "POST":
129 |         subject = flask.request.form["subject"]
130 |         author = flask.request.form["author"]
131 |         content = flask.request.form["content"]
132 |         
133 |         req = {
134 |             'seq':len(articles),
135 |             'subject':subject,
136 |             'author':flask.session['userid'],
137 |             'content':content,
138 |         }
139 | 
140 |         articles.append(req)
141 | 
142 |         return flask.redirect(flask.url_for("board"))
143 | 
144 | 
145 | @app.route("/report", methods=["GET", "POST"])
146 | def report():
147 |     if flask.request.method == "GET":
148 |         return '''
149 |         <form method="POST" action="/report">
150 |             <input type="text" name="url" placeholder="input url..." style="width:25%; height: 7%;">
151 |             <input type="submit" value="submit">
152 |         </form>
153 |         '''
154 |     elif flask.request.method == "POST":
155 |         url = flask.request.form['url']
156 |         requests.post(f"http://arang_client:9000/run", data=f"chal=xss1&url={url}", headers={"Content-Type":"application/x-www-form-urlencoded", "Content-Length":"1"})
157 |         return "<script>history.go(-1);</script>"
158 | 
159 | 
160 | if __name__ == "__main__":
161 |     try:
162 |         app.run(host="0.0.0.0", port=9001, debug=True)
163 |     except Exception as ex:
164 |         logging.info(str(ex))
165 |         pass
166 | 


--------------------------------------------------------------------------------
/app/challenges/xss2/static/js/main.js:
--------------------------------------------------------------------------------
1 | (function($) {
2 | 
3 | 	"use strict";
4 | 
5 | 
6 | })(jQuery);
7 | 


--------------------------------------------------------------------------------
/app/challenges/xss2/templates/board.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF BOARD-XSS2</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		function fn_view(seq){
15 | 			location.replace(`/board/${seq}`);
16 | 		}
17 | 	</script>
18 | 	</head>
19 | 	<body>
20 | 	<section class="ftco-section">
21 | 		<div class="container" style="max-width: 100%;">
22 | 			<div class="row justify-content-center">
23 | 				<div class="col-md-6 text-center mb-5">
24 | 					<h2 class="heading-section">Mini CTF BOARD-XSS2</h2>
25 | 				</div>
26 | 			</div>
27 | 			<div class="row justify-content-center">
28 | 				<div class="container">
29 |     <form id="boardForm" name="boardForm" method="post">
30 |         <table class="table table-striped table-hover">
31 |             <thead>
32 |                 <tr>
33 |                     <th>번호</th>
34 |                     <th>제목</th>
35 |                     <th>작성자</th>
36 |                 </tr>
37 |             </thead>
38 |             <tbody>
39 |                 {% for i in articles %}
40 |                     <tr>
41 |                         <td>{{i['seq']}}</td>
42 |                         <td><a href='#' onClick='fn_view({{i["seq"]}})' id="article-{{i['seq']}}">{{i['subject']}}</a></td>
43 |                         <td>{{i['author']}}</td>
44 |                     </tr>
45 |                 {% endfor %}
46 |             </tbody>
47 |         </table>
48 |         <center>
49 |         <div>            
50 |             <a href='#' onClick='location.replace("/write");' class="btn btn-success">글쓰기</a>            
51 |             <a href='#' onClick='location.replace("/report")' class="btn btn-warning">관리자에게 글 읽기 요청</a>    
52 |             <a href='#' onClick='location.replace("/logout")' class="btn btn-info">로그아웃</a>            
53 |         </div>
54 |     	</center>
55 |     </form>
56 | </div>
57 | 			</div>
58 | 		</div>
59 | 	</section>
60 | 
61 | 	<script src="/static/js/jquery.min.js"></script>
62 |   <script src="/static/js/popper.js"></script>
63 |   <script src="/static/js/bootstrap.min.js"></script>
64 |   <script src="/static/js/main.js"></script>
65 | 
66 | 	</body>
67 | </html>


--------------------------------------------------------------------------------
/app/challenges/xss2/templates/login.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF LOGIN-XSS2</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		var msg = '{{ msg }}';
15 | 		if (msg != "false"){
16 | 			alert(msg);
17 | 		} 
18 | 	</script>
19 | 	</head>
20 | 	<body>
21 | 	<section class="ftco-section">
22 | 		<div class="container">
23 | 			<div class="row justify-content-center">
24 | 				<div class="col-md-6 text-center mb-5">
25 | 					<h2 class="heading-section">LOGIN-XSS2</h2>
26 | 				</div>
27 | 			</div>
28 | 			<div class="row justify-content-center">
29 | 				<div class="col-md-7 col-lg-5">
30 | 					<div class="login-wrap p-4 p-md-5">
31 | 		      	<div class="icon d-flex align-items-center justify-content-center">
32 | 		      		<span class="fa fa-user-o"></span>
33 | 		      	</div>
34 | 		      	<h3 class="text-center mb-4">Sign In</h3>
35 | 						<form id="form1" method="POST" action="/login" class="login-form">
36 | 		      		<div class="form-group">
37 | 		      			<input type="text" class="form-control rounded-left" id="userid" name="userid" placeholder="Username" id="userid" required>
38 | 		      		</div>
39 | 	            <div class="form-group d-flex">
40 | 	              <input type="password" class="form-control rounded-left" id="userpw" name="userpw" placeholder="Password" id="userpw" required>
41 | 	            </div>
42 | 	            <div class="form-group">
43 | 	            	<button type="submit" class="form-control btn btn-primary rounded submit px-3" id="submit-login">Login</button>
44 | 	            </div>
45 | 	            <div class="form-group d-md-flex">
46 | 	            	<div class="w-50">
47 | 								</div>
48 | 								<div class="w-50 text-md-right">
49 | 									<a href="/register">Register</a>
50 | 								</div>
51 | 	            </div>
52 | 	          </form>
53 | 	        </div>
54 | 				</div>
55 | 			</div>
56 | 		</div>
57 | 	</section>
58 | 
59 | 	<script src="/static/js/jquery.min.js"></script>
60 |   <script src="/static/js/popper.js"></script>
61 |   <script src="/static/js/bootstrap.min.js"></script>
62 |   <script src="/static/js/main.js"></script>
63 | 
64 | 	</body>
65 | </html>


--------------------------------------------------------------------------------
/app/challenges/xss2/templates/register.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF REGISTER-XSS2</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		var msg = '{{ msg }}';
15 | 		if (msg != "false"){
16 | 			alert(msg);
17 | 		} 
18 | 	</script>
19 | 	</head>
20 | 	<body>
21 | 	<section class="ftco-section">
22 | 		<div class="container">
23 | 			<div class="row justify-content-center">
24 | 				<div class="col-md-6 text-center mb-5">
25 | 					<h2 class="heading-section">Mini CTF REGISTER-XSS2</h2>
26 | 				</div>
27 | 			</div>
28 | 			<div class="row justify-content-center">
29 | 				<div class="col-md-7 col-lg-5">
30 | 					<div class="login-wrap p-4 p-md-5">
31 | 		      	<div class="icon d-flex align-items-center justify-content-center">
32 | 		      		<span class="fa fa-user-o"></span>
33 | 		      	</div>
34 | 		      	<h3 class="text-center mb-4">Register</h3>
35 | 				<form id="form1" method="POST" action="/register" enctype="multipart/form-data" class="login-form">
36 | 		      		<div class="form-group">
37 | 		      			<input type="text" class="form-control rounded-left" id="userid" name="userid" placeholder="Username" required>
38 | 		      		</div>
39 | 	            <div class="form-group d-flex">
40 | 	              <input type="password" class="form-control rounded-left" id="userpw" name="userpw" placeholder="Password" required>
41 | 	            </div>
42 | 	            <div class="form-group">
43 | 	            	<button type="submit" class="form-control btn btn-primary rounded submit px-3">Register</button>
44 | 	            </div>
45 | 	          </form>
46 | 	        </div>
47 | 				</div>
48 | 			</div>
49 | 		</div>
50 | 	</section>
51 | 
52 | 	<script src="/static/js/jquery.min.js"></script>
53 |   <script src="/static/js/popper.js"></script>
54 |   <script src="/static/js/bootstrap.min.js"></script>
55 |   <script src="/static/js/main.js"></script>
56 | 
57 | 	</body>
58 | </html>


--------------------------------------------------------------------------------
/app/challenges/xss2/templates/view.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF BOARD-XSS2</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 |   </head>
14 | 	<body>
15 | 	<section class="ftco-section">
16 | 		
17 | 		<div class="container" style="max-width: 100%;">
18 | 			<div class="row justify-content-center">
19 | 				<div class="col-md-6 text-center mb-5" >
20 | 					<h2 class="heading-section">Mini CTF BOARD-XSS2</h2>
21 | 				</div>
22 | 			</div>
23 | 			
24 | 			 <div class="container" class="row justify-content-center">
25 |             <hr/>
26 |             <div class="col-md-6 text-center mb-5" style="max-width: 100%;">
27 |                 <div>
28 |                     <table class="table table-condensed">
29 |                         <thead>
30 |                             <tr align="left">
31 |                                 <th width="15%">제목</th>
32 |                                 <th width="85%">{{articles['subject']}}</th>
33 |                             </tr>
34 |                         </thead>
35 |                         <tbody>
36 |                             <tr align="left">
37 |                                 <td>글쓴이
38 |                                 </td>
39 |                                 <td>
40 |                                 {{articles['author']}}
41 |                                 </td>
42 |                             </tr>
43 |                             <tr>
44 |                                 <td colspan="2" style="text-align: left;">
45 |                                     <!-- xss here! -->
46 |                                     <p>{{articles['content']|safe}}</p>
47 |                        
48 |                                 </td>
49 |                             </tr>
50 |                         </tbody>
51 |                     </table>
52 | 
53 |                     <table class="table table-condensed">
54 |                         <thead>
55 |                             <tr>
56 |                                 <td>
57 |                                     <span style='float:right'>
58 |                                         <button type="button" id="list" class="btn btn-default" onclick="location.replace('/board');">목록</button>
59 |                                         <button type="button" id="write" class="btn btn-default" onclick="location.replace('/write');">글쓰기</button>
60 |                                     </span>
61 |                                 </td>
62 |                             </tr>
63 |                         </thead>
64 |                     </table>
65 | 								</div>
66 |             </div>
67 |             <hr/>
68 |           </div>
69 |         </div>    
70 | 		</div>
71 | 		
72 | 	</section>
73 | 
74 | 	<script src="/static/js/jquery.min.js"></script>
75 |   <script src="/static/js/popper.js"></script>
76 |   <script src="/static/js/bootstrap.min.js"></script>
77 |   <script src="/static/js/main.js"></script>
78 | 
79 | 	</body>
80 | </html>


--------------------------------------------------------------------------------
/app/challenges/xss2/templates/write.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF BOARD-XSS2</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		function fn_cancel(){
15 | 			location.replace(`/board`);
16 | 		}
17 | 	</script>
18 | 	</head>
19 | 	<body>
20 | 	<section class="ftco-section">
21 | 		<div class="container" style="max-width: 100%;">
22 | 			<div class="row justify-content-center">
23 | 				<div class="col-md-6 text-center mb-5">
24 | 					<h2 class="heading-section">Mini CTF BOARD-XSS2</h2>
25 | 				</div>
26 | 			</div>
27 | 			<div class="row justify-content-center">
28 | 				<div class="container">
29 | 				 <form id="writeForm" name="writeForm" method="post" enctype="multipart/form-data">
30 | 				        <div>
31 | 				            <h2 class="text-center mb-4">글쓰기</h2>
32 | 				            <div>
33 | 				                <div class="mb-3">
34 | 				                  <label class="form-label">제목</label>
35 | 				                  <input class="form-control" type="text" id="subject" name="subject">
36 | 				                </div>
37 | 				                <div class="mb-3">
38 | 				                  <label class="form-label">작성자</label>
39 | 				                  <input class="form-control" type="text" id="author" name="author" value="{{loginid}}" readonly>
40 | 				                </div>
41 | 				                <div class="mb-3">
42 | 				                  <label class="form-label">내용</label>
43 | 				                  <textarea class="form-control" rows="10" cols="10" id="content" name="content"></textarea>
44 | 				                </div>
45 | 				                <div>
46 | 				                	<center>
47 | 				                    <input class="btn btn-success btn-lg" type="submit" value="글쓰기">
48 | 				              			<input class="btn btn-info btn-lg" onClick='fn_cancel()' value="목록">
49 | 				              		</center>
50 | 				                </div>
51 | 
52 | 				              
53 | 				            </div>
54 | 				        </div>
55 | 				    </form>
56 | </div>
57 | 			</div>
58 | 		</div>
59 | 	</section>
60 | 
61 | 	<script src="/static/js/jquery.min.js"></script>
62 |   <script src="/static/js/popper.js"></script>
63 |   <script src="/static/js/bootstrap.min.js"></script>
64 |   <script src="/static/js/main.js"></script>
65 | 
66 | 	</body>
67 | </html>


--------------------------------------------------------------------------------
/app/challenges/xss2/xss2.py:
--------------------------------------------------------------------------------
  1 | #-*-coding:utf-8-*-
  2 | import flask
  3 | import os, pymysql, re, hashlib, time, base64, io, requests
  4 | import logging, traceback
  5 | logging.basicConfig(level=logging.INFO)
  6 | logging.getLogger('werkzeug').setLevel(level=logging.WARNING)
  7 | 
  8 | app = flask.Flask(__name__)
  9 | app.secret_key = os.urandom(16)
 10 | app.config['MAX_CONTENT_LENGTH'] = 80 * 1024 * 1024
 11 | 
 12 | ids = {
 13 |     "admin":os.getenv("admin_password")
 14 | }
 15 | 
 16 | articles = []
 17 | 
 18 | def sessionCheck(loginCheck=False):   
 19 |     if loginCheck:
 20 |         if "isLogin" not in flask.session:
 21 |             return False
 22 |         else:
 23 |             return True
 24 | 
 25 |     if "isLogin" in flask.session:
 26 |         return True
 27 |     
 28 |     return False
 29 | 
 30 | 
 31 | def xsscheck(content):
 32 |     content = content.lower()
 33 |     vulns = ["javascript", "script", "on", "data", "base", "(", ")", "'"]
 34 |     vulns += [chr(x) for x in range(0x20)]
 35 |     for char in vulns:
 36 |         if char in content:
 37 |             return True
 38 | 
 39 |     return False
 40 | 
 41 | 
 42 | @app.route("/")
 43 | def index():
 44 |     if sessionCheck(loginCheck=True):
 45 |         return flask.redirect(flask.url_for("board"))
 46 | 
 47 |     return flask.redirect(flask.url_for("login"))
 48 | 
 49 | 
 50 | 
 51 | @app.route("/login", methods=["GET","POST"])
 52 | def login():
 53 |     if flask.request.method == "GET":
 54 |         if sessionCheck(loginCheck=True):
 55 |             return flask.redirect(flask.url_for("board"))
 56 |         
 57 |         return flask.render_template("login.html", msg="false")
 58 |     else:
 59 |         if sessionCheck():
 60 |             return flask.redirect(flask.url_for("board"))
 61 |         
 62 |         userid = flask.request.form["userid"]
 63 |         userpw = flask.request.form["userpw"]
 64 |         
 65 |         if userid in ids:
 66 |             if ids[userid] == userpw:
 67 |                 flask.session["userid"] = userid
 68 |                 flask.session["isLogin"] = True
 69 |                     
 70 |                 resp = flask.make_response(flask.redirect(flask.url_for("board")))
 71 |                 resp.set_cookie('userid', flask.session["userid"])
 72 |                 if userid == "admin":
 73 |                     resp.set_cookie('flag', os.getenv("xss2_flag"))
 74 |                 return resp
 75 |             else:
 76 |                 return flask.render_template("login.html", msg="login fail")
 77 |         else:
 78 |             return flask.render_template("login.html", msg="login fail")
 79 | 
 80 | 
 81 | @app.route("/register", methods=["GET","POST"])
 82 | def register():
 83 |     if flask.request.method == "GET":
 84 |         if sessionCheck(loginCheck=True):
 85 |             return flask.redirect(flask.url_for("board"))
 86 |         
 87 |         return flask.render_template("register.html", msg="false")
 88 |     else:
 89 |         if sessionCheck():
 90 |             return flask.redirect(flask.url_for("board"))
 91 | 
 92 |         userid = flask.request.form["userid"] 
 93 |         userpw = flask.request.form["userpw"]
 94 |         
 95 |         if userid not in ids:
 96 |             ids[userid] = userpw
 97 |             return flask.render_template("login.html", msg="false")
 98 |         else:
 99 |             return flask.render_template("register.html", msg="already registered id")
100 | 
101 | @app.route("/logout")
102 | def logout():
103 |     flask.session.pop('isLogin', False)
104 |     resp = flask.make_response(flask.redirect(flask.url_for("login")))
105 |     resp.set_cookie('userid', expires=0)
106 |     return resp
107 | 
108 | 
109 | @app.route("/board", methods=["GET"])
110 | def board():
111 |     if not sessionCheck(loginCheck=True):
112 |         return flask.redirect(flask.url_for("login"))
113 |     results = []
114 |     for i in articles:
115 |         if i["author"] == flask.session["userid"] or flask.session["userid"] == "admin":
116 |             results.append(i)
117 |     return flask.render_template("board.html", articles=results)
118 | 
119 | 
120 | @app.route("/board/<seq>")
121 | def viewboard(seq):
122 |     if not sessionCheck(loginCheck=True):
123 |         return flask.redirect(flask.url_for("login"))
124 | 
125 |     article = articles[int(seq)]
126 |     if article["author"] == flask.session["userid"] or flask.session["userid"] == "admin":
127 |         return flask.render_template("view.html", articles=article)
128 |     else:
129 |         return "<script>alert('This is not your article');location.replace('/');</script>"
130 | 
131 | @app.route("/write", methods=["GET", "POST"])
132 | def write():
133 |     if not sessionCheck(loginCheck=True):
134 |         return flask.redirect(flask.url_for("login"))
135 | 
136 |     if flask.request.method == "GET":
137 |         return flask.render_template("write.html", loginid=flask.session["userid"])
138 | 
139 |     elif flask.request.method == "POST":
140 |         subject = flask.request.form["subject"]
141 |         author = flask.request.form["author"]
142 |         content = flask.request.form["content"]
143 |         
144 |         if not xsscheck(content):
145 |             req = {
146 |                 'seq':len(articles),
147 |                 'subject':subject,
148 |                 'author':flask.session['userid'],
149 |                 'content':content,
150 |             }
151 | 
152 |             articles.append(req)
153 | 
154 |             return flask.redirect(flask.url_for("board"))
155 |         else:
156 |             return '<script>alert("no hack");history.go(-1);</script>'
157 | 
158 | 
159 | @app.route("/report", methods=["GET", "POST"])
160 | def report():
161 |     if flask.request.method == "GET":
162 |         return '''
163 |         <form method="POST" action="/report">
164 |             <input type="text" name="url" placeholder="input url..." style="width:25%; height: 7%;">
165 |             <input type="submit" value="submit">
166 |         </form>
167 |         '''
168 |     elif flask.request.method == "POST":
169 |         url = flask.request.form['url']
170 |         requests.post(f"http://arang_client:9000/run", data=f"chal=xss2&url={url}", headers={"Content-Type":"application/x-www-form-urlencoded", "Content-Length":"1"})
171 |         return "<script>history.go(-1);</script>"
172 | 
173 | 
174 | if __name__ == "__main__":
175 |     try:
176 |         app.run(host="0.0.0.0", port=9002, debug=True)
177 |     except Exception as ex:
178 |         logging.info(str(ex))
179 |         pass
180 | 


--------------------------------------------------------------------------------
/app/challenges/xss3/static/js/main.js:
--------------------------------------------------------------------------------
1 | (function($) {
2 | 
3 | 	"use strict";
4 | 
5 | 
6 | })(jQuery);
7 | 


--------------------------------------------------------------------------------
/app/challenges/xss3/templates/board.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF BOARD-XSS3</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		function fn_view(seq){
15 | 			location.replace(`/board/${seq}`);
16 | 		}
17 | 	</script>
18 | 	</head>
19 | 	<body>
20 | 	<section class="ftco-section">
21 | 		<div class="container" style="max-width: 100%;">
22 | 			<div class="row justify-content-center">
23 | 				<div class="col-md-6 text-center mb-5">
24 | 					<h2 class="heading-section">Mini CTF BOARD-XSS3</h2>
25 | 				</div>
26 | 			</div>
27 | 			<div class="row justify-content-center">
28 | 				<div class="container">
29 |     <form id="boardForm" name="boardForm" method="post">
30 |         <table class="table table-striped table-hover">
31 |             <thead>
32 |                 <tr>
33 |                     <th>번호</th>
34 |                     <th>제목</th>
35 |                     <th>작성자</th>
36 |                 </tr>
37 |             </thead>
38 |             <tbody>
39 |                 {% for i in articles %}
40 |                     <tr>
41 |                         <td>{{i['seq']}}</td>
42 |                         <td><a href='#' onClick='fn_view({{i["seq"]}})' id="article-{{i['seq']}}">{{i['subject']}}</a></td>
43 |                         <td>{{i['author']}}</td>
44 |                     </tr>
45 |                 {% endfor %}
46 |             </tbody>
47 |         </table>
48 |         <center>
49 |         <div>            
50 |             <a href='#' onClick='location.replace("/write");' class="btn btn-success">글쓰기</a>            
51 |             <a href='#' onClick='location.replace("/report")' class="btn btn-warning">관리자에게 글 읽기 요청</a>    
52 |             <a href='#' onClick='location.replace("/logout")' class="btn btn-info">로그아웃</a>            
53 |         </div>
54 |     	</center>
55 |     </form>
56 | </div>
57 | 			</div>
58 | 		</div>
59 | 	</section>
60 | 
61 | 	<script src="/static/js/jquery.min.js"></script>
62 |   <script src="/static/js/popper.js"></script>
63 |   <script src="/static/js/bootstrap.min.js"></script>
64 |   <script src="/static/js/main.js"></script>
65 | 
66 | 	</body>
67 | </html>


--------------------------------------------------------------------------------
/app/challenges/xss3/templates/login.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF LOGIN-XSS3</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		var msg = '{{ msg }}';
15 | 		if (msg != "false"){
16 | 			alert(msg);
17 | 		} 
18 | 	</script>
19 | 	</head>
20 | 	<body>
21 | 	<section class="ftco-section">
22 | 		<div class="container">
23 | 			<div class="row justify-content-center">
24 | 				<div class="col-md-6 text-center mb-5">
25 | 					<h2 class="heading-section">LOGIN-XSS3</h2>
26 | 				</div>
27 | 			</div>
28 | 			<div class="row justify-content-center">
29 | 				<div class="col-md-7 col-lg-5">
30 | 					<div class="login-wrap p-4 p-md-5">
31 | 		      	<div class="icon d-flex align-items-center justify-content-center">
32 | 		      		<span class="fa fa-user-o"></span>
33 | 		      	</div>
34 | 		      	<h3 class="text-center mb-4">Sign In</h3>
35 | 						<form id="form1" method="POST" action="/login" class="login-form">
36 | 		      		<div class="form-group">
37 | 		      			<input type="text" class="form-control rounded-left" id="userid" name="userid" placeholder="Username" id="userid" required>
38 | 		      		</div>
39 | 	            <div class="form-group d-flex">
40 | 	              <input type="password" class="form-control rounded-left" id="userpw" name="userpw" placeholder="Password" id="userpw" required>
41 | 	            </div>
42 | 	            <div class="form-group">
43 | 	            	<button type="submit" class="form-control btn btn-primary rounded submit px-3" id="submit-login">Login</button>
44 | 	            </div>
45 | 	            <div class="form-group d-md-flex">
46 | 	            	<div class="w-50">
47 | 								</div>
48 | 								<div class="w-50 text-md-right">
49 | 									<a href="/register">Register</a>
50 | 								</div>
51 | 	            </div>
52 | 	          </form>
53 | 	        </div>
54 | 				</div>
55 | 			</div>
56 | 		</div>
57 | 	</section>
58 | 
59 | 	<script src="/static/js/jquery.min.js"></script>
60 |   <script src="/static/js/popper.js"></script>
61 |   <script src="/static/js/bootstrap.min.js"></script>
62 |   <script src="/static/js/main.js"></script>
63 | 
64 | 	</body>
65 | </html>


--------------------------------------------------------------------------------
/app/challenges/xss3/templates/register.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF REGISTER-XSS3</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		var msg = '{{ msg }}';
15 | 		if (msg != "false"){
16 | 			alert(msg);
17 | 		} 
18 | 	</script>
19 | 	</head>
20 | 	<body>
21 | 	<section class="ftco-section">
22 | 		<div class="container">
23 | 			<div class="row justify-content-center">
24 | 				<div class="col-md-6 text-center mb-5">
25 | 					<h2 class="heading-section">Mini CTF REGISTER-XSS3</h2>
26 | 				</div>
27 | 			</div>
28 | 			<div class="row justify-content-center">
29 | 				<div class="col-md-7 col-lg-5">
30 | 					<div class="login-wrap p-4 p-md-5">
31 | 		      	<div class="icon d-flex align-items-center justify-content-center">
32 | 		      		<span class="fa fa-user-o"></span>
33 | 		      	</div>
34 | 		      	<h3 class="text-center mb-4">Register</h3>
35 | 				<form id="form1" method="POST" action="/register" enctype="multipart/form-data" class="login-form">
36 | 		      		<div class="form-group">
37 | 		      			<input type="text" class="form-control rounded-left" id="userid" name="userid" placeholder="Username" required>
38 | 		      		</div>
39 | 	            <div class="form-group d-flex">
40 | 	              <input type="password" class="form-control rounded-left" id="userpw" name="userpw" placeholder="Password" required>
41 | 	            </div>
42 | 	            <div class="form-group">
43 | 	            	<button type="submit" class="form-control btn btn-primary rounded submit px-3">Register</button>
44 | 	            </div>
45 | 	          </form>
46 | 	        </div>
47 | 				</div>
48 | 			</div>
49 | 		</div>
50 | 	</section>
51 | 
52 | 	<script src="/static/js/jquery.min.js"></script>
53 |   <script src="/static/js/popper.js"></script>
54 |   <script src="/static/js/bootstrap.min.js"></script>
55 |   <script src="/static/js/main.js"></script>
56 | 
57 | 	</body>
58 | </html>


--------------------------------------------------------------------------------
/app/challenges/xss3/templates/view.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF BOARD-XSS3</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 |   </head>
14 | 	<body>
15 | 	<section class="ftco-section">
16 | 		
17 | 		<div class="container" style="max-width: 100%;">
18 | 			<div class="row justify-content-center">
19 | 				<div class="col-md-6 text-center mb-5" >
20 | 					<h2 class="heading-section">Mini CTF BOARD-XSS3</h2>
21 | 				</div>
22 | 			</div>
23 | 			
24 | 			 <div class="container" class="row justify-content-center">
25 |             <hr/>
26 |             <div class="col-md-6 text-center mb-5" style="max-width: 100%;">
27 |                 <div>
28 |                     <table class="table table-condensed">
29 |                         <thead>
30 |                             <tr align="left">
31 |                                 <th width="15%">제목</th>
32 |                                 <th width="85%">{{articles['subject']}}</th>
33 |                             </tr>
34 |                         </thead>
35 |                         <tbody>
36 |                             <tr align="left">
37 |                                 <td>글쓴이
38 |                                 </td>
39 |                                 <td>
40 |                                 {{articles['author']}}
41 |                                 </td>
42 |                             </tr>
43 |                             <tr>
44 |                                 <td colspan="2" style="text-align: left;">
45 |                                     <!-- xss here! -->
46 |                                     <p>{{articles['content']|safe}}</p>
47 |                        
48 |                                 </td>
49 |                             </tr>
50 |                         </tbody>
51 |                     </table>
52 | 
53 |                     <table class="table table-condensed">
54 |                         <thead>
55 |                             <tr>
56 |                                 <td>
57 |                                     <span style='float:right'>
58 |                                         <button type="button" id="list" class="btn btn-default" onclick="location.replace('/board');">목록</button>
59 |                                         <button type="button" id="write" class="btn btn-default" onclick="location.replace('/write');">글쓰기</button>
60 |                                     </span>
61 |                                 </td>
62 |                             </tr>
63 |                         </thead>
64 |                     </table>
65 | 								</div>
66 |             </div>
67 |             <hr/>
68 |           </div>
69 |         </div>    
70 | 		</div>
71 | 		
72 | 	</section>
73 | 
74 | 	<script src="/static/js/jquery.min.js"></script>
75 |   <script src="/static/js/popper.js"></script>
76 |   <script src="/static/js/bootstrap.min.js"></script>
77 |   <script src="/static/js/main.js"></script>
78 | 
79 | 	</body>
80 | </html>


--------------------------------------------------------------------------------
/app/challenges/xss3/templates/write.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF BOARD-XSS3</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		function fn_cancel(){
15 | 			location.replace(`/board`);
16 | 		}
17 | 	</script>
18 | 	</head>
19 | 	<body>
20 | 	<section class="ftco-section">
21 | 		<div class="container" style="max-width: 100%;">
22 | 			<div class="row justify-content-center">
23 | 				<div class="col-md-6 text-center mb-5">
24 | 					<h2 class="heading-section">Mini CTF BOARD-XSS3</h2>
25 | 				</div>
26 | 			</div>
27 | 			<div class="row justify-content-center">
28 | 				<div class="container">
29 | 				 <form id="writeForm" name="writeForm" method="post" enctype="multipart/form-data">
30 | 				        <div>
31 | 				            <h2 class="text-center mb-4">글쓰기</h2>
32 | 				            <div>
33 | 				                <div class="mb-3">
34 | 				                  <label class="form-label">제목</label>
35 | 				                  <input class="form-control" type="text" id="subject" name="subject">
36 | 				                </div>
37 | 				                <div class="mb-3">
38 | 				                  <label class="form-label">작성자</label>
39 | 				                  <input class="form-control" type="text" id="author" name="author" value="{{loginid}}" readonly>
40 | 				                </div>
41 | 				                <div class="mb-3">
42 | 				                  <label class="form-label">내용</label>
43 | 				                  <textarea class="form-control" rows="10" cols="10" id="content" name="content"></textarea>
44 | 				                </div>
45 | 				                <div>
46 | 				                	<center>
47 | 				                    <input class="btn btn-success btn-lg" type="submit" value="글쓰기">
48 | 				              			<input class="btn btn-info btn-lg" onClick='fn_cancel()' value="목록">
49 | 				              		</center>
50 | 				                </div>
51 | 
52 | 				              
53 | 				            </div>
54 | 				        </div>
55 | 				    </form>
56 | </div>
57 | 			</div>
58 | 		</div>
59 | 	</section>
60 | 
61 | 	<script src="/static/js/jquery.min.js"></script>
62 |   <script src="/static/js/popper.js"></script>
63 |   <script src="/static/js/bootstrap.min.js"></script>
64 |   <script src="/static/js/main.js"></script>
65 | 
66 | 	</body>
67 | </html>


--------------------------------------------------------------------------------
/app/challenges/xss3/xss3.py:
--------------------------------------------------------------------------------
  1 | #-*-coding:utf-8-*-
  2 | import flask
  3 | import os, pymysql, re, hashlib, time, base64, io, requests
  4 | import logging, traceback
  5 | logging.basicConfig(level=logging.INFO)
  6 | logging.getLogger('werkzeug').setLevel(level=logging.WARNING)
  7 | 
  8 | app = flask.Flask(__name__)
  9 | app.secret_key = os.urandom(16)
 10 | app.config['MAX_CONTENT_LENGTH'] = 80 * 1024 * 1024
 11 | 
 12 | ids = {
 13 |     "admin":os.getenv("admin_password")
 14 | }
 15 | 
 16 | articles = [{
 17 |     "seq":0,
 18 |     "subject":"flag is here!",
 19 |     "author":"admin",
 20 |     "content": os.getenv("xss3_flag")
 21 | }]
 22 | 
 23 | def sessionCheck(loginCheck=False):   
 24 |     if loginCheck:
 25 |         if "isLogin" not in flask.session:
 26 |             return False
 27 |         else:
 28 |             return True
 29 | 
 30 |     if "isLogin" in flask.session:
 31 |         return True
 32 |     
 33 |     return False
 34 | 
 35 | def xsscheck(content):
 36 |     content = content.lower()
 37 |     vulns = ["javascript", "frame", "object", "on", "data", "base","\\u","alert","fetch","XMLHttpRequest","eval","constructor"]
 38 |     vulns += list("()'\"")
 39 |     for char in vulns:
 40 |         if char in content:
 41 |             return True
 42 | 
 43 |     return False
 44 | 
 45 | 
 46 | @app.route("/")
 47 | def index():
 48 |     if sessionCheck(loginCheck=True):
 49 |         return flask.redirect(flask.url_for("board"))
 50 | 
 51 |     return flask.redirect(flask.url_for("login"))
 52 | 
 53 | 
 54 | 
 55 | @app.route("/login", methods=["GET","POST"])
 56 | def login():
 57 |     if flask.request.method == "GET":
 58 |         if sessionCheck(loginCheck=True):
 59 |             return flask.redirect(flask.url_for("board"))
 60 |         
 61 |         return flask.render_template("login.html", msg="false")
 62 |     else:
 63 |         if sessionCheck():
 64 |             return flask.redirect(flask.url_for("board"))
 65 |         
 66 |         userid = flask.request.form["userid"]
 67 |         userpw = flask.request.form["userpw"]
 68 |         
 69 |         if userid in ids:
 70 |             if ids[userid] == userpw:
 71 |                 flask.session["userid"] = userid
 72 |                 flask.session["isLogin"] = True
 73 |                     
 74 |                 resp = flask.make_response(flask.redirect(flask.url_for("board")))
 75 |                 resp.set_cookie('userid', flask.session["userid"])
 76 |                 return resp
 77 |             else:
 78 |                 return flask.render_template("login.html", msg="login fail")
 79 |         else:
 80 |             return flask.render_template("login.html", msg="login fail")
 81 | 
 82 | 
 83 | @app.route("/register", methods=["GET","POST"])
 84 | def register():
 85 |     if flask.request.method == "GET":
 86 |         if sessionCheck(loginCheck=True):
 87 |             return flask.redirect(flask.url_for("board"))
 88 |         
 89 |         return flask.render_template("register.html", msg="false")
 90 |     else:
 91 |         if sessionCheck():
 92 |             return flask.redirect(flask.url_for("board"))
 93 | 
 94 |         userid = flask.request.form["userid"] 
 95 |         userpw = flask.request.form["userpw"]
 96 |         
 97 |         if userid not in ids:
 98 |             ids[userid] = userpw
 99 |             return flask.render_template("login.html", msg="false")
100 |         else:
101 |             return flask.render_template("register.html", msg="already registered id")
102 | 
103 | @app.route("/logout")
104 | def logout():
105 |     flask.session.pop('isLogin', False)
106 |     resp = flask.make_response(flask.redirect(flask.url_for("login")))
107 |     resp.set_cookie('userid', expires=0)
108 |     return resp
109 | 
110 | 
111 | @app.route("/board", methods=["GET"])
112 | def board():
113 |     if not sessionCheck(loginCheck=True):
114 |         return flask.redirect(flask.url_for("login"))
115 |     results = []
116 |     for i in articles:
117 |         if i["author"] == flask.session["userid"] or flask.session["userid"] == "admin" or i["author"] == "admin":
118 |             results.append(i)
119 |     return flask.render_template("board.html", articles=results)
120 | 
121 | 
122 | @app.route("/board/<seq>")
123 | def viewboard(seq):
124 |     if not sessionCheck(loginCheck=True):
125 |         return flask.redirect(flask.url_for("login"))
126 | 
127 |     article = articles[int(seq)]
128 |     if article["author"] == flask.session["userid"] or flask.session["userid"] == "admin":
129 |         return flask.render_template("view.html", articles=article)
130 |     else:
131 |         return "<script>alert('This is not your article');location.replace('/');</script>"
132 | 
133 | @app.route("/write", methods=["GET", "POST"])
134 | def write():
135 |     if not sessionCheck(loginCheck=True):
136 |         return flask.redirect(flask.url_for("login"))
137 | 
138 |     if flask.request.method == "GET":
139 |         return flask.render_template("write.html", loginid=flask.session["userid"])
140 | 
141 |     elif flask.request.method == "POST":
142 |         subject = flask.request.form["subject"]
143 |         author = flask.request.form["author"]
144 |         content = flask.request.form["content"]
145 |         
146 |         if not xsscheck(content):
147 |             req = {
148 |                 'seq':len(articles),
149 |                 'subject':subject,
150 |                 'author':flask.session['userid'],
151 |                 'content':content,
152 |             }
153 | 
154 |             articles.append(req)
155 | 
156 |             return flask.redirect(flask.url_for("board"))
157 |         else:
158 |             return '<script>alert("no hack");history.go(-1);</script>'
159 | 
160 | 
161 | @app.route("/report", methods=["GET", "POST"])
162 | def report():
163 |     if flask.request.method == "GET":
164 |         return '''
165 |         <form method="POST" action="/report">
166 |             <input type="text" name="url" placeholder="input url..." style="width:25%; height: 7%;">
167 |             <input type="submit" value="submit">
168 |         </form>
169 |         '''
170 |     elif flask.request.method == "POST":
171 |         url = flask.request.form['url']
172 |         requests.post(f"http://arang_client:9000/run", data=f"chal=xss3&url={url}", headers={"Content-Type":"application/x-www-form-urlencoded", "Content-Length":"1"})
173 |         return "<script>history.go(-1);</script>"
174 | 
175 | 
176 | if __name__ == "__main__":
177 |     try:
178 |         app.run(host="0.0.0.0", port=9003, debug=True)
179 |     except Exception as ex:
180 |         logging.info(str(ex))
181 |         pass
182 | 


--------------------------------------------------------------------------------
/app/entrypoint.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | python3 /app/app.py&
3 | python3 /app/bot/bot.py&
4 | python3 /app/challenges/xss1/xss1.py&
5 | python3 /app/challenges/xss2/xss2.py&
6 | python3 /app/challenges/xss3/xss3.py&
7 | python3 /app/challenges/csrf1/csrf1.py&
8 | python3 /app/challenges/csrf2/csrf2.py&
9 | python3 /app/challenges/xsleak/xsleak.py&


--------------------------------------------------------------------------------
/app/flags.json:
--------------------------------------------------------------------------------
 1 | {
 2 | 	"xss1":"flag{[REDACTED]}",
 3 | 	"xss2":"flag{[REDACTED]}",
 4 | 	"xss3":"flag{[REDACTED]}",
 5 | 	"dom clobbering":"flag{[REDACTED]}",
 6 | 	"csrf1":"flag{[REDACTED]}",
 7 | 	"csrf2":"flag{[REDACTED]}",
 8 | 	"xsleak":"flag{[REDACTED]}",
 9 | 	"sqli1":"flag{[REDACTED]}",
10 | 	"sqli2":"flag{[REDACTED]}",
11 | 	"sqli3":"flag{[REDACTED]}",
12 | 	"lfi1":"flag{[REDACTED]}",
13 | 	"lfi2":"flag{[REDACTED]}",
14 | 	"command injection":"flag{[REDACTED]}",
15 | 	"ssti":"flag{[REDACTED]}",
16 | 	"prototype pollution":"flag{[REDACTED]}"
17 | }


--------------------------------------------------------------------------------
/app/static/js/main.js:
--------------------------------------------------------------------------------
1 | (function($) {
2 | 
3 | 	"use strict";
4 | 
5 | 
6 | })(jQuery);
7 | 


--------------------------------------------------------------------------------
/app/static/js/popper.js:
--------------------------------------------------------------------------------
1 | /*
2 |  Copyright (C) Federico Zivolo 2019
3 |  Distributed under the MIT License (license terms are at http://opensource.org/licenses/MIT).
4 |  */(function(e,t){'object'==typeof exports&&'undefined'!=typeof module?module.exports=t():'function'==typeof define&&define.amd?define(t):e.Popper=t()})(this,function(){'use strict';function e(e){return e&&'[object Function]'==={}.toString.call(e)}function t(e,t){if(1!==e.nodeType)return[];var o=e.ownerDocument.defaultView,n=o.getComputedStyle(e,null);return t?n[t]:n}function o(e){return'HTML'===e.nodeName?e:e.parentNode||e.host}function n(e){if(!e)return document.body;switch(e.nodeName){case'HTML':case'BODY':return e.ownerDocument.body;case'#document':return e.body;}var i=t(e),r=i.overflow,p=i.overflowX,s=i.overflowY;return /(auto|scroll|overlay)/.test(r+s+p)?e:n(o(e))}function r(e){return 11===e?pe:10===e?se:pe||se}function p(e){if(!e)return document.documentElement;for(var o=r(10)?document.body:null,n=e.offsetParent||null;n===o&&e.nextElementSibling;)n=(e=e.nextElementSibling).offsetParent;var i=n&&n.nodeName;return i&&'BODY'!==i&&'HTML'!==i?-1!==['TH','TD','TABLE'].indexOf(n.nodeName)&&'static'===t(n,'position')?p(n):n:e?e.ownerDocument.documentElement:document.documentElement}function s(e){var t=e.nodeName;return'BODY'!==t&&('HTML'===t||p(e.firstElementChild)===e)}function d(e){return null===e.parentNode?e:d(e.parentNode)}function a(e,t){if(!e||!e.nodeType||!t||!t.nodeType)return document.documentElement;var o=e.compareDocumentPosition(t)&Node.DOCUMENT_POSITION_FOLLOWING,n=o?e:t,i=o?t:e,r=document.createRange();r.setStart(n,0),r.setEnd(i,0);var l=r.commonAncestorContainer;if(e!==l&&t!==l||n.contains(i))return s(l)?l:p(l);var f=d(e);return f.host?a(f.host,t):a(e,d(t).host)}function l(e){var t=1<arguments.length&&void 0!==arguments[1]?arguments[1]:'top',o='top'===t?'scrollTop':'scrollLeft',n=e.nodeName;if('BODY'===n||'HTML'===n){var i=e.ownerDocument.documentElement,r=e.ownerDocument.scrollingElement||i;return r[o]}return e[o]}function f(e,t){var o=2<arguments.length&&void 0!==arguments[2]&&arguments[2],n=l(t,'top'),i=l(t,'left'),r=o?-1:1;return e.top+=n*r,e.bottom+=n*r,e.left+=i*r,e.right+=i*r,e}function m(e,t){var o='x'===t?'Left':'Top',n='Left'==o?'Right':'Bottom';return parseFloat(e['border'+o+'Width'],10)+parseFloat(e['border'+n+'Width'],10)}function h(e,t,o,n){return ee(t['offset'+e],t['scroll'+e],o['client'+e],o['offset'+e],o['scroll'+e],r(10)?parseInt(o['offset'+e])+parseInt(n['margin'+('Height'===e?'Top':'Left')])+parseInt(n['margin'+('Height'===e?'Bottom':'Right')]):0)}function c(e){var t=e.body,o=e.documentElement,n=r(10)&&getComputedStyle(o);return{height:h('Height',t,o,n),width:h('Width',t,o,n)}}function g(e){return fe({},e,{right:e.left+e.width,bottom:e.top+e.height})}function u(e){var o={};try{if(r(10)){o=e.getBoundingClientRect();var n=l(e,'top'),i=l(e,'left');o.top+=n,o.left+=i,o.bottom+=n,o.right+=i}else o=e.getBoundingClientRect()}catch(t){}var p={left:o.left,top:o.top,width:o.right-o.left,height:o.bottom-o.top},s='HTML'===e.nodeName?c(e.ownerDocument):{},d=s.width||e.clientWidth||p.right-p.left,a=s.height||e.clientHeight||p.bottom-p.top,f=e.offsetWidth-d,h=e.offsetHeight-a;if(f||h){var u=t(e);f-=m(u,'x'),h-=m(u,'y'),p.width-=f,p.height-=h}return g(p)}function b(e,o){var i=2<arguments.length&&void 0!==arguments[2]&&arguments[2],p=r(10),s='HTML'===o.nodeName,d=u(e),a=u(o),l=n(e),m=t(o),h=parseFloat(m.borderTopWidth,10),c=parseFloat(m.borderLeftWidth,10);i&&s&&(a.top=ee(a.top,0),a.left=ee(a.left,0));var b=g({top:d.top-a.top-h,left:d.left-a.left-c,width:d.width,height:d.height});if(b.marginTop=0,b.marginLeft=0,!p&&s){var w=parseFloat(m.marginTop,10),y=parseFloat(m.marginLeft,10);b.top-=h-w,b.bottom-=h-w,b.left-=c-y,b.right-=c-y,b.marginTop=w,b.marginLeft=y}return(p&&!i?o.contains(l):o===l&&'BODY'!==l.nodeName)&&(b=f(b,o)),b}function w(e){var t=1<arguments.length&&void 0!==arguments[1]&&arguments[1],o=e.ownerDocument.documentElement,n=b(e,o),i=ee(o.clientWidth,window.innerWidth||0),r=ee(o.clientHeight,window.innerHeight||0),p=t?0:l(o),s=t?0:l(o,'left'),d={top:p-n.top+n.marginTop,left:s-n.left+n.marginLeft,width:i,height:r};return g(d)}function y(e){var n=e.nodeName;if('BODY'===n||'HTML'===n)return!1;if('fixed'===t(e,'position'))return!0;var i=o(e);return!!i&&y(i)}function E(e){if(!e||!e.parentElement||r())return document.documentElement;for(var o=e.parentElement;o&&'none'===t(o,'transform');)o=o.parentElement;return o||document.documentElement}function v(e,t,i,r){var p=4<arguments.length&&void 0!==arguments[4]&&arguments[4],s={top:0,left:0},d=p?E(e):a(e,t);if('viewport'===r)s=w(d,p);else{var l;'scrollParent'===r?(l=n(o(t)),'BODY'===l.nodeName&&(l=e.ownerDocument.documentElement)):'window'===r?l=e.ownerDocument.documentElement:l=r;var f=b(l,d,p);if('HTML'===l.nodeName&&!y(d)){var m=c(e.ownerDocument),h=m.height,g=m.width;s.top+=f.top-f.marginTop,s.bottom=h+f.top,s.left+=f.left-f.marginLeft,s.right=g+f.left}else s=f}i=i||0;var u='number'==typeof i;return s.left+=u?i:i.left||0,s.top+=u?i:i.top||0,s.right-=u?i:i.right||0,s.bottom-=u?i:i.bottom||0,s}function x(e){var t=e.width,o=e.height;return t*o}function O(e,t,o,n,i){var r=5<arguments.length&&void 0!==arguments[5]?arguments[5]:0;if(-1===e.indexOf('auto'))return e;var p=v(o,n,r,i),s={top:{width:p.width,height:t.top-p.top},right:{width:p.right-t.right,height:p.height},bottom:{width:p.width,height:p.bottom-t.bottom},left:{width:t.left-p.left,height:p.height}},d=Object.keys(s).map(function(e){return fe({key:e},s[e],{area:x(s[e])})}).sort(function(e,t){return t.area-e.area}),a=d.filter(function(e){var t=e.width,n=e.height;return t>=o.clientWidth&&n>=o.clientHeight}),l=0<a.length?a[0].key:d[0].key,f=e.split('-')[1];return l+(f?'-'+f:'')}function L(e,t,o){var n=3<arguments.length&&void 0!==arguments[3]?arguments[3]:null,i=n?E(t):a(t,o);return b(o,i,n)}function S(e){var t=e.ownerDocument.defaultView,o=t.getComputedStyle(e),n=parseFloat(o.marginTop||0)+parseFloat(o.marginBottom||0),i=parseFloat(o.marginLeft||0)+parseFloat(o.marginRight||0),r={width:e.offsetWidth+i,height:e.offsetHeight+n};return r}function T(e){var t={left:'right',right:'left',bottom:'top',top:'bottom'};return e.replace(/left|right|bottom|top/g,function(e){return t[e]})}function D(e,t,o){o=o.split('-')[0];var n=S(e),i={width:n.width,height:n.height},r=-1!==['right','left'].indexOf(o),p=r?'top':'left',s=r?'left':'top',d=r?'height':'width',a=r?'width':'height';return i[p]=t[p]+t[d]/2-n[d]/2,i[s]=o===s?t[s]-n[a]:t[T(s)],i}function C(e,t){return Array.prototype.find?e.find(t):e.filter(t)[0]}function N(e,t,o){if(Array.prototype.findIndex)return e.findIndex(function(e){return e[t]===o});var n=C(e,function(e){return e[t]===o});return e.indexOf(n)}function P(t,o,n){var i=void 0===n?t:t.slice(0,N(t,'name',n));return i.forEach(function(t){t['function']&&console.warn('`modifier.function` is deprecated, use `modifier.fn`!');var n=t['function']||t.fn;t.enabled&&e(n)&&(o.offsets.popper=g(o.offsets.popper),o.offsets.reference=g(o.offsets.reference),o=n(o,t))}),o}function k(){if(!this.state.isDestroyed){var e={instance:this,styles:{},arrowStyles:{},attributes:{},flipped:!1,offsets:{}};e.offsets.reference=L(this.state,this.popper,this.reference,this.options.positionFixed),e.placement=O(this.options.placement,e.offsets.reference,this.popper,this.reference,this.options.modifiers.flip.boundariesElement,this.options.modifiers.flip.padding),e.originalPlacement=e.placement,e.positionFixed=this.options.positionFixed,e.offsets.popper=D(this.popper,e.offsets.reference,e.placement),e.offsets.popper.position=this.options.positionFixed?'fixed':'absolute',e=P(this.modifiers,e),this.state.isCreated?this.options.onUpdate(e):(this.state.isCreated=!0,this.options.onCreate(e))}}function W(e,t){return e.some(function(e){var o=e.name,n=e.enabled;return n&&o===t})}function H(e){for(var t=[!1,'ms','Webkit','Moz','O'],o=e.charAt(0).toUpperCase()+e.slice(1),n=0;n<t.length;n++){var i=t[n],r=i?''+i+o:e;if('undefined'!=typeof document.body.style[r])return r}return null}function B(){return this.state.isDestroyed=!0,W(this.modifiers,'applyStyle')&&(this.popper.removeAttribute('x-placement'),this.popper.style.position='',this.popper.style.top='',this.popper.style.left='',this.popper.style.right='',this.popper.style.bottom='',this.popper.style.willChange='',this.popper.style[H('transform')]=''),this.disableEventListeners(),this.options.removeOnDestroy&&this.popper.parentNode.removeChild(this.popper),this}function A(e){var t=e.ownerDocument;return t?t.defaultView:window}function M(e,t,o,i){var r='BODY'===e.nodeName,p=r?e.ownerDocument.defaultView:e;p.addEventListener(t,o,{passive:!0}),r||M(n(p.parentNode),t,o,i),i.push(p)}function F(e,t,o,i){o.updateBound=i,A(e).addEventListener('resize',o.updateBound,{passive:!0});var r=n(e);return M(r,'scroll',o.updateBound,o.scrollParents),o.scrollElement=r,o.eventsEnabled=!0,o}function I(){this.state.eventsEnabled||(this.state=F(this.reference,this.options,this.state,this.scheduleUpdate))}function R(e,t){return A(e).removeEventListener('resize',t.updateBound),t.scrollParents.forEach(function(e){e.removeEventListener('scroll',t.updateBound)}),t.updateBound=null,t.scrollParents=[],t.scrollElement=null,t.eventsEnabled=!1,t}function U(){this.state.eventsEnabled&&(cancelAnimationFrame(this.scheduleUpdate),this.state=R(this.reference,this.state))}function Y(e){return''!==e&&!isNaN(parseFloat(e))&&isFinite(e)}function j(e,t){Object.keys(t).forEach(function(o){var n='';-1!==['width','height','top','right','bottom','left'].indexOf(o)&&Y(t[o])&&(n='px'),e.style[o]=t[o]+n})}function V(e,t){Object.keys(t).forEach(function(o){var n=t[o];!1===n?e.removeAttribute(o):e.setAttribute(o,t[o])})}function q(e,t){var o=e.offsets,n=o.popper,i=o.reference,r=$,p=function(e){return e},s=r(i.width),d=r(n.width),a=-1!==['left','right'].indexOf(e.placement),l=-1!==e.placement.indexOf('-'),f=t?a||l||s%2==d%2?r:Z:p,m=t?r:p;return{left:f(1==s%2&&1==d%2&&!l&&t?n.left-1:n.left),top:m(n.top),bottom:m(n.bottom),right:f(n.right)}}function K(e,t,o){var n=C(e,function(e){var o=e.name;return o===t}),i=!!n&&e.some(function(e){return e.name===o&&e.enabled&&e.order<n.order});if(!i){var r='`'+t+'`';console.warn('`'+o+'`'+' modifier is required by '+r+' modifier in order to work, be sure to include it before '+r+'!')}return i}function z(e){return'end'===e?'start':'start'===e?'end':e}function G(e){var t=1<arguments.length&&void 0!==arguments[1]&&arguments[1],o=ce.indexOf(e),n=ce.slice(o+1).concat(ce.slice(0,o));return t?n.reverse():n}function _(e,t,o,n){var i=e.match(/((?:\-|\+)?\d*\.?\d*)(.*)/),r=+i[1],p=i[2];if(!r)return e;if(0===p.indexOf('%')){var s;switch(p){case'%p':s=o;break;case'%':case'%r':default:s=n;}var d=g(s);return d[t]/100*r}if('vh'===p||'vw'===p){var a;return a='vh'===p?ee(document.documentElement.clientHeight,window.innerHeight||0):ee(document.documentElement.clientWidth,window.innerWidth||0),a/100*r}return r}function X(e,t,o,n){var i=[0,0],r=-1!==['right','left'].indexOf(n),p=e.split(/(\+|\-)/).map(function(e){return e.trim()}),s=p.indexOf(C(p,function(e){return-1!==e.search(/,|\s/)}));p[s]&&-1===p[s].indexOf(',')&&console.warn('Offsets separated by white space(s) are deprecated, use a comma (,) instead.');var d=/\s*,\s*|\s+/,a=-1===s?[p]:[p.slice(0,s).concat([p[s].split(d)[0]]),[p[s].split(d)[1]].concat(p.slice(s+1))];return a=a.map(function(e,n){var i=(1===n?!r:r)?'height':'width',p=!1;return e.reduce(function(e,t){return''===e[e.length-1]&&-1!==['+','-'].indexOf(t)?(e[e.length-1]=t,p=!0,e):p?(e[e.length-1]+=t,p=!1,e):e.concat(t)},[]).map(function(e){return _(e,i,t,o)})}),a.forEach(function(e,t){e.forEach(function(o,n){Y(o)&&(i[t]+=o*('-'===e[n-1]?-1:1))})}),i}function J(e,t){var o,n=t.offset,i=e.placement,r=e.offsets,p=r.popper,s=r.reference,d=i.split('-')[0];return o=Y(+n)?[+n,0]:X(n,p,s,d),'left'===d?(p.top+=o[0],p.left-=o[1]):'right'===d?(p.top+=o[0],p.left+=o[1]):'top'===d?(p.left+=o[0],p.top-=o[1]):'bottom'===d&&(p.left+=o[0],p.top+=o[1]),e.popper=p,e}for(var Q=Math.min,Z=Math.floor,$=Math.round,ee=Math.max,te='undefined'!=typeof window&&'undefined'!=typeof document,oe=['Edge','Trident','Firefox'],ne=0,ie=0;ie<oe.length;ie+=1)if(te&&0<=navigator.userAgent.indexOf(oe[ie])){ne=1;break}var i=te&&window.Promise,re=i?function(e){var t=!1;return function(){t||(t=!0,window.Promise.resolve().then(function(){t=!1,e()}))}}:function(e){var t=!1;return function(){t||(t=!0,setTimeout(function(){t=!1,e()},ne))}},pe=te&&!!(window.MSInputMethodContext&&document.documentMode),se=te&&/MSIE 10/.test(navigator.userAgent),de=function(e,t){if(!(e instanceof t))throw new TypeError('Cannot call a class as a function')},ae=function(){function e(e,t){for(var o,n=0;n<t.length;n++)o=t[n],o.enumerable=o.enumerable||!1,o.configurable=!0,'value'in o&&(o.writable=!0),Object.defineProperty(e,o.key,o)}return function(t,o,n){return o&&e(t.prototype,o),n&&e(t,n),t}}(),le=function(e,t,o){return t in e?Object.defineProperty(e,t,{value:o,enumerable:!0,configurable:!0,writable:!0}):e[t]=o,e},fe=Object.assign||function(e){for(var t,o=1;o<arguments.length;o++)for(var n in t=arguments[o],t)Object.prototype.hasOwnProperty.call(t,n)&&(e[n]=t[n]);return e},me=te&&/Firefox/i.test(navigator.userAgent),he=['auto-start','auto','auto-end','top-start','top','top-end','right-start','right','right-end','bottom-end','bottom','bottom-start','left-end','left','left-start'],ce=he.slice(3),ge={FLIP:'flip',CLOCKWISE:'clockwise',COUNTERCLOCKWISE:'counterclockwise'},ue=function(){function t(o,n){var i=this,r=2<arguments.length&&void 0!==arguments[2]?arguments[2]:{};de(this,t),this.scheduleUpdate=function(){return requestAnimationFrame(i.update)},this.update=re(this.update.bind(this)),this.options=fe({},t.Defaults,r),this.state={isDestroyed:!1,isCreated:!1,scrollParents:[]},this.reference=o&&o.jquery?o[0]:o,this.popper=n&&n.jquery?n[0]:n,this.options.modifiers={},Object.keys(fe({},t.Defaults.modifiers,r.modifiers)).forEach(function(e){i.options.modifiers[e]=fe({},t.Defaults.modifiers[e]||{},r.modifiers?r.modifiers[e]:{})}),this.modifiers=Object.keys(this.options.modifiers).map(function(e){return fe({name:e},i.options.modifiers[e])}).sort(function(e,t){return e.order-t.order}),this.modifiers.forEach(function(t){t.enabled&&e(t.onLoad)&&t.onLoad(i.reference,i.popper,i.options,t,i.state)}),this.update();var p=this.options.eventsEnabled;p&&this.enableEventListeners(),this.state.eventsEnabled=p}return ae(t,[{key:'update',value:function(){return k.call(this)}},{key:'destroy',value:function(){return B.call(this)}},{key:'enableEventListeners',value:function(){return I.call(this)}},{key:'disableEventListeners',value:function(){return U.call(this)}}]),t}();return ue.Utils=('undefined'==typeof window?global:window).PopperUtils,ue.placements=he,ue.Defaults={placement:'bottom',positionFixed:!1,eventsEnabled:!0,removeOnDestroy:!1,onCreate:function(){},onUpdate:function(){},modifiers:{shift:{order:100,enabled:!0,fn:function(e){var t=e.placement,o=t.split('-')[0],n=t.split('-')[1];if(n){var i=e.offsets,r=i.reference,p=i.popper,s=-1!==['bottom','top'].indexOf(o),d=s?'left':'top',a=s?'width':'height',l={start:le({},d,r[d]),end:le({},d,r[d]+r[a]-p[a])};e.offsets.popper=fe({},p,l[n])}return e}},offset:{order:200,enabled:!0,fn:J,offset:0},preventOverflow:{order:300,enabled:!0,fn:function(e,t){var o=t.boundariesElement||p(e.instance.popper);e.instance.reference===o&&(o=p(o));var n=H('transform'),i=e.instance.popper.style,r=i.top,s=i.left,d=i[n];i.top='',i.left='',i[n]='';var a=v(e.instance.popper,e.instance.reference,t.padding,o,e.positionFixed);i.top=r,i.left=s,i[n]=d,t.boundaries=a;var l=t.priority,f=e.offsets.popper,m={primary:function(e){var o=f[e];return f[e]<a[e]&&!t.escapeWithReference&&(o=ee(f[e],a[e])),le({},e,o)},secondary:function(e){var o='right'===e?'left':'top',n=f[o];return f[e]>a[e]&&!t.escapeWithReference&&(n=Q(f[o],a[e]-('right'===e?f.width:f.height))),le({},o,n)}};return l.forEach(function(e){var t=-1===['left','top'].indexOf(e)?'secondary':'primary';f=fe({},f,m[t](e))}),e.offsets.popper=f,e},priority:['left','right','top','bottom'],padding:5,boundariesElement:'scrollParent'},keepTogether:{order:400,enabled:!0,fn:function(e){var t=e.offsets,o=t.popper,n=t.reference,i=e.placement.split('-')[0],r=Z,p=-1!==['top','bottom'].indexOf(i),s=p?'right':'bottom',d=p?'left':'top',a=p?'width':'height';return o[s]<r(n[d])&&(e.offsets.popper[d]=r(n[d])-o[a]),o[d]>r(n[s])&&(e.offsets.popper[d]=r(n[s])),e}},arrow:{order:500,enabled:!0,fn:function(e,o){var n;if(!K(e.instance.modifiers,'arrow','keepTogether'))return e;var i=o.element;if('string'==typeof i){if(i=e.instance.popper.querySelector(i),!i)return e;}else if(!e.instance.popper.contains(i))return console.warn('WARNING: `arrow.element` must be child of its popper element!'),e;var r=e.placement.split('-')[0],p=e.offsets,s=p.popper,d=p.reference,a=-1!==['left','right'].indexOf(r),l=a?'height':'width',f=a?'Top':'Left',m=f.toLowerCase(),h=a?'left':'top',c=a?'bottom':'right',u=S(i)[l];d[c]-u<s[m]&&(e.offsets.popper[m]-=s[m]-(d[c]-u)),d[m]+u>s[c]&&(e.offsets.popper[m]+=d[m]+u-s[c]),e.offsets.popper=g(e.offsets.popper);var b=d[m]+d[l]/2-u/2,w=t(e.instance.popper),y=parseFloat(w['margin'+f],10),E=parseFloat(w['border'+f+'Width'],10),v=b-e.offsets.popper[m]-y-E;return v=ee(Q(s[l]-u,v),0),e.arrowElement=i,e.offsets.arrow=(n={},le(n,m,$(v)),le(n,h,''),n),e},element:'[x-arrow]'},flip:{order:600,enabled:!0,fn:function(e,t){if(W(e.instance.modifiers,'inner'))return e;if(e.flipped&&e.placement===e.originalPlacement)return e;var o=v(e.instance.popper,e.instance.reference,t.padding,t.boundariesElement,e.positionFixed),n=e.placement.split('-')[0],i=T(n),r=e.placement.split('-')[1]||'',p=[];switch(t.behavior){case ge.FLIP:p=[n,i];break;case ge.CLOCKWISE:p=G(n);break;case ge.COUNTERCLOCKWISE:p=G(n,!0);break;default:p=t.behavior;}return p.forEach(function(s,d){if(n!==s||p.length===d+1)return e;n=e.placement.split('-')[0],i=T(n);var a=e.offsets.popper,l=e.offsets.reference,f=Z,m='left'===n&&f(a.right)>f(l.left)||'right'===n&&f(a.left)<f(l.right)||'top'===n&&f(a.bottom)>f(l.top)||'bottom'===n&&f(a.top)<f(l.bottom),h=f(a.left)<f(o.left),c=f(a.right)>f(o.right),g=f(a.top)<f(o.top),u=f(a.bottom)>f(o.bottom),b='left'===n&&h||'right'===n&&c||'top'===n&&g||'bottom'===n&&u,w=-1!==['top','bottom'].indexOf(n),y=!!t.flipVariations&&(w&&'start'===r&&h||w&&'end'===r&&c||!w&&'start'===r&&g||!w&&'end'===r&&u);(m||b||y)&&(e.flipped=!0,(m||b)&&(n=p[d+1]),y&&(r=z(r)),e.placement=n+(r?'-'+r:''),e.offsets.popper=fe({},e.offsets.popper,D(e.instance.popper,e.offsets.reference,e.placement)),e=P(e.instance.modifiers,e,'flip'))}),e},behavior:'flip',padding:5,boundariesElement:'viewport'},inner:{order:700,enabled:!1,fn:function(e){var t=e.placement,o=t.split('-')[0],n=e.offsets,i=n.popper,r=n.reference,p=-1!==['left','right'].indexOf(o),s=-1===['top','left'].indexOf(o);return i[p?'left':'top']=r[o]-(s?i[p?'width':'height']:0),e.placement=T(t),e.offsets.popper=g(i),e}},hide:{order:800,enabled:!0,fn:function(e){if(!K(e.instance.modifiers,'hide','preventOverflow'))return e;var t=e.offsets.reference,o=C(e.instance.modifiers,function(e){return'preventOverflow'===e.name}).boundaries;if(t.bottom<o.top||t.left>o.right||t.top>o.bottom||t.right<o.left){if(!0===e.hide)return e;e.hide=!0,e.attributes['x-out-of-boundaries']=''}else{if(!1===e.hide)return e;e.hide=!1,e.attributes['x-out-of-boundaries']=!1}return e}},computeStyle:{order:850,enabled:!0,fn:function(e,t){var o=t.x,n=t.y,i=e.offsets.popper,r=C(e.instance.modifiers,function(e){return'applyStyle'===e.name}).gpuAcceleration;void 0!==r&&console.warn('WARNING: `gpuAcceleration` option moved to `computeStyle` modifier and will not be supported in future versions of Popper.js!');var s,d,a=void 0===r?t.gpuAcceleration:r,l=p(e.instance.popper),f=u(l),m={position:i.position},h=q(e,2>window.devicePixelRatio||!me),c='bottom'===o?'top':'bottom',g='right'===n?'left':'right',b=H('transform');if(d='bottom'==c?'HTML'===l.nodeName?-l.clientHeight+h.bottom:-f.height+h.bottom:h.top,s='right'==g?'HTML'===l.nodeName?-l.clientWidth+h.right:-f.width+h.right:h.left,a&&b)m[b]='translate3d('+s+'px, '+d+'px, 0)',m[c]=0,m[g]=0,m.willChange='transform';else{var w='bottom'==c?-1:1,y='right'==g?-1:1;m[c]=d*w,m[g]=s*y,m.willChange=c+', '+g}var E={"x-placement":e.placement};return e.attributes=fe({},E,e.attributes),e.styles=fe({},m,e.styles),e.arrowStyles=fe({},e.offsets.arrow,e.arrowStyles),e},gpuAcceleration:!0,x:'bottom',y:'right'},applyStyle:{order:900,enabled:!0,fn:function(e){return j(e.instance.popper,e.styles),V(e.instance.popper,e.attributes),e.arrowElement&&Object.keys(e.arrowStyles).length&&j(e.arrowElement,e.arrowStyles),e},onLoad:function(e,t,o,n,i){var r=L(i,t,e,o.positionFixed),p=O(o.placement,r,t,e,o.modifiers.flip.boundariesElement,o.modifiers.flip.padding);return t.setAttribute('x-placement',p),j(t,{position:o.positionFixed?'fixed':'absolute'}),o},gpuAcceleration:void 0}}},ue});
5 | //# sourceMappingURL=popper.min.js.map


--------------------------------------------------------------------------------
/app/templates/board.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF BOARD</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		function fn_view(seq){
15 | 			location.replace(`/board/${seq}`);
16 | 		}
17 | 	</script>
18 | 	</head>
19 | 	<body>
20 | 	<section class="ftco-section">
21 | 		<div class="container" style="max-width: 100%;">
22 | 			<div class="row justify-content-center">
23 | 				<div class="col-md-6 text-center mb-5">
24 | 					<h2 class="heading-section">WHS1 Mini CTF BOARD</h2>
25 | 				</div>
26 | 			</div>
27 | 			<div class="row justify-content-center">
28 | 				<div class="container">
29 |     <form id="boardForm" name="boardForm" method="post">
30 |         <table class="table table-striped table-hover">
31 |             <thead>
32 |                 <tr>
33 |                     <th>번호</th>
34 |                     <th>제목</th>
35 |                     <th>작성자</th>
36 |                 </tr>
37 |             </thead>
38 |             <tbody>
39 |                 {% for i in results %}
40 |                     <tr>
41 |                         <td>{{i['seq']}}</td>
42 |                         <td><a href='#' onClick='fn_view({{i["seq"]}})' id="article-{{i['seq']}}">{{i['subject']}}</a></td>
43 |                         <td>{{i['author']}}</td>
44 |                     </tr>
45 |                 {% endfor %}
46 |             </tbody>
47 |         </table>
48 |         <center>
49 |         <div>            
50 |             <a href='#' onClick='location.replace("/write");' class="btn btn-success">글쓰기</a>            
51 |             <a href='#' onClick='location.replace("/report")' class="btn btn-warning">관리자에게 글 읽기 요청</a>    
52 |             <a href='#' onClick='location.replace("/logout")' class="btn btn-info">로그아웃</a>            
53 |         </div>
54 |     	</center>
55 |     </form>
56 | </div>
57 | 			</div>
58 | 		</div>
59 | 	</section>
60 | 
61 | 	<script src="/static/js/jquery.min.js"></script>
62 |   <script src="/static/js/popper.js"></script>
63 |   <script src="/static/js/bootstrap.min.js"></script>
64 |   <script src="/static/js/main.js"></script>
65 | 
66 | 	</body>
67 | </html>


--------------------------------------------------------------------------------
/app/templates/login.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF LOGIN</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		var msg = '{{ msg }}';
15 | 		if (msg != "false"){
16 | 			alert(msg);
17 | 		} 
18 | 	</script>
19 | 	</head>
20 | 	<body>
21 | 	<section class="ftco-section">
22 | 		<div class="container">
23 | 			<div class="row justify-content-center">
24 | 				<div class="col-md-6 text-center mb-5">
25 | 					<h2 class="heading-section">LOGIN</h2>
26 | 				</div>
27 | 			</div>
28 | 			<div class="row justify-content-center">
29 | 				<div class="col-md-7 col-lg-5">
30 | 					<div class="login-wrap p-4 p-md-5">
31 | 		      	<div class="icon d-flex align-items-center justify-content-center">
32 | 		      		<span class="fa fa-user-o"></span>
33 | 		      	</div>
34 | 		      	<h3 class="text-center mb-4">Sign In</h3>
35 | 						<form id="form1" method="POST" action="/login" class="login-form">
36 | 		      		<div class="form-group">
37 | 		      			<input type="text" class="form-control rounded-left" id="userid" name="userid" placeholder="Username" id="userid" required>
38 | 		      		</div>
39 | 	            <div class="form-group d-flex">
40 | 	              <input type="password" class="form-control rounded-left" id="userpw" name="userpw" placeholder="Password" id="userpw" required>
41 | 	            </div>
42 | 	            <div class="form-group">
43 | 	            	<button type="submit" class="form-control btn btn-primary rounded submit px-3" id="submit-login">Login</button>
44 | 	            </div>
45 | 	            <div class="form-group d-md-flex">
46 | 	            	<div class="w-50">
47 | 								</div>
48 | 								<div class="w-50 text-md-right">
49 | 									<a href="/register">Register</a>
50 | 								</div>
51 | 	            </div>
52 | 	          </form>
53 | 	        </div>
54 | 				</div>
55 | 			</div>
56 | 		</div>
57 | 	</section>
58 | 
59 | 	<script src="/static/js/jquery.min.js"></script>
60 |   <script src="/static/js/popper.js"></script>
61 |   <script src="/static/js/bootstrap.min.js"></script>
62 |   <script src="/static/js/main.js"></script>
63 | 
64 | 	</body>
65 | </html>


--------------------------------------------------------------------------------
/app/templates/main.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 |         function change_link(){
15 |             for(var i=0; i<100; i++){
16 |                 atag = document.getElementById(`link${i+1}`);
17 |                 if(atag){
18 |                     atag.href = atag.href.replace("arang_client", document.domain);
19 |                     atag.text = atag.text.replace("arang_client", document.domain);
20 |                 } else{
21 |                     break;
22 |                 }
23 |             }
24 |         }
25 |     </script>
26 | 	</head>
27 | 	<body onload=change_link()>
28 | 	<section class="ftco-section">
29 | 		<div class="container" style="max-width: 100%;">
30 | 			<div class="row justify-content-center">
31 | 				<div class="col-md-6 text-center mb-5">
32 | 					<h2 class="heading-section">Mini CTF</h2>
33 | 				</div>
34 | 			</div>
35 | 			<div class="row justify-content-center">
36 | 				<div class="container">
37 |     <form id="boardForm" name="boardForm" method="post">
38 |         <table class="table table-striped table-hover">
39 |             <thead>
40 |                 <tr>
41 |                     <th>번호</th>
42 |                     <th>문제</th>
43 |                     <th>링크</th>
44 |                     <th><center>풀이여부</center></th>
45 |                 </tr>
46 |             </thead>
47 |             <tbody>
48 |                 {% for i in c %}
49 |                     <tr>
50 |                         <td>{{i['seq']}}</td>
51 |                         <td>{{i['challenge']}}</td>
52 |                         <td><a id="link{{i['seq']}}" href="{{i['link']}}">{{i['link']}}</a></td>
53 |                         {% if i['solved'] == True %}
54 |                         <td><center>✅</center></td>
55 |                         {% else %}
56 |                         <td><center>❌</center></td>
57 |                         {% endif %}
58 |                     </tr>
59 |                 {% endfor %}
60 |             </tbody>
61 |         </table>
62 |         <center>
63 |         <div>
64 |             <a href='#' onClick='location.replace("/checkflag")' class="btn btn-danger">플래그제출</a>            
65 |             <a href='#' onClick='location.replace("/ranking")' class="btn btn-warning">랭킹</a>      
66 |             <a href='#' onClick='location.replace("/logout")' class="btn btn-info">로그아웃</a>            
67 |         </div>
68 |     	</center>
69 |         </form>
70 |     </div>
71 | 			</div>
72 | 		</div>
73 | 	</section>
74 | 
75 | 	<script src="/static/js/jquery.min.js"></script>
76 |   <script src="/static/js/popper.js"></script>
77 |   <script src="/static/js/bootstrap.min.js"></script>
78 |   <script src="/static/js/main.js"></script>
79 | 
80 | 	</body>
81 | </html>


--------------------------------------------------------------------------------
/app/templates/ranking.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 
14 | 	</head>
15 | 	<body onload=change_link()>
16 | 	<section class="ftco-section">
17 | 		<div class="container" style="max-width: 100%;">
18 | 			<div class="row justify-content-center">
19 | 				<div class="col-md-6 text-center mb-5">
20 | 					<h2 class="heading-section">Mini CTF</h2>
21 | 				</div>
22 | 			</div>
23 | 			<div class="row justify-content-center">
24 | 				<div class="container">
25 |     <form id="boardForm" name="boardForm" method="post">
26 |         <table class="table table-striped table-hover">
27 |             <thead>
28 |                 <tr>
29 |                     <th>순위</th>
30 |                     <th>아이디</th>
31 |                     <th>푼 문제</th>
32 |                 </tr>
33 |             </thead>
34 |             <tbody>
35 |                 {% for item in ids %}
36 |                     <tr>
37 |                         <td>{{ loop.index }}</td>
38 |                         <td>{{ item.keys()|first }}</td>
39 |                         <td>{{ (item.values()|first)['solved']|join(', ') }}</td>
40 |                     </tr>
41 |                 {% endfor %}
42 |             </tbody>
43 |         </table>
44 |         <center>
45 |         <div>
46 |             <a href='#' onClick='location.replace("/main")' class="btn btn-danger">메인</a>
47 |             <a href='#' onClick='location.replace("/logout")' class="btn btn-info">로그아웃</a>            
48 |         </div>
49 |     	</center>
50 |         </form>
51 |     </div>
52 | 			</div>
53 | 		</div>
54 | 	</section>
55 | 
56 | 	<script src="/static/js/jquery.min.js"></script>
57 |   <script src="/static/js/popper.js"></script>
58 |   <script src="/static/js/bootstrap.min.js"></script>
59 |   <script src="/static/js/main.js"></script>
60 | 
61 | 	</body>
62 | </html>


--------------------------------------------------------------------------------
/app/templates/register.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |   	<title>Mini CTF REGISTER</title>
 5 |     <meta charset="utf-8">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 7 | 
 8 | 	<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap" rel="stylesheet">
 9 | 
10 | 	<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
11 | 	
12 | 	<link rel="stylesheet" href="/static/css/style.css">
13 | 	<script>
14 | 		var msg = '{{ msg }}';
15 | 		if (msg != "false"){
16 | 			alert(msg);
17 | 		} 
18 | 	</script>
19 | 	</head>
20 | 	<body>
21 | 	<section class="ftco-section">
22 | 		<div class="container">
23 | 			<div class="row justify-content-center">
24 | 				<div class="col-md-6 text-center mb-5">
25 | 					<h2 class="heading-section">Mini CTF REGISTER</h2>
26 | 				</div>
27 | 			</div>
28 | 			<div class="row justify-content-center">
29 | 				<div class="col-md-7 col-lg-5">
30 | 					<div class="login-wrap p-4 p-md-5">
31 | 		      	<div class="icon d-flex align-items-center justify-content-center">
32 | 		      		<span class="fa fa-user-o"></span>
33 | 		      	</div>
34 | 		      	<h3 class="text-center mb-4">Register</h3>
35 | 				<form id="form1" method="POST" action="/register" enctype="multipart/form-data" class="login-form">
36 | 		      		<div class="form-group">
37 | 		      			<input type="text" class="form-control rounded-left" id="userid" name="userid" placeholder="Username" required>
38 | 		      		</div>
39 | 	            <div class="form-group d-flex">
40 | 	              <input type="password" class="form-control rounded-left" id="userpw" name="userpw" placeholder="Password" required>
41 | 	            </div>
42 | 	            <div class="form-group">
43 | 	            	<button type="submit" class="form-control btn btn-primary rounded submit px-3">Register</button>
44 | 	            </div>
45 | 	          </form>
46 | 	        </div>
47 | 				</div>
48 | 			</div>
49 | 		</div>
50 | 	</section>
51 | 
52 | 	<script src="/static/js/jquery.min.js"></script>
53 |   <script src="/static/js/popper.js"></script>
54 |   <script src="/static/js/bootstrap.min.js"></script>
55 |   <script src="/static/js/main.js"></script>
56 | 
57 | 	</body>
58 | </html>


--------------------------------------------------------------------------------
/app/users.json:
--------------------------------------------------------------------------------
1 | {
2 |     "arang": {
3 |         "password": "123123",
4 |         "solved": [],
5 |         "lastsolved": 1797214493
6 |     }
7 | }


--------------------------------------------------------------------------------
/app2/000-default.conf:
--------------------------------------------------------------------------------
 1 | <VirtualHost *:9200>
 2 |         # The ServerName directive sets the request scheme, hostname and port that
 3 |         # the server uses to identify itself. This is used when creating
 4 |         # redirection URLs. In the context of virtual hosts, the ServerName
 5 |         # specifies what hostname must appear in the request's Host: header to
 6 |         # match this virtual host. For the default virtual host (this file) this
 7 |         # value is not decisive as it is used as a last resort host regardless.
 8 |         # However, you must set it for any further virtual host explicitly.
 9 |         #ServerName www.example.com
10 | 
11 |         ServerAdmin webmaster@localhost
12 |         DocumentRoot /var/www/html
13 |         
14 |         # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
15 |         # error, crit, alert, emerg.
16 |         # It is also possible to configure the loglevel for particular
17 |         # modules, e.g.
18 |         #LogLevel info ssl:warn
19 | 
20 |         ErrorLog ${APACHE_LOG_DIR}/error.log
21 |         CustomLog ${APACHE_LOG_DIR}/access.log combined
22 | 
23 |         # For most configuration files from conf-available/, which are
24 |         # enabled or disabled at a global level, it is possible to
25 |         # include a line for only one particular virtual host. For example the
26 |         # following line enables the CGI configuration for this host only
27 |         # after it has been globally disabled with "a2disconf".
28 |         #Include conf-available/serve-cgi-bin.conf
29 | </VirtualHost>
30 | 
31 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet


--------------------------------------------------------------------------------
/app2/entrypoint.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | service apache2 start
3 | 


--------------------------------------------------------------------------------
/app2/html/dbconn.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | $host = "db";
 3 | $database = "fsi";
 4 | 
 5 | $sqli1_username = "sqli1";
 6 | $sqli1_password = "th1s_1s_user_p4ssw0rd";
 7 | 
 8 | $sqli2_username = "sqli2";
 9 | $sqli2_password = "th1s_1s_user_p4ssw0rd";
10 | 
11 | $sqli3_username = "sqli3";
12 | $sqli3_password = "th1s_1s_user_p4ssw0rd";
13 | 


--------------------------------------------------------------------------------
/app2/html/domclobbering.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | if(isset($_POST["url"])){
 3 |   $url = "http://arang_client:9000/run";
 4 |   $data = "url=$_POST[url]";
 5 | 
 6 |   $ch = curl_init();
 7 |   curl_setopt($ch, CURLOPT_URL,$url);
 8 |   curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
 9 |   curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 60);
10 |   curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
11 |   curl_setopt($ch, CURLOPT_POST, true);
12 | 
13 |   $response = curl_exec($ch);
14 |   echo $response;
15 |   curl_close($ch);
16 | } else {
17 |   function waf($input){
18 |     $t = strtolower($input);
19 |     if(preg_match("/script|on|frame|object|embed|data|&#|src|\/\/|'|\"|`|\*/",$t)){
20 |       return "";
21 |     } else {
22 |       return $input;
23 |     }
24 |   }
25 | ?>
26 | <html>
27 | <head>
28 | <title>Dom Clobbering Simple Chall!</title>
29 | <script>
30 | window.onload = ()=>{
31 |   if(!window.CLOB){
32 |     CLOB = {
33 |       isAdmin: false
34 |     }
35 |   }
36 |   
37 |   if(CLOB.isAdmin){
38 |     params = new URLSearchParams(location.search);
39 |     eval(params.get("c"));
40 |   }
41 | }
42 | </script>
43 | </head>
44 | <body>
45 | <form id="form" method="POST" action="/domclobbering.php">
46 |   <input type="text" hint="input url to bot visit" name="url">
47 |   <input type="submit" value="submit">
48 | </form>
49 | <?php
50 | if(isset($_GET["c"])){
51 |   echo waf($_GET["c"]);
52 | }else{
53 |   echo "Hello!";
54 | }
55 | ?>
56 | <br><br>
57 | <div id='flag'>
58 | <?php
59 | $flag = file_get_contents("/domclobbering_flag.txt");
60 | if($_SERVER['REMOTE_ADDR']==gethostbyname('arang_client')){
61 |   echo $flag;
62 | }
63 | ?>
64 | </div>
65 | </body>
66 | </html>
67 | <?php highlight_file(__FILE__); } ?>
68 | 
69 | 


--------------------------------------------------------------------------------
/app2/html/index.php:
--------------------------------------------------------------------------------
1 | <?php
2 | echo 1234;
3 | ?>


--------------------------------------------------------------------------------
/app2/html/prototype_pollution.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | if(isset($_POST["url"])){
 3 |   $url = "http://arang_client:9000/run";
 4 |   $data = "url=$_POST[url]";
 5 | 
 6 |   $ch = curl_init();
 7 |   curl_setopt($ch, CURLOPT_URL,$url);
 8 |   curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
 9 |   curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 60);
10 |   curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
11 |   curl_setopt($ch, CURLOPT_POST, true);
12 | 
13 |   $response = curl_exec($ch);
14 |   echo $response;
15 |   curl_close($ch);
16 | }
17 | ?>
18 | <html>
19 | <head>
20 | <title>Prototype Pollution Simple Chall!</title>
21 | <script>
22 | 
23 | function isObject(obj) {
24 |   return obj !== null && typeof obj === 'object';
25 | }
26 | 
27 | function merge(a, b) {
28 |   for (let key in b) {
29 |     if (isObject(a[key]) && isObject(b[key])) {
30 |       merge(a[key], b[key]);
31 |     } else {
32 |       a[key] = b[key];
33 |     }
34 |   }
35 |   return a;
36 | }
37 |  
38 | CLOB = {
39 |   'name':'arang'
40 | }
41 | 
42 | window.onload = ()=>{
43 |   params = new URLSearchParams(location.search);
44 |   c = JSON.parse(params.get("c"));
45 |   
46 |   merge(CLOB, c);
47 |   document.getElementById('name').innerText = `Hello ${CLOB.name}`;
48 |   
49 |   if(CLOB.isAdmin){
50 |     params = new URLSearchParams(location.search);
51 |     eval(CLOB.code);
52 |   }
53 | }
54 | </script>
55 | </head>
56 | <body>
57 | <form id="form" method="POST" action="/prototype_pollution.php">
58 |   <input type="text" hint="input url to bot visit" name="url">
59 |   <input type="submit" value="submit">
60 | </form>
61 | <div id='name'>
62 | </div>
63 | 
64 | <div id='flag'>
65 | <?php
66 | $flag = file_get_contents("/pp_flag.txt");
67 | if($_SERVER['REMOTE_ADDR']==gethostbyname('arang_client')){
68 |   echo $flag;
69 | }
70 | ?>
71 | </div>
72 | <br><br>
73 | </body>
74 | </html>
75 | <?php highlight_file(__FILE__);  ?>
76 | 
77 | 


--------------------------------------------------------------------------------
/app2/html/sqli1.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | include('dbconn.php');
 3 | 
 4 | if(isset($_GET["userid"]) && isset($_GET["userpw"])){
 5 | 	$mysqli = new mysqli($host, $sqli1_username, $sqli1_password, $database);
 6 | 
 7 | 	if ($mysqli->connect_error) {
 8 | 	    die("connection fail:" . $mysqli->connect_error);
 9 | 	}
10 | 
11 | 	$query = "SELECT userid FROM sqli1_table where userid='$_GET[userid]' and userpw='$_GET[userpw]'";
12 | 	$result = $mysqli->query($query);
13 | 	$userid = "";
14 | 	
15 | 	if ($result->num_rows > 0) {
16 | 	    while ($row = $result->fetch_assoc()) {
17 | 	        $userid = $row['userid'];
18 | 	    }
19 | 	}
20 | 	$mysqli->close();
21 | 
22 | 	if($userid == "admin"){
23 | 		echo file_get_contents('/sqli1_flag.txt');
24 | 	} else {
25 | 		echo $userid;
26 | 	}
27 | }
28 | ?>
29 | <br><br>
30 | <?php highlight_file(__FILE__); ?>
31 | 


--------------------------------------------------------------------------------
/app2/html/sqli2.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | include('dbconn.php');
 3 | 
 4 | function waf($input){
 5 | 	$t = strtolower($input);
 6 | 	if(preg_match("/or|union|admin|\||\&|\d|-|\\\\|\x09|\x0b|\x0c|\x0d|\x20|\//",$t)){
 7 | 		die('no hack..');
 8 | 	} else {
 9 | 		return $input;
10 | 	}
11 | }
12 | 
13 | if(isset($_GET["userid"]) && isset($_GET["userpw"])){
14 | 	$mysqli = new mysqli($host, $sqli2_username, $sqli2_password, $database);
15 | 
16 | 	if ($mysqli->connect_error) {
17 | 	    die("connection fail:" . $mysqli->connect_error);
18 | 	}
19 | 
20 | 	$uid = waf($_GET["userid"]);
21 | 	$upw = waf($_GET["userpw"]);
22 | 
23 | 	$query = "SELECT userid FROM sqli2_table where userid='$uid' and userpw='$upw'";
24 | 	$result = $mysqli->query($query);
25 | 	$userid = "";
26 | 	
27 | 	if ($result->num_rows > 0) {
28 | 	    while ($row = $result->fetch_assoc()) {
29 | 		    $userid = $row['userid'];
30 | 		    break;
31 | 	    }
32 | 	}
33 | 	$mysqli->close();
34 | 
35 | 	if($userid == "admin"){
36 | 		echo file_get_contents('/sqli2_flag.txt');
37 | 	} else {
38 | 		echo $userid;
39 | 	}
40 | }
41 | ?>
42 | <br><br>
43 | <?php highlight_file(__FILE__); ?>
44 | 


--------------------------------------------------------------------------------
/app2/html/sqli3.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | include('dbconn.php');
 3 | 
 4 | function waf($input){
 5 | 	$t = strtolower($input);
 6 | 	if(preg_match("/or|union|admin|\||\&|\d|-|\\\\|\x09|\x0b|\x0c|\x0d|\x20|\//",$t)){
 7 | 		die('no hack..');
 8 | 	} else {
 9 | 		return $input;
10 | 	}
11 | }
12 | 
13 | if(isset($_GET["userid"]) && isset($_GET["userpw"])){
14 | 	$mysqli = new mysqli($host, $sqli3_username, $sqli3_password, $database);
15 | 
16 | 	if ($mysqli->connect_error) {
17 | 	    die("connection fail:" . $mysqli->connect_error);
18 | 	}
19 | 
20 | 	$uid = waf($_GET["userid"]);
21 | 	$upw = waf($_GET["userpw"]);
22 | 
23 | 	$query = "SELECT userid FROM sqli3_table where userid='$uid' and userpw='$upw'";
24 | 	$result = $mysqli->query($query);
25 | 	$userid = "";
26 | 	
27 | 	if ($result->num_rows > 0) {
28 | 	    while ($row = $result->fetch_assoc()) {
29 | 	        $userid = $row['userid'];
30 | 		break;
31 | 	    }
32 | 	}
33 | 	$mysqli->close();
34 | 
35 | 	if($userid == "admin"){
36 | 		echo "Hello admin";
37 | 	} else {
38 | 		echo $userid;
39 | 	}
40 | }
41 | ?>
42 | <br><br>
43 | <?php highlight_file(__FILE__); ?>
44 | 


--------------------------------------------------------------------------------
/app2/ports.conf:
--------------------------------------------------------------------------------
 1 | # If you just change the port or add more ports here, you will likely also
 2 | # have to change the VirtualHost statement in
 3 | # /etc/apache2/sites-enabled/000-default.conf
 4 | 
 5 | Listen 9200
 6 | 
 7 | <IfModule ssl_module>
 8 |         Listen 443
 9 | </IfModule>
10 | 
11 | <IfModule mod_gnutls.c>
12 |         Listen 443
13 | </IfModule>
14 | 
15 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet


--------------------------------------------------------------------------------
/app3/000-default.conf:
--------------------------------------------------------------------------------
 1 | <VirtualHost *:9201>
 2 |         # The ServerName directive sets the request scheme, hostname and port that
 3 |         # the server uses to identify itself. This is used when creating
 4 |         # redirection URLs. In the context of virtual hosts, the ServerName
 5 |         # specifies what hostname must appear in the request's Host: header to
 6 |         # match this virtual host. For the default virtual host (this file) this
 7 |         # value is not decisive as it is used as a last resort host regardless.
 8 |         # However, you must set it for any further virtual host explicitly.
 9 |         #ServerName www.example.com
10 | 
11 |         ServerAdmin webmaster@localhost
12 |         DocumentRoot /var/www/html
13 |         
14 |         # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
15 |         # error, crit, alert, emerg.
16 |         # It is also possible to configure the loglevel for particular
17 |         # modules, e.g.
18 |         #LogLevel info ssl:warn
19 | 
20 |         ErrorLog ${APACHE_LOG_DIR}/error.log
21 |         CustomLog ${APACHE_LOG_DIR}/access.log combined
22 | 
23 |         # For most configuration files from conf-available/, which are
24 |         # enabled or disabled at a global level, it is possible to
25 |         # include a line for only one particular virtual host. For example the
26 |         # following line enables the CGI configuration for this host only
27 |         # after it has been globally disabled with "a2disconf".
28 |         #Include conf-available/serve-cgi-bin.conf
29 | </VirtualHost>
30 | 
31 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet


--------------------------------------------------------------------------------
/app3/entrypoint.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | service apache2 start


--------------------------------------------------------------------------------
/app3/html/index.php:
--------------------------------------------------------------------------------
1 | <?php
2 | echo 1234;
3 | ?>


--------------------------------------------------------------------------------
/app3/html/lfi1.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | # flag is at lfiflag.php
 3 |     if(!isset($_GET["p"])){
 4 |     	include 'index.php';
 5 |     } else {
 6 |     	include $_GET["p"];
 7 |     }
 8 | ?>
 9 | <br><br>
10 | <?php highlight_file(__FILE__); ?>
11 | 


--------------------------------------------------------------------------------
/app3/html/lfi2.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 |     session_start();
 3 |     # get flag to run /readflag binary
 4 |     if(!isset($_GET["p"])){
 5 |     	include 'index.php';
 6 |     } else {
 7 |         $_SESSION["p"] = $_GET["p"];
 8 |     	include $_GET["p"];
 9 |     }
10 | ?>
11 | <br><br>
12 | <?php highlight_file(__FILE__); ?>
13 | 


--------------------------------------------------------------------------------
/app3/html/lfiflag.php:
--------------------------------------------------------------------------------
1 | <?php
2 | $flag = "flag{[REDACTED]}";


--------------------------------------------------------------------------------
/app3/ports.conf:
--------------------------------------------------------------------------------
 1 | # If you just change the port or add more ports here, you will likely also
 2 | # have to change the VirtualHost statement in
 3 | # /etc/apache2/sites-enabled/000-default.conf
 4 | 
 5 | Listen 9201
 6 | 
 7 | <IfModule ssl_module>
 8 |         Listen 443
 9 | </IfModule>
10 | 
11 | <IfModule mod_gnutls.c>
12 |         Listen 443
13 | </IfModule>
14 | 
15 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet


--------------------------------------------------------------------------------
/app4/app.py:
--------------------------------------------------------------------------------
 1 | #-*-coding:utf-8-*-
 2 | import flask
 3 | import os, subprocess
 4 | 
 5 | app = flask.Flask(__name__)
 6 | app.secret_key = os.urandom(16)
 7 | app.config['MAX_CONTENT_LENGTH'] = 80 * 1024 * 1024
 8 | 
 9 | @app.route("/")
10 | def index():
11 | 	if "cmd" not in flask.request.args:
12 | 		with open("app.py","r") as f:
13 | 			content = f.read()
14 | 		return content
15 | 	else:
16 | 		cmd = flask.request.args["cmd"]
17 | 		p = subprocess.run(cmd, shell=True, stdout=subprocess.PIPE, text=True)
18 | 		return "!"
19 | 
20 | 
21 | if __name__ == "__main__":
22 | 	try:
23 | 		app.run(host="0.0.0.0", port=9301, debug=True)
24 | 	except Exception as ex:
25 | 		logging.info(str(ex))
26 | 		pass
27 | 


--------------------------------------------------------------------------------
/app4/entrypoint.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | python3 /app4/app.py&


--------------------------------------------------------------------------------
/app5/app.py:
--------------------------------------------------------------------------------
 1 | #-*-coding:utf-8-*-
 2 | import flask
 3 | import os, subprocess
 4 | 
 5 | app = flask.Flask(__name__)
 6 | app.secret_key = os.urandom(16)
 7 | app.config['MAX_CONTENT_LENGTH'] = 80 * 1024 * 1024
 8 | 
 9 | @app.route("/")
10 | def index():
11 | 	if "name" in flask.request.args:
12 | 		template =f'''
13 | 		<h2> hello {flask.request.args['name']}! </h2>
14 | 		'''
15 | 		return flask.render_template_string(template)
16 | 	else:
17 | 		template = '''
18 | 		<h2> hello noname............ </h2>
19 | 		'''
20 | 		return flask.render_template_string(template)
21 | 
22 | 
23 | if __name__ == "__main__":
24 | 	try:
25 | 		app.run(host="0.0.0.0", port=9302, debug=True)
26 | 	except Exception as ex:
27 | 		logging.info(str(ex))
28 | 		pass
29 | 


--------------------------------------------------------------------------------
/app5/entrypoint.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | python3 /app5/app.py&


--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
 1 | version: "3"
 2 | services:
 3 |   arang_client:
 4 |     build: ./docker/flask/
 5 |     container_name: arang_client
 6 |     volumes:
 7 |       - ./app:/app
 8 |     stdin_open: true
 9 |     environment:
10 |       LC_ALL: C.UTF-8
11 |     tty: true
12 |     ports:
13 |       - "9001-9100:9001-9100"
14 |       
15 |   arang_client2:
16 |     build: ./docker/php/
17 |     container_name: arang_client2
18 |     volumes:
19 |       - ./app2/:/app2
20 |       - ./app2/html/:/var/www/html/
21 |       - ./app2/ports.conf:/etc/apache2/ports.conf
22 |       - ./app2/000-default.conf:/etc/apache2/sites-enabled/000-default.conf
23 |     stdin_open: true
24 |     environment:
25 |       LC_ALL: C.UTF-8
26 |     tty: true
27 |     ports:
28 |       - "9200:9200"
29 | 
30 |   arang_client3:
31 |     build: ./docker/php2/
32 |     container_name: arang_client3
33 |     volumes:
34 |       - ./app3/:/app3
35 |       - ./app3/html/:/var/www/html/
36 |       - ./app3/ports.conf:/etc/apache2/ports.conf
37 |       - ./app3/000-default.conf:/etc/apache2/sites-enabled/000-default.conf
38 |     stdin_open: true
39 |     environment:
40 |       LC_ALL: C.UTF-8
41 |     tty: true
42 |     ports:
43 |       - "9201:9201"
44 | 
45 |   arang_client4:
46 |     build: ./docker/flask2/
47 |     container_name: arang_client4
48 |     volumes:
49 |       - ./app4/:/app4
50 |     stdin_open: true
51 |     environment:
52 |       LC_ALL: C.UTF-8
53 |     tty: true
54 |     ports:
55 |       - "9301:9301"
56 | 
57 |   arang_client5:
58 |     build: ./docker/flask3/
59 |     container_name: arang_client5
60 |     volumes:
61 |       - ./app5/:/app5
62 |     stdin_open: true
63 |     environment:
64 |       LC_ALL: C.UTF-8
65 |     tty: true
66 |     ports:
67 |       - "9302:9302"
68 | 
69 |   db:
70 |     build: ./docker/mysql
71 |     container_name: mysql-db
72 |     environment:
73 |       MYSQL_ROOT_PASSWORD: "mysq1_r00t_p4ssw0rd_d0_n0t_cr4ck_th1s"
74 |     volumes:
75 |       - "./mysql/:/docker-entrypoint-initdb.d/"
76 |     command: mysqld --innodb-buffer-pool-size=16M --character-set-server=utf8 --collation-server=utf8_general_ci


--------------------------------------------------------------------------------
/docker/flask/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM ubuntu:20.04
 2 | WORKDIR /app
 3 | RUN apt-get update -y 
 4 | RUN apt-get install -y curl unzip gnupg xvfb libxi6 libgconf-2-4 default-jdk wget software-properties-common
 5 | RUN wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add -
 6 | RUN echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list
 7 | RUN apt-get update -y && apt-get install -y google-chrome-stable
 8 | RUN apt-get install -y python3-pip python3-dev build-essential libcurl4-openssl-dev libssl-dev git
 9 | RUN apt-get install -y net-tools
10 | RUN apt-get install -y procps
11 | RUN pip3 install pycurl pymysql flask requests selenium
12 | RUN pip3 install git+https://github.com/SergeyPirogov/webdriver_manager
13 | 
14 | ENV admin_password [redacted]
15 | 
16 | ENV xss1_flag flag{[redacted]}
17 | ENV xss2_flag flag{[redacted]}
18 | ENV xss3_flag flag{[redacted]}
19 | ENV csrf1_flag flag{[redacted]}
20 | ENV csrf2_flag flag{[redacted]}
21 | ENV xsleak_flag flag{[redacted]}
22 | 
23 | 
24 | ENTRYPOINT /app/entrypoint.sh && /bin/bash
25 | CMD ["true"]
26 | 


--------------------------------------------------------------------------------
/docker/flask2/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM ubuntu:20.04
 2 | WORKDIR /app4
 3 | RUN apt-get update -y 
 4 | RUN apt-get install -y curl unzip gnupg xvfb libxi6 libgconf-2-4 default-jdk wget software-properties-common
 5 | RUN apt-get install -y python3-pip python3-dev build-essential libcurl4-openssl-dev libssl-dev
 6 | RUN apt-get install -y net-tools vim procps
 7 | RUN pip3 install pycurl flask requests
 8 | 
 9 | COPY flags/command_injection_flag.txt /command_injection_flag.txt
10 | RUN chmod 444 /command_injection_flag.txt
11 | 
12 | RUN groupadd -g 999 user
13 | RUN useradd -r -u 999 -g user user
14 | USER user
15 | RUN python3 /app4/app.py&
16 | 
17 | ENTRYPOINT /app4/entrypoint.sh && /bin/bash
18 | CMD ["true"]
19 | 


--------------------------------------------------------------------------------
/docker/flask2/flags/command_injection_flag.txt:
--------------------------------------------------------------------------------
1 | flag{[REDACTED]}


--------------------------------------------------------------------------------
/docker/flask3/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM ubuntu:20.04
 2 | WORKDIR /app5
 3 | RUN apt-get update -y 
 4 | RUN apt-get install -y curl unzip gnupg xvfb libxi6 libgconf-2-4 default-jdk wget software-properties-common
 5 | RUN apt-get install -y python3-pip python3-dev build-essential libcurl4-openssl-dev libssl-dev
 6 | RUN apt-get install -y net-tools vim procps
 7 | RUN pip3 install pycurl flask requests
 8 | 
 9 | COPY flags/ssti_flag.txt /ssti_flag.txt
10 | RUN chmod 444 /ssti_flag.txt
11 | 
12 | RUN groupadd -g 999 user
13 | RUN useradd -r -u 999 -g user user
14 | USER user
15 | RUN python3 /app5/app.py&
16 | 
17 | ENTRYPOINT /app5/entrypoint.sh && /bin/bash
18 | CMD ["true"]
19 | 


--------------------------------------------------------------------------------
/docker/flask3/flags/ssti_flag.txt:
--------------------------------------------------------------------------------
1 | flag{[REDACTED]}


--------------------------------------------------------------------------------
/docker/mysql/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM mysql:5.7


--------------------------------------------------------------------------------
/docker/php/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM php:8.2-apache-bullseye
 2 | WORKDIR /app2
 3 | RUN apt-get update -y 
 4 | RUN apt-get install -y curl unzip gnupg xvfb libxi6 libgconf-2-4 default-jdk wget software-properties-common
 5 | RUN apt-get install -y python3-pip python3-dev build-essential libcurl4-openssl-dev libssl-dev git
 6 | RUN apt-get install -y net-tools
 7 | RUN apt-get install -y procps
 8 | RUN docker-php-ext-install mysqli
 9 | 
10 | COPY flags/domclobbering_flag.txt /domclobbering_flag.txt
11 | RUN chmod 444 /domclobbering_flag.txt
12 | 
13 | COPY flags/sqli1_flag.txt /sqli1_flag.txt
14 | RUN chmod 444 /sqli1_flag.txt
15 | 
16 | COPY flags/sqli2_flag.txt /sqli2_flag.txt
17 | RUN chmod 444 /sqli2_flag.txt
18 | 
19 | COPY flags/pp_flag.txt /pp_flag.txt
20 | RUN chmod 444 /pp_flag.txt
21 | 
22 | RUN groupadd -g 999 user
23 | RUN useradd -r -u 999 -g user user
24 | USER user
25 | 
26 | ENTRYPOINT /app2/entrypoint.sh && /bin/bash
27 | CMD ["true"]
28 | 


--------------------------------------------------------------------------------
/docker/php/flags/domclobbering_flag.txt:
--------------------------------------------------------------------------------
1 | flag{[REDACTED]}
2 | 


--------------------------------------------------------------------------------
/docker/php/flags/pp_flag.txt:
--------------------------------------------------------------------------------
1 | flag{[REDACTED]}


--------------------------------------------------------------------------------
/docker/php/flags/sqli1_flag.txt:
--------------------------------------------------------------------------------
1 | flag{[REDACTED]}
2 | 


--------------------------------------------------------------------------------
/docker/php/flags/sqli2_flag.txt:
--------------------------------------------------------------------------------
1 | flag{[REDACTED]}
2 | 


--------------------------------------------------------------------------------
/docker/php2/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM php:8.2-apache-bullseye
 2 | WORKDIR /app3
 3 | RUN apt-get update -y 
 4 | RUN apt-get install -y curl unzip gnupg xvfb libxi6 libgconf-2-4 default-jdk wget software-properties-common
 5 | RUN apt-get install -y python3-pip python3-dev build-essential libcurl4-openssl-dev libssl-dev git gcc
 6 | RUN apt-get install -y net-tools procps vim
 7 | COPY flags/readflag.c /app3/readflag.c
 8 | RUN gcc -o /readflag /app3/readflag.c
 9 | RUN chmod 111 /readflag
10 | 
11 | RUN groupadd -g 999 user
12 | RUN useradd -r -u 999 -g user user
13 | USER user
14 | 
15 | ENTRYPOINT /app3/entrypoint.sh && /bin/bash
16 | CMD ["true"]
17 | 


--------------------------------------------------------------------------------
/docker/php2/flags/readflag.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 | #include <stdlib.h>
3 | 
4 | int main(int argc, char* argv[]){
5 |     puts("flag{[REDACTED]}");
6 | }


--------------------------------------------------------------------------------
/mysql/init.sql:
--------------------------------------------------------------------------------
 1 | SET collation_connection = 'utf8_general_ci';
 2 | 
 3 | #drop database fsi;
 4 | create database fsi;
 5 | ALTER DATABASE fsi CHARACTER SET utf8 COLLATE utf8_general_ci;
 6 | 
 7 | use fsi;
 8 | 
 9 | #drop table sqli1_table;
10 | 
11 | create user 'sqli1'@'%' identified by '[REDACTED]';
12 | create user 'sqli2'@'%' identified by '[REDACTED]';
13 | create user 'sqli3'@'%' identified by '[REDACTED]';
14 | 
15 | create table sqli1_table(
16 | 	userseq int not null auto_increment primary key,
17 | 	userid varchar(50) not null, 
18 | 	userpw varchar(255) not null
19 | );
20 | 
21 | create table sqli2_table(
22 | 	userseq int not null auto_increment primary key,
23 | 	userid varchar(50) not null, 
24 | 	userpw varchar(255) not null
25 | );
26 | 
27 | create table sqli3_table(
28 | 	userseq int not null auto_increment primary key,
29 | 	userid varchar(50) not null, 
30 | 	userpw varchar(255) not null
31 | );
32 | 
33 | 
34 | ALTER TABLE sqli1_table CONVERT TO CHARACTER SET utf8 COLLATE utf8_general_ci;
35 | ALTER TABLE sqli2_table CONVERT TO CHARACTER SET utf8 COLLATE utf8_general_ci;
36 | ALTER TABLE sqli3_table CONVERT TO CHARACTER SET utf8 COLLATE utf8_general_ci;
37 | 
38 | insert into sqli1_table (userid, userpw) values ("guest","guest"), ("admin", "[REDACTED]"); 
39 | insert into sqli2_table (userid, userpw) values ("guest","guest"), ("admin", "[REDACTED]"); 
40 | insert into sqli3_table (userid, userpw) values ("guest","guest"), ("admin", "flag{[REDACTED]}"); 
41 | 
42 | grant select on fsi.sqli1_table to 'sqli1'@'%';
43 | grant select on fsi.sqli2_table to 'sqli2'@'%';
44 | grant select on fsi.sqli3_table to 'sqli3'@'%';
45 | 
46 | 
47 | flush privileges;


--------------------------------------------------------------------------------