add proj form hcamael

vidar-team · Dec 8, 2015 · 478bd2a · 478bd2a
1 parent 018c722
commit 478bd2a
Show file tree

Hide file tree

Showing 21 changed files with 1,110 additions and 0 deletions.
diff --git a/Black-Eat-Black/README.md b/Black-Eat-Black/README.md
@@ -0,0 +1,7 @@
+## Black Eat black
+
+by Hcameal
+
+一开始是DNS劫持，劫持到题目服务器，通过nmap扫描得知三个filtered端口，然后通过修改host，127.0.0.1:4444进入内网的gayhub gayhub可任意文件读取，读取到/etc/passwd，得知要getshell，然后通过文件可上传到上级目录的漏洞，把自己的公钥传到/home/hctf2015/.ssh/authorized_keys 然后getshell
+
+//详情请见 http://lazysheep.cc
diff --git a/...b-299-master-a0d616024f3064661be0016daf5a9312b4fc108d/indexjasldkfjasdofpasdfjlkasfdja.py b/...b-299-master-a0d616024f3064661be0016daf5a9312b4fc108d/indexjasldkfjasdofpasdfjlkasfdja.py
@@ -0,0 +1,228 @@
+#!/usr/bin/env python
+#-*- coding:utf-8 -*-
+
+import StringIO
+import otherfjklsdafjodipvjalkdffasfd as other
+import os
+import time
+import string, random, hashlib
+from flask import Flask
+from flask import render_template
+from flask import request
+from flask import session
+from flask import jsonify
+from flask import abort
+from flask import Response
+
+
+app = Flask(__name__)
+app.config['MAX_CONTENT_LENGTH'] = 200 * 1024
+key = string.ascii_letters
+#app.secret_key = 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT'
+#app.debug=True
+
+# 自定义404页面
+@app.errorhandler(404)
+def internal_error(error):
+    return render_template('404.html'), 404
+
+# 两个主页路由, 伪装成php
+@app.route('/')
+def index():
+	return render_template('index.html')
+
+@app.route('/index.php')
+def index2():
+	return render_template('index.html')
+
+# 验证码获取
+@app.route('/code')
+def code():
+	try:
+		code_img,strs = other.create_validate_code() 
+		buf = StringIO.StringIO() 
+		code_img.save(buf,'JPEG',quality=70) 
+		buf_str = buf.getvalue()
+		h = {'Content-Type': 'image/jpeg'} 
+		response = Response(buf_str, headers=h)
+		#response = app.make_response(buf_str)  
+		#response.headers['Content-Type'] = 'image/jpeg'  
+		session['code'] = strs
+		return response  
+	except(Exception) as s:
+		print s
+		return 'Hacked by Hcamael', 404
+
+# 登录路由
+@app.route('/login', methods=['POST', 'GET'])
+def login():
+	if request.method == 'GET':
+		try:
+			token = get_token()
+			return render_template('login.html', token = token)
+		except(Exception) s:
+			print s
+			return "Hacked by Hcamael", 404
+	if request.method == 'POST':
+		form_list = ('user', 'pass', 'code')
+		f = request.form
+		try:
+			e, s = other.check(f, form_list)
+		except(Exception) as s:
+			print s
+			return "Hacked by Hcamael", 404
+		if not e:
+			return jsonify(error=1, info=s)
+		if f['code'] != session['code']:
+			return jsonify(error=2, info="验证码输入错误!")
+		try:
+			if f['token'] != session['token']:
+				return ""
+		except:
+			return ""
+		try:
+			ee, ss = other.ceruser(f)
+		except(Exception) as s:
+			print s
+			return "Hacked by Hcamael", 404
+		if ee:
+			session['user'] = f['user']
+			session['path'] = "./static/upload/"+f['user']
+			return jsonify(error=0, info=ss)
+		else:
+			return jsonify(error=1, info=ss)
+
+
+# 注册路由
+@app.route('/register', methods=['POST', 'GET'])
+def register():
+	if request.method == 'GET':
+		try:
+			token = get_token()
+			return render_template('register.html', token = token)
+		except(Exception) as s:
+			print s
+			return "Hacked by Hcamael", 404
+	if request.method == 'POST':
+		# 需要接收的参数
+		form_list = ('user', 'pass', 'repass', 'code')
+		f = request.form
+		try:
+			e, s = other.check(f, form_list)
+		except(Exception) as s:
+			print s
+			return "leisile!", 404
+		if not e:
+			return jsonify(error=1, info=s)
+		if f['code'] != session['code']:
+			return jsonify(error=2, info="验证码输入错误!")
+		try:
+			if f['token'] != session['token']:
+				return ""
+		except:
+			return ""
+		# 检查完成, 插入数据
+		try:
+			ee, ss = other.adduser(f)
+		except(Exception) as s:
+			print s
+			return "lei!", 404
+		if ee:	
+			return jsonify(error=0, info=ss)
+		else:
+			return jsonify(error=1, info=ss)
+
+# 退出登录
+@app.route('/logout')
+def logout():
+	try:
+		del session['user']
+		del session['path']
+		return "<script>self.location.href='/'</script>"
+	except:
+		return "<script>self.location.href='/'</script>"
+
+# 用户主页
+@app.route('/<name>')
+def user(name):
+	if 'user' not in session or name != session['user']:
+		abort(404)
+	if 'path' not in session or not os.path.isdir(session['path']):
+		abort(404)
+	data = {}
+	try:
+		token = get_token()
+		dire = "static/upload/" + name + "/"
+		data = file_info(dire)
+		return render_template('user.html',name=name ,data = data, token=token)
+	except(Exception) as s:
+		print s
+		return "leileilei!", 404
+
+# 查看文件
+@app.route('/<name>/uploadfile/<path:filename>')
+def filen(name, filename):
+	if 'user' not in session or name != session['user']:
+		abort(404)
+	if 'path' not in session or not os.path.isdir(session['path']):
+		abort(404)
+	try:
+		with open("./static/upload/%s/%s" % (name, filename), "rb") as f:
+			content=f.read()
+	except:
+		return ""
+	return content
+# 文件上传
+@app.route('/<name>/upload', methods=['POST',])
+def upload(name):
+	if 'user' not in session or name != session['user']:
+		abort(404)
+	if 'path' not in session or not os.path.isdir(session['path']):
+		abort(404)
+	if request.method == 'POST':
+		try:
+			if request.form['code'] != session['code']:
+				return "<script>alert('验证码错误!');history.back();</script>"
+			if request.form['token'] != session['token']:
+				return ""
+		except:
+			return "1"
+
+		f = request.files['file']
+		try:
+			f.save("./static/upload/%s"%name+"/"+f.filename)
+		except:
+			return "<script>alert('Upload Fail!');history.back();</script>"	
+		return "<script>alert('Upload Success!');history.back();</script>"
+	else:
+		return "2"
+
+# 获取用户文件信息
+def file_info(dire):
+	data = {}
+	fi = os.listdir(dire)
+	for x in range(len(fi)):
+		data[x] = {}
+		data[x]['name'] = fi[x]
+		size = os.path.getsize(dire+fi[x])
+		ctime = os.path.getctime(dire+fi[x])
+		atime = os.path.getatime(dire+fi[x])
+		data[x]['size'] = size
+		ctime = time.strftime('%Y-%m-%d %H:%M:%S',time.localtime(ctime))
+		atime = time.strftime('%Y-%m-%d %H:%M:%S',time.localtime(atime))
+		data[x]['ctime'] = ctime
+		data[x]['atime'] = atime
+	return data
+
+
+# csrf_token生成
+def get_token():
+	token = "".join(x for x in random.sample(key,7))
+	token = hashlib.md5(token).hexdigest()
+	session['token'] = token
+	return token
+
+
+if __name__ == '__main__':
+	app.secret_key = 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT'
+	app.run(debug=True, host="127.0.0.1", port=11111, threaded=True)
diff --git a/...web-299-master-a0d616024f3064661be0016daf5a9312b4fc108d/otherfjklsdafjodipvjalkdffasfd.py b/...web-299-master-a0d616024f3064661be0016daf5a9312b4fc108d/otherfjklsdafjodipvjalkdffasfd.py
@@ -0,0 +1,116 @@
+#!/usr/bin/env python
+#-*- coding:utf-8 -*-
+
+from PIL import Image, ImageDraw, ImageFont, ImageFilter
+import random
+import os
+import json
+
+def ceruser(info):
+	filen = "./userHCTF/"+info['user']
+	if checkuser(filen):
+		try:
+			cer = json.load(open(filen,"r"))
+		except:
+			return (0, "登录失败!")
+		if ('user' and 'pass') not in cer or info['user'] != cer['user'] or info['pass'] != cer['pass']:
+			return (0, "用户名或密码输入失败!")
+		return (1, "登录成功")
+	return (0, "用户名或密码输入失败!")
+
+
+def adduser(info):
+	data = {"user":info['user'], "pass":info['pass']}
+	filen = "./userHCTF/"+info['user']
+	if not checkuser(filen):
+		try:
+			json.dump(data, open(filen, "w"))
+			os.mkdir("./static/upload/"+info['user'])
+			return (1, "注册成功!")
+		except:
+			return (0, "注册失败!")
+	else:
+		return (0, "用户已存在!")
+
+def checkuser(user):
+	return os.path.isfile(user)
+
+info = {"user":"请输入用户名!", "pass":"请输入密码!", "repass":"请再次输入密码!", "code":"请输入验证码!"}
+def check(form, var):
+	# 检查相应的变量是否都有
+	for x in var:
+		if x in form:
+			# 检查变量是否为空
+			if form[x] == "":
+				return (0, info[x])
+		else:
+			return (0, info[x])
+
+	# 检查两次密码是否相等
+	if 'repass' in var:
+		if form['pass'] != form['repass']:
+			return (0, "两次密码不相等!")
+	return (1, "")
+
+numbers = ''.join(map(str, range(10)))
+chars = ''.join((numbers))
+def create_validate_code(
+	size=(120, 30), 
+	chars=chars, 
+	mode="RGB", 
+	bg_color=(255, 255, 255), 
+	fg_color=(255, 0, 0), 
+	font_size=18, 
+	font_type="./static/fonts/micross.ttf", 
+	length=4, 
+	draw_points=True, 
+	point_chance = 2): 
+	'''''
+	size: 图片的大小，格式（宽，高），默认为(120, 30)
+	chars: 允许的字符集合，格式字符串
+	mode: 图片模式，默认为RGB
+ 	bg_color: 背景颜色，默认为白色
+	fg_color: 前景色，验证码字符颜色
+ 	font_size: 验证码字体大小
+	font_type: 验证码字体，默认为 Monaco.ttf
+	length: 验证码字符个数
+	draw_points: 是否画干扰点
+	point_chance: 干扰点出现的概率，大小范围[0, 50]
+	''' 
+
+	width, height = size 
+	img = Image.new(mode, size, bg_color) # 创建图形 
+	draw = ImageDraw.Draw(img) # 创建画笔 
+
+	def get_chars(): 
+		'''''生成给定长度的字符串，返回列表格式''' 
+		return random.sample(chars, length) 
+
+	def create_points(): 
+		'''''绘制干扰点''' 
+		chance = min(50, max(0, int(point_chance))) # 大小限制在[0, 50] 
+		for w in xrange(width): 
+			for h in xrange(height): 
+				tmp = random.randint(0, 50) 
+				if tmp > 50 - chance: 
+					draw.point((w, h), fill=(0, 0, 0)) 
+
+	def create_strs(): 
+		'''''绘制验证码字符''' 
+		c_chars = get_chars() 
+		strs = '%s' % ''.join(c_chars) 
+		font = ImageFont.truetype(font_type, font_size) 
+		font_width, font_height = font.getsize(strs) 
+		draw.text(((width - font_width) / 3, (height - font_height) / 4), 
+		strs, font=font, fill=fg_color) 
+		return strs 
+
+	if draw_points: 
+		create_points() 
+		strs = create_strs() 
+
+	# 图形扭曲参数 
+	params = [1 - float(random.randint(1, 2)) / 100, 0, 0, 0, 1 - float(random.randint(1, 10)) / 100, float(random.randint(1, 2)) / 500, 0.001, float(random.randint(1, 2)) / 500 ] 
+	img = img.transform(size, Image.PERSPECTIVE, params) # 创建扭曲 
+	img = img.filter(ImageFilter.EDGE_ENHANCE_MORE) # 滤镜，边界加强（阈值更大） 
+	return img,strs
diff --git a/...eb-299-master-a0d616024f3064661be0016daf5a9312b4fc108d/otherfjklsdafjodipvjalkdffasfd.pyc b/...eb-299-master-a0d616024f3064661be0016daf5a9312b4fc108d/otherfjklsdafjodipvjalkdffasfd.pyc
diff --git a/...mael-web-299-master-a0d616024f3064661be0016daf5a9312b4fc108d/static/css/bootstrap.min.css b/...mael-web-299-master-a0d616024f3064661be0016daf5a9312b4fc108d/static/css/bootstrap.min.css
diff --git a/.../Hcamael-web-299-master-a0d616024f3064661be0016daf5a9312b4fc108d/static/fonts/micross.ttf b/.../Hcamael-web-299-master-a0d616024f3064661be0016daf5a9312b4fc108d/static/fonts/micross.ttf
diff --git a/...el-web-299-master-a0d616024f3064661be0016daf5a9312b4fc108d/static/js/jquery-1.11.3.min.js b/...el-web-299-master-a0d616024f3064661be0016daf5a9312b4fc108d/static/js/jquery-1.11.3.min.js
diff --git a/...99-master-a0d616024f3064661be0016daf5a9312b4fc108d/static/js/jquery.particleground.min.js b/...99-master-a0d616024f3064661be0016daf5a9312b4fc108d/static/js/jquery.particleground.min.js