add web400-10 hitcon 2018

web400-10/Dockerfile

@@ -0,0 +1,14 @@
+FROM ubuntu:16.04
+
+RUN sed -i 's/archive.ubuntu.com/mirrors.ustc.edu.cn/g' /etc/apt/sources.list
+
+RUN apt-get -y update && \ 
+    apt-get install -y python python-dev python-pip 
+COPY  ./src /src
+
+WORKDIR /src
+RUN pip install -r requirements.txt
+
+EXPOSE 8080  
+
+CMD ["python","app.py"]

web400-10/src/app.py

@@ -0,0 +1,101 @@
+# coding: UTF-8
+import os
+import web
+import urllib
+import urlparse
+from Crypto.Cipher import DES
+
+web.config.debug = False
+ENCRPYTION_KEY = 'megnnaro'
+
+
+urls = (
+    '/', 'index'
+)
+app = web.application(urls, globals())
+db = web.database(dbn='sqlite', db='db.db')
+
+
+def encrypt(s):
+    length = DES.block_size - (len(s) % DES.block_size)
+    s = s + chr(length)*length
+
+    cipher = DES.new(ENCRPYTION_KEY, DES.MODE_ECB)
+    return cipher.encrypt(s).encode('hex')
+
+def decrypt(s):
+    try:
+        data = s.decode('hex')
+        cipher = DES.new(ENCRPYTION_KEY, DES.MODE_ECB)
+
+        data = cipher.decrypt(data)
+        data = data[:-ord(data[-1])]
+        return dict(urlparse.parse_qsl(data))
+    except Exception as e:
+        print e.message
+        return {}
+
+def get_posts(limit=None):
+    records = []
+    for i in db.select('posts', limit=limit, order='ups desc'):
+        tmp = {
+            'm': 'r', 
+            't': i.title.encode('utf-8', 'ignore'), 
+            'u': i.id, 
+        } 
+        tmp['param'] = encrypt(urllib.urlencode(tmp))
+        tmp['ups'] = i.ups
+        if i.file:
+            tmp['file'] = encrypt(urllib.urlencode({'m': 'd', 'f': i.file}))
+        else:
+            tmp['file'] = ''
+
+        records.append( tmp )
+    return records
+
+def get_urls():
+    urls = []
+    for i in [10, 100, 1000]:
+        data = {
+            'm': 'p', 
+            'l': i
+        }
+        urls.append( encrypt(urllib.urlencode(data)) )
+    return urls
+
+class index:
+    def GET(self):
+        s = web.input().get('s')
+        if not s:
+            return web.template.frender('templates/index.html')(get_posts(), get_urls())
+        else:
+            s = decrypt(s)
+            method = s.get('m', '')
+            if method and method not in list('rdp'):
+                return 'param error'
+            if method == 'r':
+                uid = s.get('u')
+                record = db.select('posts', where='id=$id', vars={'id': uid}).first()
+                if record:
+                    raise web.seeother(record.url)
+                else:
+                    return 'not found'
+            elif method == 'd':
+                file = s.get('f')
+                if not os.path.exists(file):
+                    return 'not found'
+                name = os.path.basename(file)
+                web.header('Content-Disposition', 'attachment; filename=%s' % name)
+                web.header('Content-Type', 'application/pdf')
+                with open(file, 'rb') as fp:
+                    data = fp.read()
+                return data
+            elif method == 'p':
+                limit = s.get('l')
+                return web.template.frender('templates/index.html')(get_posts(limit), get_urls())
+            else:
+                return web.template.frender('templates/index.html')(get_posts(), get_urls())
+
+
+if __name__ == "__main__":
+    app.run()

web400-10/src/requirements.txt

@@ -0,0 +1,2 @@
+pycrypto==2.6.1
+web.py==0.38

web400-10/src/static/hint.py

@@ -0,0 +1 @@
+assert ENCRYPTION_KEY.islower()

web400-10/src/templates/index.html

@@ -0,0 +1,69 @@
+$def with (records, urls)
+<!DOCTYPE html>
+<html>
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>
+        On my Raddit
+    </title>
+
+    <link href="/static/bootstrap.min.css" rel="stylesheet">
+    <style>
+        body {
+            font-family: "Josefin Sans","Helvetica Neue",Helvetica,Arial,sans-serif;
+        }
+    </style>
+    <script type="text/javascript">
+        function change(t){
+            var limit = t.value
+            if (limit == 10) {
+                location.href = '?s=$urls[0]';
+            } else if (limit == 100) {
+                location.href = '?s=$urls[1]';
+            } else {
+                location.href = '/';
+            }
+        }
+
+    </script>
+</head>
+<body>
+  <div class="container">
+    <div class="jumbotron" style='background: #f7f7f7'>
+        <h1>On my Raddit</h1>
+        <p>Flag is <b>hitcon{ENCRYPTION_KEY}</b>, and here is a <b><a href='static/hint.py'>hint</a></b> for you :P</p>
+        <p><i>P.S. If you fail in submitting the flag and want to argue with author, read the source first!</i></p>
+        <br />
+        <p>
+            Totoal: ${len(records)} &nbsp;
+            <select onchange='change(this)'>
+              <option value="10">10</option>
+              <option value="100">100</option>
+              <option value="All" selected>All</option>
+            </select>
+        </p> 
+        <table class="table">
+          <thead>
+            <tr>
+              <th scope="col">Ups</th>
+              <th scope="col">Title</th>
+              <th scope="col">File</th>
+            </tr>
+          </thead>
+          <tbody>
+            $for r in records:
+                <tr>
+                  <td>$r['ups']</td>
+                  <td><a href="?s=$r['param']">$r['t']</a></td>
+                  $if r['file'] :
+                    <td><a href="?s=$r['file']">down</a></td>
+                  $else:
+                    <td></td>
+                </tr>
+          </tbody>
+        </table>
+    </div>
+  </div>
+</body>
+</html>

web400-10/writeup.md

@@ -0,0 +1,2 @@
+[https://github.com/orangetw/My-CTF-Web-Challenges#oh-my-raddit](https://github.com/orangetw/My-CTF-Web-Challenges#oh-my-raddit)
+[http://wonderkun.cc/index.html/?p=729](http://wonderkun.cc/index.html/?p=729)