This is the vulnerable code, that is supposed to mimic what a real web pag could have, and then the exploit server does the exploit.
https://github.com/jeremy-neale/public_vulnerable_exploit_server
https://jeremy-neale.github.io/public_vulnerable_exploit_server/
https://github.com/jeremy-neale/exploit_server
https://github.com/jeremy-neale/subdomain_bypass-exploit_server