肥皂的小屋

A file upload question that does not display the path after redirection.

Background

Organizing neglected practice targets.

Process

Target machine address

When opened, it looks like this:

The hint is already obvious: we are meant to find the backend, upload a shell, and obtain the key in the website's root directory.

Discovering the Upload Point

Let's start by scanning for the backend using dirsearch.

Hmm, all under the admin directory. Accessing the admin page alone shows a blank page, so let's add upload.php:

It redirects to upload1.php first, with a pop-up showing no permission to upload, then redirects to upload2.php:

As a former CTF newbie, my intuition tells me that there is a problem with upload1.php, so let's intercept it with Burp:

Hmm, in the returned page, we can clearly see a form. When a pop-up blocks the page like this, the first thing to suspect is front-end JavaScript.

Disable JavaScript in the browser and re-access upload.php; after the redirect to upload1.php, the upload box is displayed:

Let's just go for it and upload a test.php with the following content:

Upload successful, redirected to upload_file.php. Yeah! Wait a minute, where's the path?

Obtaining the Upload Path

Getting a bit impulsive, let's intercept the upload interface of upload1.php again using Burp:

Hmm, everything seems normal, but after uploading, it doesn't provide the path. Let's take a closer look at the validation cookie:

This validation string 266c9bd3c1cd6c9e is generally useful. Since it redirects to upload_file.php, the code that generates the path for uploading the shell must be in the upload_file.php file.

Let's try changing the value of uploadmd5 to upload_file.php and see if we can read the source code (it's like an arbitrary file read vulnerability):

OHHHHHHH, we have successfully read the source code of the upload:

The statement for constructing the upload file path has also been found: $path.$time.'_'.$verify.'_'.$file1

That is: the upload directory, then date("Ymd"), then "_", then the value of verify, then "_", then the file name.

So the path of the uploaded file should be: admin/uploadfile/20200331_266c9bd3c1cd6c9e_test.php
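
Seen from the defender's side, the three weaknesses used above (a permission check that lives only in front-end JavaScript, a cookie value used as the name of a file to read, and a stored file name that is predictable and keeps the .php extension) can all be closed in the upload handler. The following is an added example and not the target's source code; the session keys, the form field name, the upload directory and the image-only allowlist are assumptions, and it needs PHP's fileinfo extension.

```php
<?php
// Added example, not the target's upload_file.php. Assumed names: the session
// keys is_admin and upload_token, the form field "file", and UPLOAD_DIR.
declare(strict_types=1);
session_start();

const UPLOAD_DIR = '/var/www/private_uploads'; // assumed; outside the web root
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function fail(int $code, string $msg): void
{
    http_response_code($code);
    exit($msg);
}

// 1. Permission is decided on the server. An alert plus redirect in the page
//    protects nothing once scripts are disabled or the response is intercepted.
if (empty($_SESSION['is_admin'])) {
    fail(403, 'forbidden');
}

// 2. The uploadmd5 cookie is only compared with a server-side value. It is
//    never passed to a function that opens, reads or includes a file.
$expected = $_SESSION['upload_token'] ?? '';
$token = $_COOKIE['uploadmd5'] ?? '';
if (!is_string($expected) || $expected === '' || !is_string($token)
    || !hash_equals($expected, $token)) {
    fail(400, 'bad token');
}

// 3. Validate the upload: error code, extension allowlist, sniffed MIME type.
$f = $_FILES['file'] ?? null;
if (!is_array($f) || $f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
    fail(400, 'upload failed');
}
$ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
if ((ALLOWED[$ext] ?? null) !== $mime) {
    fail(415, 'type not allowed'); // test.php is rejected here
}

// 4. The stored name is random and chosen by the server: no date, no client
//    token, no client file name, so it cannot be rebuilt from known values.
$stored = bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($f['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
    fail(500, 'could not store file');
}
echo 'stored';
```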

Result

AntSword connection:

Successfully obtained the flag:
