Simple Web 0x06(Lab - Image Space 0x03)

tags: NTUSTWS CTF Web

Challenge: http://h4ck3r.quest:9012

Background

file signature (magic bytes): the fixed byte sequence at the start of a file that identifies its format. `getimagesize()` uses it to decide the image type, so it is what the IMAGETYPE check below actually tests.

Source code

:::spoiler
```php
<?php
    if (isset($_GET['source'])) {
        highlight_file(__FILE__);
        exit;
    }
?>
<h1>Image Uploader</h1>
<p>Only supports: jpg, jpeg, png</p>
<form action="index.php" method="POST" enctype="multipart/form-data">
    <input type="file" name="image_file">
    <input type="submit" value="Upload">
</form>
<p>
    <a href="/?source">View Source</a>
</p>
<?php
    if (!isset($_FILES['image_file'])) {
        die('Give me a file!');
    }

    $filename = basename($_FILES['image_file']['name']);
    // Only the SECOND dot-separated segment is checked, not the last one,
    // so "shell.png.php" is accepted as "png" and still saved with .php.
    $extension = strtolower(explode(".", $filename)[1]);

    if (!in_array($extension, ['png', 'jpeg', 'jpg']) !== false) {
        die("Invalid file extension: $extension.");
    }

    // MIME type as declared by the client in the multipart part; trivially forged.
    if (in_array($_FILES['image_file']['type'], ["image/png", "image/jpeg", "image/jpg"]) === false) {
        die("Invalid file type: " . $_SERVER["CONTENT_TYPE"]);
    }

    // getimagesize() identifies the type from the file signature (magic bytes).
    list($_, $_, $type) = getimagesize($_FILES['image_file']['tmp_name']);

    if ($type !== IMAGETYPE_JPEG && $type !== IMAGETYPE_PNG) {
        die("Invalid image type.");
    }

    $prefix = bin2hex(random_bytes(8));
    // $filename here: the copy of the source on this page had the variable name
    // garbled; $filename is the only name defined above and matches the stored path.
    move_uploaded_file($_FILES['image_file']['tmp_name'], "images/${prefix}_$filename");
    echo "<img src=\"/images/${prefix}_$filename\">";
?>
```
:::

This version adds two extra constraints on top of the extension check that must be bypassed: the MIME type the client sends in `$_FILES['image_file']['type']`, and the file signature that `getimagesize()` reads. Use Burp Suite to rewrite the `Content-Type` of the multipart part, and a hex editor to prepend a valid file signature to the webshell.

Exploit - bypass IMAGETYPE + bypass $_FILES['image_file']['type']

  1. HxD - bypass IMAGETYPE: prepend a valid file signature (taken from the Wikipedia list of file signatures) to the webshell. png: 89 50 4E 47 0D 0A 1A 0A, jpg: FF D8 FF DB
  2. Burp Suite - bypass the file type check: intercept the upload and change the part's `Content-Type` header to image/png (or image/jpeg).
  3. Name the file so that the second dot-separated segment is an image extension but the last one is .php, e.g. webshell_valid_filetype.png.php: the extension check reads explode(".", $filename)[1], not the last segment, so it sees "png" while the file is stored with its .php suffix. Then we have a shell. Payload: http://h4ck3r.quest:9012/images/353d74c11becb9b1_webshell_valid_filetype.png.php?sh=cat%20../../../../flag