The last one was a hard one, so this means we are learning stuff 🙂

Challenge: "Choose a JPEG to upload (max 1 KB)", with a form where we can browse for a file and upload it.

Solving it:
So let's read the source code and see what we can find.

<html>
<body>
<h1>natas12</h1>
<div id="content">
<?
function genRandomString() {
    $length = 10;
    $characters = "0123456789abcdefghijklmnopqrstuvwxyz";
    $string = "";

    for ($p = 0; $p < $length; $p++) {
        $string .= $characters[mt_rand(0, strlen($characters)-1)];
    }

    return $string;
}

function makeRandomPath($dir, $ext) {
    do {
        $path = $dir."/".genRandomString().".".$ext;
    } while(file_exists($path));
    return $path;
}

function makeRandomPathFromFilename($dir, $fn) {
    $ext = pathinfo($fn, PATHINFO_EXTENSION);
    return makeRandomPath($dir, $ext);
}

if(array_key_exists("filename", $_POST)) {
    $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);
    if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
        echo "File is too big";
    } else {
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
        } else {
            echo "There was an error uploading the file, please try again!";
        }
    }
} else {
?>

<form enctype="multipart/form-data" action="index.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="1000" />
<input type="hidden" name="filename" value="<? print genRandomString(); ?>.jpg" />
Choose a JPEG to upload (max 1KB):<br/>
<input name="uploadedfile" type="file" /><br />
<input type="submit" value="Upload File" />
</form>
<? } ?>
<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>
  • The first function generates a random string of 10 characters drawn from: 0123456789abcdefghijklmnopqrstuvwxyz
  • The second function builds a random path in the upload directory from that random string plus an extension.
  • The third function takes the extension from the filename it is given (here the `filename` value from the POST request) and hands the directory and extension to the second function.
  • The code then checks if the upload is more than 1 KB and prints a message if it is; otherwise the file is moved to the generated path.

PS: to try these functions out you can use the PHP installed on Kali or something like http://www.writephponline.com/ to test them online. Test each function to confirm it does what you think it does.

Looking at the code, nothing rejects a PHP file and nothing checks that the upload is actually a JPEG. So let's first try to upload a jpg file. That works, so let's make a PHP file and try to upload that. I used the following code so it cats out the password from the file under /etc/:

<?php $output = shell_exec('cat /etc/natas_webpass/natas13'); echo $output; ?>

Let's upload natas12.png and check what it does: "The file upload/knjppopm5g.jpg has been uploaded". Let's click on it, and we get an error:

Hmm, okay, let's change the file extension to php and upload it again. Uploading natas12.php gives: "The file upload/9of0p3syfj.jpg has been uploaded". It changed to jpg again. Is there something in the HTML that does this? Let's have a look by inspecting the element and expanding all the components.

It shows us a hidden field with the new name and the extension. Let's change this to .php so it becomes a PHP file instead of a jpg file. We are greeted with the message: "The file upload/41rzn7ipae.php has been uploaded". It uploaded as a PHP file; let's click on it and we get the password for the next level.
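The root cause is that the server builds the target extension from `$_POST["filename"]`, a hidden form field the client fully controls, and never looks at the uploaded bytes. As an added example (not part of the challenge source or this write-up), here is how the same handler looks when the extension is chosen server-side from an allowlist and the content is sniffed; `UPLOAD_DIR`, `MAX_BYTES`, `ALLOWED` and `detectExtension` are names I chose, and the upload directory is assumed to be the same `upload/` folder as in the challenge.

```php
<?php
// Added example (not part of the natas12 source): a hardened version of the upload
// handler. The original takes the target extension from $_POST["filename"], a hidden
// field the client controls. Here the extension is chosen server-side from an allowlist,
// after checking that the uploaded bytes really are an image.

const UPLOAD_DIR = __DIR__ . "/upload";   // assumption: same directory as the challenge
const MAX_BYTES  = 1000;
const ALLOWED    = ["image/jpeg" => "jpg", "image/png" => "png"]; // detected MIME => extension

function genRandomString(int $length = 10): string {
    // random_bytes() is a CSPRNG; mt_rand() in the original is not.
    return substr(bin2hex(random_bytes($length)), 0, $length);
}

function detectExtension(string $tmpPath): ?string {
    // Sniff the actual content; the client-supplied name and MIME type are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !array_key_exists($mime, ALLOWED)) {
        return null;
    }
    // Second opinion: getimagesize() must also parse it as an image.
    return @getimagesize($tmpPath) === false ? null : ALLOWED[$mime];
}

if (isset($_FILES['uploadedfile']) && $_FILES['uploadedfile']['error'] === UPLOAD_ERR_OK) {
    $tmp = $_FILES['uploadedfile']['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        http_response_code(400);
        exit("Invalid upload");
    }
    if (filesize($tmp) > MAX_BYTES) {
        exit("File is too big");
    }
    $ext = detectExtension($tmp);
    if ($ext === null) {
        exit("Only JPEG or PNG images are accepted");
    }
    do {
        $target = UPLOAD_DIR . "/" . genRandomString() . "." . $ext;
    } while (file_exists($target));
    if (move_uploaded_file($tmp, $target)) {
        // Defence in depth: also make sure the server never executes files under upload/
        // (e.g. "php_flag engine off" in upload/.htaccess, or serve uploads from a non-script host).
        echo "The file " . htmlspecialchars(basename($target), ENT_QUOTES) . " has been uploaded";
    } else {
        echo "There was an error uploading the file, please try again!";
    }
}
```

With this handler, the renamed natas12.php from the walkthrough is rejected at `detectExtension()` because its bytes are not an image, and even a real JPEG with PHP appended can only ever land on disk as `.jpg`.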
