True lack of freedom is building a cage in your own heart.

A file upload question from cisp-pte.

This is a CISP-PTE file upload question in which, after uploading, the path of the uploaded file has to be found by brute force.

Open the question, as shown below:

image

The code for the file upload section is provided:

```php
$filename = $files["name"];   // original file name supplied by the client
$randnum = rand(1, 99999);    // random number with only 99999 possible values
// stored name = md5(original name + random number) + the original extension
$fullpath = '/' . md5($filename.$randnum).".".substr($filename,strripos($filename,'.') + 1);
```

From the code, we can see that the stored file name is the md5 hash of the original file name concatenated with a random number from 1 to 99999, followed by the original file extension.
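Why this naming scheme is enumerable, and what a hardened version looks like, as an added PHP example (not the challenge's or the page's code; the upload directory, the allowlist and the `$_FILES` field name are assumptions):

```php
<?php
// Added example, not the challenge's code. Compares the weak scheme from the
// question with a hardened one. Assumes a standard multipart upload.

// Weak scheme from the challenge: md5(name . rand(1, 99999)) . ext.
// The name is attacker-chosen and the random part has only 99999 values,
// so the stored path can be recovered by hashing md5("1.php" . $n) for each n.
function weakUploadName(string $originalName): string {
    $randnum = rand(1, 99999);
    $ext = substr($originalName, strripos($originalName, '.') + 1);
    return '/' . md5($originalName . $randnum) . '.' . $ext;
}

// Hardened scheme (assumed design, not from the page):
//  - extension chosen from an allowlist by sniffing the file bytes, so neither
//    the client's file name nor its Content-Type header decides the type
//  - name from a CSPRNG with 128 bits of entropy, unrelated to the upload request
//  - file written outside the web root, so even a correct guess is not executable
const UPLOAD_DIR = '/var/app/uploads'; // assumed path, outside the document root
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function hardenedUploadName(string $tmpPath): ?string {
    // Detect the type from the file content, not from user-supplied metadata.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    $ext = array_search($mime, ALLOWED, true);
    if ($ext === false) {
        return null; // reject anything that is not really an allowed image
    }
    // 16 random bytes -> 32 hex chars; cannot be derived from the request.
    return UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Usage (assumes the multipart field is named "file"):
$dest = hardenedUploadName($_FILES['file']['tmp_name']);
if ($dest !== null) {
    move_uploaded_file($_FILES['file']['tmp_name'], $dest);
}
```

Validating by content and storing under an unguessable name outside the web root removes both problems the writeup relies on: the keyword blacklist and the small search space.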

Let's try uploading a file. The upload filters keywords such as "eval", but this can be bypassed with uppercase letters. The Content-Type needs to be changed to an image type.

image

After successful upload, we cannot see the path of the uploaded file.

Based on the upload code, we first upload a file. Its stored name will be the md5 hash described above, for example md5(1.php1).php. Since the upload does not reveal the path, we have to guess the stored name using the same md5(1.php1).php scheme. The specific steps:

  1. Send the request to Intruder, add an "x-forwarded-for" header set to 127.0.0.1, and mark the "1" as the payload position.

image

  2. Next, set the payload options:

Payload type: Numbers
From: 1
To: 200
Step: 1

image

This iterates over the numbers 1 to 200 out of the full 1-99999 range.

Two payload processing rules need to be set: for each value, add the prefix "1.php", and then hash the result (1.php[1-200]) with md5.

image

  3. After the uploads succeed, every response has the same size and length. At this point we still do not know the stored file name, because the responses for 1.php[1-200] are identical. So we need to brute force again, this time requesting the file name /md5(1.php[1-200]).php directly; the names that can be accessed successfully are the correct file names.

image

  4. Guess the stored file name by requesting the md5 hash directly.

image

The payload settings are the same as for the upload step.

By filtering on the 200 status code, the stored file name can be identified, as shown in the figure below.

image

Once the file is found, connect to it using AntSword.

image


Supplement: 2023-07-21

The above method is a bit cumbersome at the file upload stage. There is no need to set the payload in such a complicated way. Below is a simpler solution.

  1. Capture the packet.

image

Set the payload type to null payloads and send the packet directly. No other payload needs to be set here; a null payload simply repeats the request.

image

  2. Next, start brute-forcing the path.

Request any path ending in ".php".

image

Set the payload as follows:

image

image

With 2000 payloads, multiple uploaded files are hit successfully.

image

image
