[HarekazeCTF2019] Avatar Uploader 1
2022-07-30 17:01:00 【New Reading of the Classic of Tea.】
The source code for this challenge is provided.

Browsing the source, we find upload.php:

```php
// ... (the start of upload.php is not shown on this page; the size
// comparison below is inferred from the error message that follows it)
if ($_FILES['file']['size'] > 256000) {
  error('Uploaded file is too large.');
}

// check file type
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$type = finfo_file($finfo, $_FILES['file']['tmp_name']);
finfo_close($finfo);
if (!in_array($type, ['image/png'])) {
  error('Uploaded file is not PNG format.');
}

// check file width/height
$size = getimagesize($_FILES['file']['tmp_name']);
if ($size[0] > 256 || $size[1] > 256) {
  error('Uploaded image is too large.');
}
if ($size[2] !== IMAGETYPE_PNG) {
  // I hope this never happens...
  error('What happened...? OK, the flag for part 1 is: ' . getenv('FLAG1') . '');
}

// ok
$filename = bin2hex(random_bytes(4)) . '.png';
move_uploaded_file($_FILES['file']['tmp_name'], UPLOAD_DIR . '/' . $filename);
$session->set('avatar', $filename);
flash('info', 'Your avatar has been successfully updated!');
redirect('/');
```

Auditing the code shows two important functions: finfo_open() (used together with finfo_file()) and getimagesize(). The finfo check verifies that the uploaded file is of type image/png and otherwise returns 'Uploaded file is not PNG format.'. The getimagesize() function obtains the image size and related information; it returns an array on success, or FALSE on failure, in which case an E_WARNING-level error message is generated. A sample return value:

```
Array
(
    [0] => 290
    [1] => 69
    [2] => 3
    [3] => width="290" height="69"
    [bits] => 8
    [mime] => image/png
)
```

Description of the returned array:
- Index 0 gives the image width in pixels
- Index 1 gives the image height in pixels
- Index 2 gives the type of the image as a number, where 1 = GIF, 2 = JPG, 3 = PNG, 4 = SWF, 5 = PSD, 6 = BMP, 7 = TIFF (intel byte order), 8 = TIFF (motorola byte order), 9 = JPC, 10 = JP2, 11 = JPX, 12 = JB2, 13 = SWC, 14 = IFF, 15 = WBMP, 16 = XBM
- Index 3 gives a width and height string that can be used directly in an HTML `<img>` tag
- Index bits gives the number of bits per color of the image, in binary format
- Index channels gives the channel value of the image; the default is 3 for RGB images
- Index mime gives the MIME information of the image, which can be used to send the correct information in the HTTP Content-type header, such as: header("Content-type: image/jpeg");

Auditing the code again, we see that the uploaded file must exist and must not be larger than 256kb. The finfo_open() check (which mainly looks at the first row of hexadecimal data in the file) must report it as image/png, and the image width and height must not be greater than 256px. A file that passes these checks but that getimagesize() does not report as PNG (`$size[2] !== IMAGETYPE_PNG`) makes the server return the flag for part 1.

Use 010 Editor to create the file in hexadecimal. In a PNG file, bytes 0, 1, 2 and 3 of the second row hold the width, and bytes 4, 5, 6 and 7 hold the height. Leave these out entirely so that getimagesize() cannot parse the file, and write only the PNG file header.

Save it as 1.png and upload it to get the flag.
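From the defender's side, the fix is to treat any disagreement between the two parsers as a rejection. The following is an added example, not the challenge's code: `validate_png_avatar()` and `png_chunk()` are hypothetical helpers, the sample files are constructed inline, and the fileinfo and zlib extensions are assumed to be enabled.

```php
<?php
// Added example, not the challenge's code. validate_png_avatar() is a
// hypothetical helper; the limits mirror the page's upload.php.
const MAX_BYTES = 256000;
const MAX_DIM = 256;

function validate_png_avatar(string $path): array
{
    if (!is_file($path) || filesize($path) > MAX_BYTES) {
        return [false, 'missing or too large'];
    }
    // Check 1: content sniffing, the same test finfo_file() performs.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime !== 'image/png') {
        return [false, 'finfo: not image/png'];
    }
    // Check 2: getimagesize() must succeed and agree. On failure it returns
    // false, and false[0] > 256 is not true, so a bare comparison lets it by.
    $size = @getimagesize($path);
    if ($size === false || $size[2] !== IMAGETYPE_PNG) {
        return [false, 'getimagesize: not a parsable PNG'];
    }
    if ($size[0] < 1 || $size[1] < 1 || $size[0] > MAX_DIM || $size[1] > MAX_DIM) {
        return [false, 'bad dimensions'];
    }
    return [true, 'ok'];
}

// Constructed samples: header-only bytes, and a complete 1x1 grayscale PNG.
function png_chunk(string $type, string $data): string
{
    return pack('N', strlen($data)) . $type . $data . pack('N', crc32($type . $data));
}

$sig = "\x89PNG\r\n\x1a\n";
$samples = [
    'header-only' => $sig . pack('N', 13) . 'IHDR',
    'valid-1x1' => $sig . png_chunk('IHDR', pack('NNCCCCC', 1, 1, 8, 0, 0, 0, 0))
        . png_chunk('IDAT', gzcompress("\x00\x00")) . png_chunk('IEND', ''),
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'png');
    file_put_contents($tmp, $bytes);
    [$ok, $why] = validate_png_avatar($tmp);
    printf("%-12s %s (%s)\n", $name, $ok ? 'accept' : 'reject', $why);
    unlink($tmp);
}
```

The header-only sample is rejected by whichever check fails first, while the complete PNG is accepted; re-encoding accepted images before storing them is a further hardening step not shown here.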

This is the end, let's spread the flowers








