old-41 -- Filenames And Errors

URL: https://webhacking.kr/challenge/web-19/?view_source=1

<?php
include "../../config.php";
include "./inc.php";
if ($_GET["view_source"]) {
    view_source();
}
error_reporting(E_ALL);
ini_set("display_errors", 1);
?><html>
<head>
<title>Challenge 41</title>
</head>
<body>
<?php if (isset($_FILES["up"]) && $_FILES["up"]) {
    $fn = $_FILES["up"]["name"];
    $fn = str_replace(".", "", $fn);
    $fn = str_replace("<", "", $fn);
    $fn = str_replace(">", "", $fn);
    $fn = str_replace("/", "", $fn);

    $cp = $_FILES["up"]["tmp_name"];
    copy($cp, "./{$upload_dir}/{$fn}");
    $f = @fopen("./{$upload_dir}/{$fn}", "w");
    @fwrite($f, $flag);
    @fclose($f);
    echo "Done~";
} ?>
<form method=post enctype="multipart/form-data">
<input type=file name=up><input type=submit value='upload'>
</form>
<a href=./?view_source=1>view-source</a>
</body>
</html>

In the PHP code we see that display_errors is set to 1, meaning that if we cause an error we can see it in the response. There's also an upload feature which takes our file, strips some characters from its name and finally writes the flag into the file.

The tricky part is that we don't know where $upload_dir is.

The length of filenames on filesystems seems to be capped at 256. If we upload a file whose name is longer than that, copy() should fail, and because that call is not silenced with @, its error message should expose the path.

I edited the request with Burp, as you can't create a filename with >256 chars.

Upload any file, apply the same character-replacement rule to its filename, visit the file and pwned.
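
For comparison, a hardened counterpart of the challenge's upload handler, as an added example that is not part of the challenge source or the original writeup: errors are logged instead of displayed, and the client-supplied filename never reaches a filesystem path. `UPLOAD_DIR`, `MAX_BYTES` and `store_upload()` are hypothetical names chosen for illustration.

```php
<?php
// Added example: hardened counterpart of the challenge's upload handler.
// UPLOAD_DIR, MAX_BYTES and store_upload() are assumptions, not from the page.
declare(strict_types=1);

// Errors go to the server log, never into the HTTP response.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

const UPLOAD_DIR = '/var/www/uploads-private'; // hypothetical, outside the web root
const MAX_BYTES  = 1048576;                    // hypothetical 1 MiB limit

function store_upload(array $file): ?string
{
    // Reject failed or oversized uploads and anything PHP did not receive via POST.
    // A multi-file field (arrays instead of scalars) fails the first check.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || ($file['size'] ?? 0) > MAX_BYTES
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        return null;
    }

    // The stored name is generated server-side; the client's name is never
    // used in a path, so its length and characters cannot reach the filesystem.
    $stored = bin2hex(random_bytes(16));
    $dest   = UPLOAD_DIR . '/' . $stored;

    // No "@": check the result, log the detail, return a generic failure.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        error_log('upload: could not store file as ' . $dest);
        return null;
    }
    return $stored;
}

if (isset($_FILES['up']) && is_array($_FILES['up'])) {
    $id = store_upload($_FILES['up']);
    http_response_code($id === null ? 400 : 200);
    echo $id === null ? 'Upload failed' : 'Done~';
}
```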
