Take a file upload question from cisp-pte, and guess the path of the uploaded file by brute force.
Open the question, as shown below:
The code for the file upload section is provided:
$filename = $files["name"];
$randnum = rand(1, 99999);
$fullpath = '/' . md5($filename.$randnum).".".substr($filename,strripos($filename,'.') + 1);
From the code we can see that the stored file name is the md5 hash of the original file name concatenated with a random number from 1 to 99999, followed by the original file extension.
Let's try uploading a file. The upload filter blocks keywords such as "eval", but we can bypass it with mixed case. The Content-Type also needs to be changed to an image type.
After successful upload, we cannot see the path of the uploaded file.
Based on the upload code, we first upload an image. The stored name will be the md5 hash of the file name plus the random number, e.g. md5(1.php1).php. Since the response does not reveal the path, we have to guess the stored file name with the same md5(1.php1).php formula. The specific steps:
- Send the request to Intruder, add an "X-Forwarded-For" header set to 127.0.0.1, and mark the "1" parameter as the position to iterate.
- Next, set the payload options:
Payload type: Numbers
From: 1
To: 200
Step: 1
This iterates over 1-200 out of the possible range 1-99999.
Two payload-processing rules are needed: for each value, add the prefix "1.php" (the name of the file being uploaded), then md5-hash the result (1.php[1-200]).
- After the uploads succeed, every response has the same size and length, so we still do not know the stored file name. Because the stored name uses the same md5(1.php[1-200]) formula, we brute-force again, this time requesting the file name directly, /md5(1.php[1-200]). The ones that can be accessed successfully are the correct file names.
- Guess the file name after upload by directly accessing the encrypted md5 content.
The payload settings are the same as uploading files.
Filtering on the 200 status code reveals the stored file name, as shown in the figure below.
After successful upload, connect with AntSword.
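The renaming scheme above is what makes the path guessable: the only secret is rand(1, 99999), so once the original file name is known the stored name can be enumerated. A hardened upload handler, as an added example that is not part of the challenge or this writeup (the form field name "file", the $uploadDir path and the extension list are assumptions):

```php
<?php
// Added example, not the challenge's code. Assumes the upload arrives in
// $_FILES['file'] and that $uploadDir is a directory the web server does not serve.

function safe_upload_name(string $originalName, array $allowedExt): ?string
{
    // The challenge names files md5($filename . rand(1, 99999)): the only
    // unknown is a number in 1..99999, so at most 99999 requests cover it.
    // 16 bytes from the CSPRNG cannot be enumerated that way.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));

    // Allowlist the extension instead of blacklisting keywords in the body
    // (the writeup bypassed the "eval" blacklist with mixed case).
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

$uploadDir = '/var/app/uploads_private'; // assumption: outside the web root
$allowed   = ['jpg', 'jpeg', 'png', 'gif'];

if (isset($_FILES['file']) && $_FILES['file']['error'] === UPLOAD_ERR_OK) {
    $name = safe_upload_name($_FILES['file']['name'], $allowed);
    if ($name === null) {
        http_response_code(400);
        exit('file type not allowed');
    }
    // Inspect the bytes rather than trusting the client-supplied Content-Type.
    if (@getimagesize($_FILES['file']['tmp_name']) === false) {
        http_response_code(400);
        exit('not an image');
    }
    if (!move_uploaded_file($_FILES['file']['tmp_name'], $uploadDir . '/' . $name)) {
        http_response_code(500);
        exit('upload failed');
    }
    // Do not echo the stored path; serve files through a handler that checks authorization.
    echo 'ok';
}
```

Because the stored name is unrelated to the original name and the directory is not web-accessible, the brute-force in this writeup has nothing to enumerate.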
Supplement: 2023-07-21
The above method is a bit cumbersome at the file upload stage. There is no need to set the payload in such a complicated way. Below is a simpler solution.
- Capture the packet.
Set the payload type to Null payloads and send the request directly. No other payload settings are needed, because a null payload simply resends the same request repeatedly.
- Next, start brute-forcing the path.
Request an arbitrary path with ".php" appended.
Set the payload as follows:
With 2000 payloads, several of the uploaded files are hit.