banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。
HomeArchives图文

A file upload question from cisp-pte

#渗透测试#考证540
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
This is a guide on how to solve a file upload challenge in the CISP-PTE platform. The challenge involves guessing the path of the uploaded file by brute-forcing the file name. The uploaded file names are encrypted using MD5, with the current file name concatenated with a random number between 1 and 99999, followed by the file extension. The challenge also filters out certain keywords, but they can be bypassed using uppercase letters and changing the content-type to an image format. The guide provides two methods for solving the challenge: one involves using the Intruder tool to iterate through possible file names and their MD5 hashes, and the other involves simply sending repeated requests with null payloads. After successfully uploading the file, the guide explains how to determine the file name by sending requests to the MD5 hash of the file name. Finally, it mentions that the second method is simpler and does not require complex payload settings.

Translate the following text to English language:

Take a file upload question from cisp-pte, and guess the path of the uploaded file by brute force.

Open the question, as shown below:

image

The code for the file upload section is provided:

$filename = $files["name"];
$randnum = rand(1, 99999);
$fullpath = '/' . md5($filename.$randnum).".".substr($filename,strripos($filename,'.') + 1);

From the code, we can see that the uploaded file name will be encrypted with md5, using the current uploaded file name concatenated with a random number from 1 to 99999, followed by a file extension.

Let's try uploading a file. The uploaded file filters out keywords like "eval", but we can bypass it by using uppercase letters. The content-type needs to be changed to an image format.

image

After successful upload, we cannot see the path of the uploaded file.

Based on the uploaded code, we can first upload an image. The uploaded image will be encrypted with md5, md5(1.php1).php. After uploading the image, since we don't know the path of the uploaded file, we need to guess the file name after upload, using the same md5(1.php1).php method. Let's see the specific steps:

  1. Put the package in Intruder and fill in an "x-forwarded-for" parameter with the content set to 127.0.0.1, and iterate over the "1" parameter.

image

  1. Next, set the payload options:

Payload type: Numbers
From: 1
To: 200
Step: 1

image

Iterate over 1-200 in the range of 1-99999.

Two values need to be set: payload processing. When iterating over each value, add the "1.php" prefix to the file name being uploaded, and then encrypt its content (1.php[1-200]) with md5.

image

  1. After successful upload, the size and length are the same. At this point, we still don't know the file name after upload. Since the md5 value of 1.php[1-200] is the same, we need to brute force it again. This time, directly request the file name, /md5(1.php[1-200]). The ones that can be successfully accessed are the correct file names.

image

  1. Guess the file name after upload by directly accessing the encrypted md5 content.

image

The payload settings are the same as uploading files.

By distinguishing the 200 status code, we can know the file name of the upload as shown in the figure below.

image

After successful upload, connect with AntSword.

image

Supplement: 2023-07-21

The above method is a bit cumbersome at the file upload stage. There is no need to set the payload in such a complicated way. Below is a simpler solution.

  1. Capture the packet.

image

Set the payload and send the packet directly. No other payload settings are needed here. The null payload means sending the request repeatedly.

image

  1. Next, start brute-forcing the path.

Request any path with ".php" appended.

image

Set the payload as follows:

image

2000 payloads can successfully upload multiple files.

image

image

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.