Very quick little write-up:
Get a friend account using xss in svg:
Now you can upload a small file (20 characters) that contains none of the blacklisted keywords (system, exec, `, …) and none of the blacklisted extensions (php, .ht*, …). We noticed the header X-Powered-By: PHP-fpm/5.6, so we uploaded a .user.ini file. This is a configuration INI file that PHP-FPM applies on a per-directory basis.
auto_append_file makes PHP automatically parse the given file after the main file. So we can upload a 20-character PHP file called xx. As this is too short for a real shell (is it? usort magic maybe?), we copy an image with PHP code in it to a shorter name, so we can include it via auto_append_file. This way we do not have to deal with the character limit or the keyword blacklist.
xx file will be included:
1.jpg is an image with the following as a comment:
Now we browse to
upload/[md5]/index.php, so that 1.jpg will be copied to 1 and we can update the
.user.ini file to point to it. Now we can execute code like this:
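The defensive side of the same trick, as an added example that is not part of the original write-up: a small scanner that walks a web-writable tree (such as the upload directory) and reports any .user.ini that sets auto_append_file or auto_prepend_file, which is exactly the per-directory directive abused above. The directory names and file contents in the sample are constructed for the demo; on a real PHP-FPM host the root fix is setting user_ini.filename to an empty value in php.ini so per-directory INI files are never read.

```python
import os
import tempfile
from pathlib import Path

# Directives settable from a per-directory .user.ini (PHP_INI_PERDIR) that make
# PHP-FPM include an attacker-chosen file around every script in that directory.
DANGEROUS_DIRECTIVES = {"auto_prepend_file", "auto_append_file"}


def parse_user_ini(text):
    """Minimal INI parser: returns {directive: value} for key=value lines,
    ignoring blank lines, ';' or '#' comments and [section] headers."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        directives[key.strip().lower()] = value.strip().strip("\"'")
    return directives


def scan_for_user_ini(root):
    """Walk `root` and report every .user.ini setting an include-style directive.
    Returns a sorted list of (path, directive, value) tuples."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if ".user.ini" not in filenames:
            continue
        path = Path(dirpath) / ".user.ini"
        for name, value in parse_user_ini(path.read_text(errors="replace")).items():
            if name in DANGEROUS_DIRECTIVES:
                findings.append((str(path), name, value))
    return sorted(findings)


def build_constructed_sample():
    """Constructed sample tree (hypothetical paths): one upload directory with a
    malicious .user.ini and one with a harmless size limit. Returns the root."""
    root = tempfile.mkdtemp(prefix="uploads_")
    bad = Path(root, "upload", "0123abcd")   # stands in for upload/[md5]
    good = Path(root, "upload", "clean")
    bad.mkdir(parents=True)
    good.mkdir(parents=True)
    (bad / ".user.ini").write_text("auto_append_file=1\n")
    (good / ".user.ini").write_text("; limits only\nupload_max_filesize = 2M\n")
    return root


if __name__ == "__main__":
    for path, name, value in scan_for_user_ini(build_constructed_sample()):
        print(f"{path}: {name} = {value}")
```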
Very interesting php-golf challenge. I had hoped I would find a 20-character full shell so this would work without the pictures. The shortest I could come up with was:
(24 characters) WORK IN PROGRESS!