UIUCTF 2022
Last updated
Last updated
know that: $allowed_extensions = array(".jpg", ".jpeg", ".png", ".gif"); -> we can use ".gif" extension file. Finding around and i got this doc
We can use gifsicle
to embedd PHP code that runs the Linux command into a malicious image named output.php.gif.
Firstly, we convert png file that we received from chall to gif file
I have tried change file extension from png to gif but it doesn't work, of course.
I convert by online tool and ... that works. After we that just use this command:
Upload the output gif to server:
Go to that path and get some interesting things:
It works, try other commands to rce :
Now just use rce command and got the flag:
flag in some confusing thing like this:
Now we can rce ez by web shell
/uploads/c654036b5974c786-output.php.gif?command=ls%20-a
Thanks for reading. Have a good day !