[WebHacking] File Upload Vulnerability - Various Attacking Ways with LD_PRELOAD
kookhh0827 2019. 8. 20. 17:23
In the last post, I introduced attacking with the LD_PRELOAD environment variable and PHP's mail() function.
In this post, I'm going to show you some other ways to attack in addition to the mail() function.
First - Using mail functions other than PHP's mail() function
Besides the basic mail() function, PHP has other mail-related functions (the IMAP extension), but unlike mail() they must be installed separately.
We can use mail() without any additional installation, but in practice it requires 'sendmail' to actually work.
To attack with the IMAP functions, however, the IMAP extension must be installed on the server.
After installing IMAP, PHP also has to be built with the compile option shown above.
We can check phpinfo() to find out whether it is available.
The Configure Command section of phpinfo() shows which options were compiled in.
IMAP is available on the test server, so I'll show you an example.
<?php
imap_mail("a","a","a","a");
?>
I create a PHP file like the one above and check it with strace.
Just like the mail() function, it ends up calling execve("/bin/sh").
Second - Using error_log
error_log is a PHP function used to record errors on the server.
But if we change the $message_type parameter, the error message is sent via the mail service instead.
error_log([message], 1, [mail address])
If we call error_log like this, it tries to send the message as a mail.
So we can guess that it will behave like the mail() function.
Let's actually check it with strace.
<?php
error_log("test",1,"test@test.test");
?>
It calls execve as well.
Therefore, we can attack using error_log too.
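From the defender's side, the functions covered in the first and second sections (mail(), imap_mail(), error_log() with message type 1) plus putenv(), which is what lets a script set LD_PRELOAD at all, are what a php.ini audit should look for. The following script is an added example, not code from the original post: it parses a constructed php.ini fragment, reports which of those functions are still enabled and whether the IMAP extension is loaded, and emits a hardened disable_functions directive (the function names come from the post; the ini text is made up).

```python
"""Audit a php.ini for the execve-spawning PHP functions discussed above.
Added example; the sample ini below is constructed, not taken from any server."""
import re

# Functions from the post whose child process (sendmail / sh) loads LD_PRELOAD.
EXECVE_SPAWNERS = {"mail", "imap_mail", "error_log"}
# putenv() is the usual way a script sets LD_PRELOAD in the first place.
ENV_SETTERS = {"putenv"}

SAMPLE_INI = """; constructed sample php.ini fragment
extension=imap
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
"""

def parse_disabled(ini_text):
    """Return the set of names in the last uncommented disable_functions line."""
    disabled = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ';' comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            names = m.group(1).strip().strip('"').split(",")
            disabled = {n.strip().lower() for n in names if n.strip()}
    return disabled

def audit(ini_text):
    """Report which risky functions remain callable and whether IMAP is loaded."""
    disabled = parse_disabled(ini_text)
    imap = re.search(r'^\s*extension\s*=\s*"?imap(\.so)?"?\s*$', ini_text, re.M | re.I)
    return {
        "env_setters_enabled": sorted(ENV_SETTERS - disabled),
        "spawners_enabled": sorted(EXECVE_SPAWNERS - disabled),
        "imap_loaded": imap is not None,
    }

def harden(ini_text):
    """Rewrite (or append) disable_functions so it also covers the functions above.
    Note: disabling error_log wholesale also stops normal file logging, so it is
    a judgment call per application; putenv and the mail functions rarely are."""
    merged = ",".join(sorted(parse_disabled(ini_text) | EXECVE_SPAWNERS | ENV_SETTERS))
    directive = "disable_functions = " + merged
    pat = re.compile(r"^\s*disable_functions\s*=.*$", re.M | re.I)
    if pat.search(ini_text):
        return pat.sub(directive, ini_text)
    return ini_text.rstrip("\n") + "\n" + directive + "\n"

if __name__ == "__main__":
    print(audit(SAMPLE_INI))
    print(harden(SAMPLE_INI))
```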
Third - Using ImageMagick
When ImageMagick opens a PostScript-type file (.pdf, .ps, .eps, ...),
it executes Ghostscript (e.g. '/usr/bin/gs') via execve in order to interpret it.
But normally, for security reasons, those file types are not available in ImageMagick.
(Based on ImageMagick 3.4.3RC2)
But if a malformed .eps file is opened by ImageMagick, that security check can be bypassed
and execve("/usr/bin/gs") is executed anyway.
This was used in [Google CTF 2019 - Wallbreaker Easy].
I recommend reading the writeup about it uploaded on CTFTime.
Fourth - Other 'maybe possible' ways
More generally, exploitation may be possible through any other function we can induce to call execve.
And if a particular PHP function relies on an external (shared library) function,
that function can be overridden to exploit it, too.
I will update this post when I find other ways.
Please let me know in the comments if there is anything wrong in the post or something to be added.
Thank you for reading.