Description: http://184.108.40.206:50080 http://220.127.116.11:50081 http://18.104.22.168:50082 The three servers are the same; you can choose any one. The server is reset every 10 minutes.
This chall is almost the same:
<?php ($_=@$_GET['yxxx'].'.php') && @substr(file($_),0,6) === '@<?php' ? include($_) : highlight_file(__FILE__) && include('phpinfo.html');
but some of the code is different, so we need to find a new exploit.
We can upload an arbitrary session file using PHP_SESSION_UPLOAD_PROGRESS and include the session file using various wrappers.
But in this chall, we need to bypass the appended .php, so we can imagine two ways to bypass it:
1. phar wrapper
2. zip wrapper
First I tried the phar wrapper, but it's impossible!
So maybe we can use the second way for the exploit.
By accident, I found this writeup, and it has very useful information.
A zip file is not required to start with the PK signature.
If we set the proper offsets in the zip file, there is no need for the zip signature to be at the start of the file.
And we can simply calculate the ZIP offsets by hand!
We need to change two offsets in the zip:
1. the Local Header Offset in the Central Directory File Header, and
2. the Central Header Offset in the End of Central Directory Record.
These offsets specify where the zip's headers start, so our payload can be unzipped independent of the session prefix.
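As an added example (not code from the original writeup), here is a small Python script that reads those two offsets straight from an archive's bytes and checks whether they land on real headers, which is how you tell an archive whose offsets were adjusted for leading data from one that merely had data glued in front. The sample archives and the session-like prefix string are constructed inside the script.

```python
import io
import struct
import zipfile

EOCD_SIG, CDFH_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"


def inspect_offsets(data: bytes) -> dict:
    """Read the Central Directory offset from the EOCD and the Local Header Offset
    from each Central Directory File Header, then check where they really point."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no End of Central Directory record")
    # EOCD fields after the signature: entries at +10, cd_size at +12, cd_offset at +16
    entries, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    consistent = data[cd_offset:cd_offset + 4] == CDFH_SIG
    local_offsets, pos = [], cd_offset
    for _ in range(entries if consistent else 0):
        if data[pos:pos + 4] != CDFH_SIG:
            consistent = False
            break
        # CDFH is 46 fixed bytes: name/extra/comment lengths at +28, local offset at +42
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        consistent = consistent and data[local_off:local_off + 4] == LFH_SIG
        local_offsets.append(local_off)
        pos += 46 + name_len + extra_len + comment_len
    return {"cd_offset": cd_offset, "consistent": consistent,
            "leading_bytes": min(local_offsets) if local_offsets else None}


def read_member(data: bytes, name: str) -> bytes:
    """Python's zipfile finds the EOCD from the end and silently shifts the stored
    offsets, so it reads a prefixed archive either way; the hand check above does not."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


PREFIX = b"upload_progress_sample|a:0:{}"  # constructed, session-like leading data


def build_sample(prefix: bytes, absolute_offsets: bool) -> bytes:
    """Constructed sample: a one-member archive placed after `prefix`."""
    if absolute_offsets:
        # Appending to a buffer that already holds the prefix makes zipfile store
        # every offset relative to the start of the whole file.
        buf = io.BytesIO(prefix)
        buf.seek(0, io.SEEK_END)
        with zipfile.ZipFile(buf, "a") as zf:
            zf.writestr("hello.txt", "hello")
        return buf.getvalue()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hello.txt", "hello")
    return prefix + buf.getvalue()  # offsets still count from the old start of the zip
```

Running inspect_offsets on the two prefixed samples shows the difference: with absolute offsets every stored offset lands on a real header and leading_bytes equals the prefix length, while the glued-together archive fails the consistency check even though zipfile still extracts it.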
session.upload_progress.cleanup is enabled, so we need to use a race condition.
Then we can get the flag!
My exploit: