Exploit code: https://gist.github.com/as3617/fa06307b5c1bcc002e3b646bfcc3500d
- `disable_functions` is set, with `putenv` and `mail` left enabled.
- The session `cleanup` option (`session.upload_progress.cleanup`) is off.
- When UPLOAD_PROGRESS is used with the cleanup option off, the session file will contain the path of the uploaded file.
- PHP cleans up the tmp file at the end of execution.
- So, if PHP crashes, the tmp file will not be erased -> https://bugs.php.net/bug.php?id=80246
- Upload a dynamic library and get a reverse shell.
Thanks to sqrtrev!!
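
A configuration check for the preconditions listed above, as an added example that is not part of the original writeup or the gist: it parses php.ini text and reports whether upload-progress cleanup is off and whether `putenv` and `mail` are missing from `disable_functions`. The directive names `session.upload_progress.enabled` and `session.upload_progress.cleanup` are assumed to be what the notes call "UPLOAD_PROGRESS" and "clean_up", and both sample configs are constructed.

```python
# Boolean spellings php.ini treats as "off" (an empty value also counts as off).
OFF = {"0", "off", "false", "no", "none", ""}

def parse_ini(text):
    """Return {directive: value} from php.ini text; later lines override earlier ones."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # ';' starts a comment
        if "=" not in line or line.startswith("["):
            continue                              # skip blanks and [section] headers
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """List which preconditions from the notes above this config satisfies."""
    cfg = parse_ini(text)
    findings = []
    # PHP defaults when a directive is absent: progress on, cleanup on, nothing disabled.
    progress_on = cfg.get("session.upload_progress.enabled", "1").lower() not in OFF
    cleanup_off = cfg.get("session.upload_progress.cleanup", "1").lower() in OFF
    if progress_on and cleanup_off:
        findings.append("session.upload_progress.cleanup is off while upload progress is enabled")
    disabled = {f.strip().lower() for f in cfg.get("disable_functions", "").split(",")}
    for fn in ("putenv", "mail"):
        if fn not in disabled:
            findings.append(f"{fn} is not in disable_functions")
    return findings

# Constructed sample configs (not taken from the challenge).
WEAK = """
[PHP]
disable_functions = exec,system,passthru,shell_exec,popen,proc_open ; partial list
[Session]
session.upload_progress.enabled = On
session.upload_progress.cleanup = Off
"""
HARDENED = """
disable_functions = "exec,system,passthru,shell_exec,popen,proc_open,putenv,mail"
session.upload_progress.enabled = Off
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text))
```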