The single quote ( ') is the classic injection character. Which leaves us with two interesting results where the webserver doesn’t return: pl.jpg' and pl.jpg|. You can see a few errors in the script where bash interpreted * and ? as wildcards and tried to use an existing file.Īlso curl has trouble with, and because it uses those characters to parse its -Form argument. Whipping up a quick and dirty script to fuzz the filename parameter:Įcho -n "$fn => " echo $(curl -v -F " 2>& 1 1>/dev/null \ Uploading an image named, for example, ida.7z works just fine. Trying a bunch of different files, it looks like we need a valid image, but the filename is very flexible.
Initial enumeration didn’t reveal much, the site is not much more than a basic image upload form and the backend seemed to be using python. We’re given the url which takes you to the following page: If you use Exiftool, you should update it to version 12.38 and above. Instead of injecting commands into the challenge’s code, I found I was actually injecting commands into Exiftool, a program commonly used to read, edit, (and in this case) strip images of their metadata. We are given a website that takes an image and returns it striped of it’s metadata, but we don’t have the site’s source code.Īfter a bit of web fuzzing, we find that the filename parameter is vulnerable to command injection, which we can use to get a shell on the machine and grab the flag.Īfter getting the flag, I poked around the box and realized I didn’t do the challenge the intended way. Therefore, he uses this web service to strip metadata from his photos before publishing them. Santa wants to make sure he doesn’t leak the location of his secret base through image metadata.
0 kommentar(er)
