WEBSEC Level 8



Challenge description

Bypassing Security Checks


Initial analysis

    $uploadedFile = sprintf('%1$s/%2$s', '/uploads', sha1($_FILES['fileToUpload']['name']) . '.gif');

    if (file_exists($uploadedFile)) {
        unlink($uploadedFile);
    }

    if ($_FILES['fileToUpload']['size'] <= 50000) {
        if (getimagesize($_FILES['fileToUpload']['tmp_name']) !== false) {
            if (exif_imagetype($_FILES['fileToUpload']['tmp_name']) === IMAGETYPE_GIF) {
                move_uploaded_file($_FILES['fileToUpload']['tmp_name'], $uploadedFile);
                echo '<p class="lead">Dump of <a href="/level08' . $uploadedFile . '">' . htmlentities($_FILES['fileToUpload']['name'])

tl;dr

STEP 1: Choose a GIF file to upload.
STEP 2: Intercept the upload request in Burp Suite.
STEP 3: Keep the GIF magic number (GIF87a).
STEP 4: Add PHP code to show the flag.txt source: <?php show_source('flag.txt');?>
STEP 5: GIF89a

OUTPUT: WEBSEC{BypassingImageChecksToRCE}
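The header-only checks from the level next to a decode-and-re-encode check, run against the constructed file from the tl;dr and a genuine GIF. This is an added example, not code from the challenge or the original post; the function names weakCheck and storeReencodedGif are hypothetical, and it assumes the GD and exif extensions are loaded.

```php
<?php
// Same two checks as the challenge code: both only inspect the file header.
function weakCheck(string $path): bool
{
    return @getimagesize($path) !== false
        && @exif_imagetype($path) === IMAGETYPE_GIF;
}

// Hardened variant (assumption: GD is available). Decode the whole image and
// write a fresh GIF under a server-chosen name; the uploaded bytes are never stored.
function storeReencodedGif(string $path, string $destDir): ?string
{
    if (filesize($path) > 50000) {       // same size limit as the level
        return null;
    }
    $img = @imagecreatefromgif($path);   // false when the data does not decode as a GIF
    if ($img === false) {
        return null;
    }
    // The name comes from the server, not from the client-supplied file name.
    $dest = $destDir . '/' . bin2hex(random_bytes(16)) . '.gif';
    return imagegif($img, $dest) ? $dest : null;
}

// Constructed sample 1: the file from the tl;dr (GIF magic number followed by PHP).
$dir = sys_get_temp_dir();
$polyglot = tempnam($dir, 'up');
file_put_contents($polyglot, "GIF87a<?php show_source('flag.txt');?>");

// Constructed sample 2: a genuine 1x1 GIF produced by GD.
$real = tempnam($dir, 'up');
$canvas = imagecreate(1, 1);
imagecolorallocate($canvas, 255, 255, 255);
imagegif($canvas, $real);

// Print the verdict of each check for both samples, then clean up.
foreach (['polyglot' => $polyglot, 'real gif' => $real] as $label => $file) {
    $stored = storeReencodedGif($file, $dir);
    printf("%-9s weak check: %-6s hardened: %s\n", $label,
        weakCheck($file) ? 'accept' : 'reject',
        $stored === null ? 'reject' : 'stored as ' . basename($stored));
    unlink($file);
    if ($stored !== null) {
        unlink($stored);
    }
}
```

Re-encoding only limits which bytes survive; the stored file should still never be passed to include or kept in a directory where PHP executes.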


Flag

FLAG: WEBSEC{BypassingImageChecksToRCE}

For further queries, please DM me on Twitter: https://twitter.com/gopika-subramanian.



