The white box is composed of four parts:
<?
function genRandomString() {
    $length = 10;
    $characters = "0123456789abcdefghijklmnopqrstuvwxyz";
    $string = "";
    for ($p = 0; $p < $length; $p++) {
        $string .= $characters[mt_rand(0, strlen($characters)-1)];
    }
    return $string;
}
function makeRandomPath($dir, $ext) {
    do {
        $path = $dir."/".genRandomString().".".$ext;
    } while(file_exists($path));
    return $path;
}
function makeRandomPathFromFilename($dir, $fn) {
    // the extension is taken from the client-supplied "filename" field, not from the uploaded file
    $ext = pathinfo($fn, PATHINFO_EXTENSION);
    return makeRandomPath($dir, $ext);
}
if(array_key_exists("filename", $_POST)) {
    $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);
    if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
        echo "File is too big";
    } else {
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
        } else{
            echo "There was an error uploading the file, please try again!";
        }
    }
} else {
?>
<form enctype="multipart/form-data" action="index.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="1000" />
<input type="hidden" name="filename" value="<? print genRandomString(); ?>.jpg" />
Choose a JPEG to upload (max 1KB):<br/>
<input name="uploadedfile" type="file" /><br />
<input type="submit" value="Upload File" />
</form>
<? } ?>
From the source code, it looks like the file extension is what we should play with. If we try to upload text.txt, the file will be stored as qsd92e.jpg.
What we need to do is modify the form before sending it.
We can do that with the developer tools of every web browser.
Once we do that, we change the filename to what we like, and the file will be uploaded with our filename.
From there, we create a .php file with this code:
<?php
include "/etc/natas_webpass/natas13";
?>
We upload the file and go to the link displayed. Here is what we get:
jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY
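The root cause above is that the stored extension comes from a hidden form field the client controls, so the "jpg" suffix is a suggestion rather than a check. As an added example that is not part of the Natas level or of this write-up, here is a hardened rewrite of the same upload handler: the extension is derived from the image type PHP detects in the file contents, only an allowlist of image types is accepted, the random name comes from a CSPRNG, and the client-supplied "filename" field is ignored entirely. The "upload" directory and the index.php action are assumed from the original form.

```php
<?php
// Added example (not the Natas code): hardened version of the upload handler.
// Assumptions: the "upload" directory exists, is writable, and is served
// with PHP execution disabled (e.g. "php_flag engine off" in .htaccess).

const MAX_UPLOAD_BYTES = 1000;

// Allowlist: detected image type => extension we will store it under.
// The client never chooses the extension.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

function genRandomName(int $length = 10): string {
    // random_bytes() is cryptographically secure; mt_rand() is not
    // appropriate for names that are meant to be unguessable.
    return substr(bin2hex(random_bytes($length)), 0, $length);
}

function safeExtensionFor(string $tmpPath): ?string {
    // getimagesize() inspects the file signature, not the user-supplied
    // name or the Content-Type header; index 2 is the IMAGETYPE_* constant.
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return null;
    }
    return ALLOWED_TYPES[$info[2]] ?? null;
}

function handleUpload(array $file): string {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return "There was an error uploading the file, please try again!";
    }
    // Reject paths that did not come from this request's multipart upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return "Invalid upload";
    }
    // Size is enforced server-side; MAX_FILE_SIZE in the form is advisory only.
    if (filesize($file['tmp_name']) > MAX_UPLOAD_BYTES) {
        return "File is too big";
    }
    $ext = safeExtensionFor($file['tmp_name']);
    if ($ext === null) {
        return "Only JPEG or PNG images are accepted";
    }
    do {
        $target = "upload/" . genRandomName() . "." . $ext;
    } while (file_exists($target));

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return "There was an error uploading the file, please try again!";
    }
    // Escape before echoing so the path cannot be rendered as markup.
    $safe = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
    return "The file <a href=\"$safe\">$safe</a> has been uploaded";
}

if (isset($_FILES['uploadedfile'])) {
    echo handleUpload($_FILES['uploadedfile']);
} else {
?>
<form enctype="multipart/form-data" action="index.php" method="POST">
Choose a JPEG or PNG to upload (max 1KB):<br/>
<input name="uploadedfile" type="file" /><br />
<input type="submit" value="Upload File" />
</form>
<?php } ?>
```

Two design notes. First, content sniffing alone is not enough: a file can carry a valid image header and still contain script text, so the allowlisted extension and the no-execution rule on the upload directory work together, and the directory rule is the one that actually stops server-side code from running. Second, the original handler's `$_POST["filename"]` is simply never read; there is no value in "validating" a field whose only legitimate purpose the server can compute itself.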