Below you can find my solution for the Zippy task from the Confidence Dragonsector CTF.
Proof of Concept:
Task source code:
How did we get the task source code?
Because of the include($page . '.php'); line we can download it using a PHP wrapper
We can upload any file and it’s checked by
Unfortunately we cannot download this binary, and we also don't have access to
After a few tries we noticed that the uploaded file needs to be valid
Also, there couldn't be any file with a .php extension inside this archive.
Why do we need a .php file inside the archive?
Because we can include it using another PHP wrapper:
Sadly, we cannot combine two zip wrappers together like:
So we need to find a way to upload a valid .zip file which has one .php file inside that is readable by the zip:// wrapper, while this name cannot be visible for
It's possible because each zip extractor can treat the stream differently.
For this task we use abstract.zip from Gynvael Coldwind's Ten Thousand Traps.
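The disagreement between extractors described above, shown from the checking side as an example added here (not the task's code and not Gynvael's abstract.zip): an audit that compares the names found by scanning the raw stream for local file headers with the names a central-directory reader lists. The fixture is a constructed assumption, two small archives concatenated back to back, which is a different and simpler construction than abstract.zip.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"   # local file header signature
EOCD_SIG = b"PK\x05\x06"    # end of central directory record signature


def scan_local_headers(data: bytes) -> list:
    """Collect every name that has a local file header anywhere in the stream,
    whether or not the central directory references it."""
    names, pos = [], data.find(LOCAL_SIG)
    while pos != -1 and pos + 30 <= len(data):
        # fixed local header is 30 bytes: compressed size at +18, name/extra lengths at +26
        csize = struct.unpack_from("<I", data, pos + 18)[0]
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        names.append(data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace"))
        pos = data.find(LOCAL_SIG, pos + 30 + name_len + extra_len + csize)
    return names


def audit_zip(data: bytes) -> dict:
    """Compare the raw stream with what a central-directory reader (here Python's
    zipfile, which trusts the last EOCD record) reports, and flag any .php name."""
    local = scan_local_headers(data)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        listed = zf.namelist()
    everything = set(local) | set(listed)
    return {
        "eocd_records": data.count(EOCD_SIG),        # a clean archive has exactly one
        "hidden": sorted(set(local) - set(listed)),  # in the stream, not in the listing
        "php_entries": sorted(n for n in everything if n.lower().endswith(".php")),
    }


def make_archive(entries) -> bytes:
    """Build a small stored archive in memory (fixture helper only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in entries:
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed fixture (an assumption; abstract.zip is built differently): two
# archives back to back. A reader that trusts only the final EOCD lists just
# readme_EndFirst.txt, while the stream still carries a local header for hidden.php.
DISGUISED = (make_archive([("hidden.php", b"placeholder body")])
             + make_archive([("readme_EndFirst.txt", b"nothing to see")]))

if __name__ == "__main__":
    print(audit_zip(DISGUISED))
```

An upload checker that only lists the central directory accepts the fixture; rejecting archives with more than one EOCD record or any hidden local entry closes that gap.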
You can download our final payload here.
When you open this file inside WinRAR or Total Commander, only the readme_EndFirst.txt file is visible.
But when you open it using show.php it displays
Inside this file we have:
so we can execute any PHP command.
The final solution looks like this: