Update: Below is a list of people who solved the CTF. Congrats folks!
- Dixie Flatline
- Cernica Ionut
- Dario D. Goddin
This post is the second part of the "Bypassing PHP Null Byte injection protections" blog post. If you want to try the CTF first before going through the write-up, head to the link first. Otherwise, keep on reading :)
The main trick described in this write-up relies on the fact that the Local File Include (LFI) vulnerability is exploitable, but with some restrictions imposed by the code. First, there is active filtering of path traversal sequences. Second, an image file extension (.png) is always appended to successfully uploaded files. Third, the server is running an up-to-date version of PHP that is not vulnerable to the well-known Null Byte Injection trick, so the appended extension cannot simply be cut off with a %00.
To bypass these restrictions and achieve Remote Code Execution through the aforementioned LFI vulnerability, one can use one of PHP's built-in stream wrappers, as described in detail in the next section of this write-up.
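The following PHP snippet is an added illustration, not the CTF's actual source code, which the write-up does not show. It models the three restrictions above as a minimal include handler (the traversal filter, the `.png` suffix on uploads, and the NUL byte refusal of current PHP), then shows what string would reach `include()` for three kinds of attacker input. The `zip://` wrapper used in the last attempt is only a generic example of a stream wrapper surviving a traversal-only filter; the wrapper actually used in the CTF is covered in the next section. Function names and the `uploads/` directory are assumptions.

```php
<?php
// Added illustration, not the CTF's own source. It models the three
// restrictions described above as a minimal include handler and shows
// what string reaches include() for three kinds of attacker input.

// Restriction 1: path traversal filter. Applied until nothing changes, so
// "....//" cannot collapse back into "../" after a single pass.
function strip_traversal(string $path): string
{
    do {
        $before = $path;
        $path   = str_replace(['../', '..\\'], '', $path);
    } while ($before !== $path);
    return $path;
}

// Restriction 2: every stored upload gets ".png" appended, whatever the
// client named the file. ("uploads/" is an assumed storage directory.)
function stored_upload_name(string $clientName): string
{
    return 'uploads/' . basename($clientName) . '.png';
}

// Restriction 3: current PHP. include()/require() refuse paths containing a
// NUL byte (warning since 5.3.4, ValueError on 8.x), so "%00" no longer
// truncates the path in front of the appended extension.
function contains_nul(string $path): bool
{
    return strpos($path, "\0") !== false;
}

// Returns the registered stream-wrapper scheme a path starts with, or null.
// The traversal filter above never inspects this prefix, which is the gap a
// wrapper-based include abuses.
function wrapper_scheme(string $path): ?string
{
    if (preg_match('#^([a-z][a-z0-9+.-]*)://#i', $path, $m) !== 1) {
        return null;
    }
    $scheme = strtolower($m[1]);
    return in_array($scheme, stream_get_wrappers(), true) ? $scheme : null;
}

// What the vulnerable include() would actually receive for a given ?page=.
function include_target(string $page): array
{
    $path = strip_traversal($page);
    return [
        'path'    => $path,
        'blocked' => contains_nul($path),    // true: PHP itself refuses it
        'wrapper' => wrapper_scheme($path),  // non-null: filter bypassed
    ];
}

$shell = stored_upload_name('shell.php');    // "uploads/shell.php.png"

foreach ([
    '../../../../etc/passwd',   // traversal: filtered down to "etc/passwd"
    "$shell\0",                 // null byte: rejected by current PHP
    "zip://$shell#shell.php",   // wrapper: reaches include() untouched
] as $attempt) {
    var_dump(include_target($attempt));
}
```

Run it with the PHP CLI: the first attempt loses its `../` sequences, the second is flagged as blocked, and the third passes through the filter unchanged with `wrapper` set to `zip` (only if the Zip extension is loaded; otherwise `wrapper_scheme()` correctly reports that no such wrapper is registered). The point is that a filter written for `../` says nothing about the scheme prefix, which is exactly where the write-up's bypass lives.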
When visiting the URL of the vulnerable application, one can see that it is a web app for uploading pictures:
Following the normal application flow first, I tried to understand how the application behaves and how the uploaded files are parsed by the code, with some simple tests: