Beyond
Checking how the web app is configured and how it was exploited, since the exploitation was essentially a blind attempt.
www-data@meta:/var/www/dev01.artcorp.htb/metaview$ cat index.php
<?php
require 'vendor/autoload.php';
function upload() {
$output = "";
if (isset($_FILES["imageUpload"])) {
$filepath = $_FILES['imageUpload']['tmp_name'];
$fileSize = filesize($filepath);
$fileinfo = finfo_open(FILEINFO_MIME_TYPE);
$filetype = finfo_file($fileinfo, $filepath);
if ($fileSize === 0 || $fileSize === false) {
return "The file is empty.";
}
if ($fileSize > 2097152) {
return "The file is too large (max 2MB)";
}
$allowedTypes = [
'image/png' => 'png',
'image/jpeg' => 'jpg'
];
if (!in_array($filetype, array_keys($allowedTypes))) {
return "File not allowed (only jpg/png).";
}
$filename = basename($filepath);
$extension = $allowedTypes[$filetype];
$targetDirectory = __DIR__ . "/uploads";
$newFilepath = $targetDirectory . "/" . $filename . "." . $extension;
if (!move_uploaded_file($filepath, $newFilepath)) {
return "Error during upload.";
}
return exiftool_exec($newFilepath);
}
}
$output = upload();
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
<meta name="description" content="" />
<meta name="author" content="" />
<title>MetaView</title>
<link href="css/bootstrap.min.css" rel="stylesheet" />
<link href="css/styles.css" rel="stylesheet" />
</head>
<body>
<div id="main_container" class="container h-100 d-flex">
<div class="jumbotron my-auto">
<h2>MetaView</h2>
<p>Upload your image to display related metadata.</p>
<form action="index.php" method="post" enctype="multipart/form-data">
<div class="input-group">
<div class="custom-file">
<input type="file" name="imageUpload" id="imageUpload" class="custom-file-input" onchange="this.nextElementSibling.innerText = this.files[0].name">
<label class="custom-file-label" for="imageUpload">Choose file..</label>
</div>
<div class="input-group-append">
<button type="submit" name="submit" class="btn btn-primary">Upload</button>
</div>
</div>
</form>
<?php if(!empty($output)): ?>
<div class="mt-3" id="output_data">
<pre><?php echo $output; ?></pre>
</div>
<?php endif; ?>
</div>
</div>
</body>
</html>
This is the index.php file of the web application.
The upload() function indeed contains a few filters checking the following:
- MIME type
- Extension
- Size
The exiftool_exec() function appears to be responsible for executing exiftool. However, the function is not defined in this script.
The index.php file also requires a script located at vendor/autoload.php.
vendor/autoload.php
www-data@meta:/var/www/dev01.artcorp.htb/metaview$ cat vendor/autoload.php
<?php
// autoload.php @generated by Composer
require_once __DIR__ . '/composer/autoload_real.php';
return ComposerAutoloaderInit0ab058e09de372062acb6e5bbd55b445::getLoader();
The vendor/autoload.php file is generated by Composer, a dependency manager for PHP. The file also requires Composer's autoloader at /composer/autoload_real.php.
Exiftool
root@meta:/var/www/dev01.artcorp.htb/metaview# cat lib/ExifToolWrapper.php
<?php
function exiftool_exec($newFilepath) {
// The path is passed through escapeshellarg() before being handed to the shell.
return shell_exec("exiftool " . escapeshellarg($newFilepath) . " --system:all --exiftool:all -e");
}
?>
The exiftool_exec() function is defined in the ExifToolWrapper.php file located in the /metaview/lib/ directory.
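As an added defensive counterpart to the wrapper above (example code written for this page, not the application's own), the same exiftool invocation run without a shell, confined to the uploads directory, bounded by a timeout, and HTML-escaped before it is echoed into the page. It assumes PHP 7.4 or later (array form of proc_open), the coreutils timeout binary, and the uploads path used in index.php.

```php
<?php
// Added example, not the application's code: hardened replacement for exiftool_exec().
// Assumptions: PHP >= 7.4, coreutils `timeout` in /usr/bin or /bin, uploads under __DIR__/uploads.
function exiftool_exec_hardened(string $newFilepath): string {
    // Only operate on files that really live under the uploads directory.
    $uploads = realpath(__DIR__ . '/uploads');
    $real    = realpath($newFilepath);
    if ($uploads === false || $real === false
        || strncmp($real, $uploads . DIRECTORY_SEPARATOR, strlen($uploads) + 1) !== 0) {
        return "Invalid file path.";
    }

    // Argument array: no shell is spawned, so no quoting or escaping is needed.
    // `timeout` bounds how long a malformed file can keep the parser busy.
    $cmd  = ['timeout', '10', 'exiftool', '--system:all', '--exiftool:all', '-e', $real];
    $spec = [
        0 => ['file', '/dev/null', 'r'], // no stdin
        1 => ['pipe', 'w'],              // stdout: the metadata listing
        2 => ['pipe', 'w'],              // stderr: kept out of the page
    ];
    // Minimal environment: exiftool should not inherit the web server's variables.
    $env  = ['PATH' => '/usr/bin:/bin'];
    $proc = proc_open($cmd, $spec, $pipes, $uploads, $env);
    if (!is_resource($proc)) {
        return "Error running exiftool.";
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);

    if ($status !== 0) {
        // Exit status 124 is `timeout` reporting that exiftool was killed.
        error_log("exiftool exit $status for $real: " . trim($stderr));
        return "Could not read metadata.";
    }
    // Metadata is user-controlled text; escape it before it lands inside <pre>.
    return htmlspecialchars($stdout, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

Keeping exiftool itself up to date remains the primary control; the wrapper only limits the blast radius of whatever the parser does with an uploaded file.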
www-data@meta:/var/www/dev01.artcorp.htb/metaview$ exiftool -ver -v
ExifTool version 12.23
Perl version 5.028001 (-C0)
platform: linux
optional libraries:
Archive::Zip (not installed)
Compress::Zlib 2.074
Digest::MD5 2.55
Digest::SHA 6.01
IO::Compress::Bzip2 2.074
Time::Piece 1.3204
Time::Local 1.25
Unicode::LineBreak (not installed)
IO::Compress::RawDeflate 2.074
IO::Uncompress::RawInflate 2.074