PHP - file_put_contents file manipulation

Question

I'm trying to write a PHP file on a server and to bypass the extension in the end.

This is the PHP file - 1.php:

<?php
file_put_contents("folder\\".$GET['file'].".PNG",$_GET['content']);
?>

I'm trying to bypass the PNG extension and to write a PHP file. like this:

1.php?file=attack.php%00&content=blabla

but it's not working

I tried:

Null char (%00,%u0000)

Long filename

CRLF chars

space char

?,&,|,>,<,(,),{,},[,],\,!,~,:,; chars

backspace char

../

php protocol

php://filter/write=convert.base64-decode/resource=1.php

(will not work because the folder in the begging)

Anyone have any idea?

Thanks!

Answer 1

There are several fundamental problems here;

• This code is very unsafe, I could set get as ../../1.php and overwrite this file to do whatever I want. It appears that you're doing some security testing however, so I guess that may be the problem
• php is not a protocal, it's a language so php://anything should not work.
• folder\\ doesn't make sense, what is this supposed to be/do?

That said though, for educational purposes prepending ../../ should allow you to escape out of the folder/ directory.

For example if this is in /home/Zak/mytest/ with the expectation of a directory within that called folder designated to store these PNG files, then a file of ../../zak_homedir should put a file at /home/Zak/zak_homedir.PNG due to relative path resolution.