Sharif University CTF Quals – Web 100
This was a classic command injection vulnerability. Command injection happens when user input is placed into an OS command that the application then executes. Here, that input was handled insecurely.
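As an added illustration (not the challenge's code), the PHP below contrasts a command string built by concatenating user input with two hardened forms. The `ping` utility, the function names and the sample inputs are assumptions.

```php
<?php
// Added illustration; NOT the challenge's dragon.php. The ping utility, the
// function names and the sample inputs are assumptions (constructed).

// Vulnerable pattern: input is concatenated into a string handed to the
// shell, so metacharacters in $host are interpreted by /bin/sh.
function build_command_unsafe(string $host): string
{
    return "ping -c 1 " . $host;
}

// Allow-list: letters, digits, dots and hyphens only, starting and ending
// with a letter or digit (so no leading "-" that could be read as an option).
function is_valid_host(string $host): bool
{
    return preg_match('/\A[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?\z/', $host) === 1;
}

// Hardened pattern 1: validate, then quote the value as one literal word.
function build_command_safe(string $host): ?string
{
    if (!is_valid_host($host)) {
        return null; // reject; do not try to "clean" the input
    }
    return "ping -c 1 " . escapeshellarg($host);
}

// Hardened pattern 2 (PHP 7.4+): pass an argv array so no shell is involved.
function run_without_shell(string $host): ?string
{
    if (!is_valid_host($host)) {
        return null;
    }
    $proc = proc_open(['ping', '-c', '1', $host], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Constructed inputs: only the strings are built and printed, nothing is run.
foreach (['example.com', '127.0.0.1', 'example.com; echo injected'] as $host) {
    printf("%-28s unsafe: %s\n", $host, build_command_unsafe($host));
    printf("%-28s safe:   %s\n", $host, build_command_safe($host) ?? '(rejected)');
}
```

The third input shows the difference: the unsafe builder returns a string the shell would split into two commands, while the hardened builder rejects it before any quoting is needed.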
The first thing to do was exploit an LFI (local file inclusion) vulnerability on the site, which lets us view the PHP code of files in the same directory. Sadly I forgot how I did this, but luckily I at least took a screenshot of the code. Here is the code of dragon.php, the page which has the command injection vulnerability.
Studying that code shows how the $command variable is constructed, and that it is possible to break out of it quite easily. It also allows you to pass an additional parameter called debug. After doing both and poking around a bit, I was able to come up with a final payload, which looked like this.


 
 
:) I don't understand
Where don't you understand, friend?