Let us look at the source code to find out what kind of vulnerability this is. Source code: <? Yeah, your guess is right!!! It is an SQL injection vulnerability.
First I tried 1' or '1'='1' # in the username field and got an "access denied" error message. After looking into the code once again, I found that we need to use double quotes instead of single quotes for our query to execute. Then I tried 1" or "1"="1" # in the username field and got the password for the next level. :) Successful login! The password for natas15 is AwWj***cvxr****gZ9J5****kmxdk***
Vulnerability: https://www.owasp.org/index.php/SQL_Injection
Remedy: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php
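The writeup points at the remedy link but does not show the fixed query, so here is an added example (not the natas14 source) of the unsafe query shape described above, where the username is interpolated into a double-quoted SQL literal, beside a parameterised rewrite. The table and column names and the in-memory SQLite table are assumptions made for the demonstration.

```php
<?php
// Added example, not the natas14 source: the unsafe query shape the writeup
// describes (double-quoted literal built from user input) beside a
// parameterised rewrite. Table and column names are assumed.

// Vulnerable shape. The username lands inside the SQL text, so input that
// closes the double-quoted literal and comments out the remainder changes the
// statement's logic. Shown only to contrast with the hardened version.
function userExistsUnsafe(PDO $pdo, string $username): bool
{
    $query = "SELECT * FROM users WHERE username=\"$username\"";
    return count($pdo->query($query)->fetchAll()) > 0;
}

// Hardened shape. The SQL text is fixed at prepare() time and the input is
// bound as a value, so quotes and comment characters are just data.
function userExistsSafe(PDO $pdo, string $username): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE username = :username LIMIT 1');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchColumn() !== false;
}

// Constructed in-memory table so the safe path can be exercised offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, password TEXT)');
$pdo->exec("INSERT INTO users VALUES ('alice', 'constructed-sample-password')");

$probe = '1" or "1"="1" #';   // the same input the writeup used
var_dump(userExistsSafe($pdo, $probe));   // compared as a literal string, so no row matches
var_dump(userExistsSafe($pdo, 'alice'));  // the genuine name still matches
```

For code review, any query assembled with "$var" or . $var and handed to query()/mysql_query() is a candidate finding; the quoting style (single or double) only changes which payload works, not whether the flaw exists.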
We need to upload an image of less than 1 KB, and the page provides a link to view the image after a successful upload. But this time they fixed the remote file inclusion issue by adding a secure function. Let us see whether it is totally secure or not :) Click the "view source code" link on the main page, and you can see the following code: <? The difference between the above code and the previous level's code is that the file signature (aka "magic bytes") is checked using the exif_imagetype function. After reading about file signatures at the following link, I understood a little about how file signatures work, so to bypass this function I took an image of less than 1 KB, opened it in Notepad++ and appended my PHP script at the end of the file. <?php I added an echo line to separate our password from the image data. I uploaded the file and followed the same process as in the previous level to change the extension to PHP.
Now I got the hyperlink to my PHP script; I visited that page and got the password for the next level. <Existing file data>==================="Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1 Natas14: Lg**M10****PyVBk****mbllQ5L6**** We need to upload an image of less than 1 KB, and the page provides a link to view the image after a successful upload. Solution: Click the "view source code" link on the main page, and you can see the following code: <?php The above shows that the makeRandomPathFromFilename function takes the uploaded file name and its extension and stores the file in the /upload/ directory under a random name created by the genRandomString function, and then provides a hyperlink to the file that was just uploaded. I created a small PHP script to display the password from the file /etc/natas_webpass/natas14 <?php and uploaded it; while uploading, I turned on the Tamper Data add-on in Firefox to change the file extension to .php in the POST data, because by default the POST data sends .jpg as the file extension.
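Both upload levels above fail for the same reason: the server trusts something the client controls (the extension in the POST data in one level, and in the next a magic-byte check that only inspects the start of the file). As an added example, not the natas upload code, here is the hardening a defender would apply: the extension is assigned server-side from the detected type, and the image is re-encoded through GD so that only pixel data is written to disk. The upload directory, size limit and form field name are assumptions.

```php
<?php
// Added example (not the natas12/natas13 upload code): a hardened version of
// the upload step. Upload directory, size limit and the form field name are
// assumed. Requires PHP 8 (match) and the GD extension.

const UPLOAD_DIR = __DIR__ . '/upload/';   // assumed; ideally outside the web root
const MAX_BYTES  = 1000;

// Image types we accept, mapped to the extension WE assign. The extension the
// client sends (the POST field tampered with in the writeup) is never used.
const ALLOWED = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];

function storeImage(string $tmpPath): ?string
{
    if (filesize($tmpPath) > MAX_BYTES) {
        return null;
    }
    // Magic-byte check: cheap, but it only proves the file STARTS like an image.
    $type = @exif_imagetype($tmpPath);
    if ($type === false || !array_key_exists($type, ALLOWED)) {
        return null;
    }
    // Re-encode through GD. Decoding and writing a fresh image keeps only the
    // pixel data, so bytes appended after the image (the trick in the writeup)
    // do not reach the stored file.
    $img = @imagecreatefromstring(file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }
    $name = bin2hex(random_bytes(8)) . '.' . ALLOWED[$type];   // server-chosen name and extension
    $dest = UPLOAD_DIR . $name;
    $ok = match ($type) {
        IMAGETYPE_JPEG => imagejpeg($img, $dest),
        IMAGETYPE_PNG  => imagepng($img, $dest),
        IMAGETYPE_GIF  => imagegif($img, $dest),
    };
    imagedestroy($img);
    return $ok ? $name : null;
}

if (isset($_FILES['uploadedfile']) && $_FILES['uploadedfile']['error'] === UPLOAD_ERR_OK) {
    $stored = storeImage($_FILES['uploadedfile']['tmp_name']);
    echo $stored === null ? 'Rejected.' : 'Stored as ' . htmlspecialchars($stored);
}
```

Re-encoding is the part that matters; exif_imagetype alone is a content-type hint, not a content guarantee. Independently of this code, the web server should be configured not to execute scripts from the upload directory at all, so that even a file that slips through is served as bytes rather than run.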
Now you can see the password for the next level. Natas 13: jmLTY0qi****aKc9341c****BJv7M***
Vulnerability: http://en.wikipedia.org/wiki/Remote_File_Inclusion
Remedy: http://www.esecurityplanet.com/browser-security/how-to-prevent-remote-file-inclusion-rfi-attacks.html
Solution: Check out the "view source code" link on the main page, and you can see the following code: <? The loadData function loads and verifies all the data, such as showpassword and bgcolor, using the XOR encrypt function. The saveData function sets the cookie value using the xor_encrypt function. saveData takes two inputs to encrypt: one is $defaultdata and the other is $key. $defaultdata XOR $key ==> encrypted data (cookie value). So, encrypted data XOR $defaultdata ==> $key. I wrote the following code using this concept and got the key: <?php Output (key): qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jq And another script to build the exact cookie value needed to get the natas12 password: <?php Cookie value for password="yes": ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK
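The key recovery above works because XOR is its own inverse and $defaultdata is public (it sits in the page source), so the cookie leaks the key stream. As an added example, not the natas11 code, the block below reproduces that property with a constructed key and then shows the defender's fix: the cookie is authenticated with an HMAC rather than "encrypted", so the client can read it but cannot alter it. The secret, the default data and the cookie layout are assumptions.

```php
<?php
// Added example (not the natas11 code). The xor_encrypt behaviour the writeup
// describes is reproduced here with a constructed key; the secret and cookie
// layout in the hardened version are assumed.

// Data XOR repeating key, as described in the writeup.
function xor_encrypt(string $in, string $key): string
{
    $out = '';
    for ($i = 0; $i < strlen($in); $i++) {
        $out .= $in[$i] ^ $key[$i % strlen($key)];
    }
    return $out;
}

// Why the writeup's first script works: XORing the known plaintext against
// the cookie returns the key stream (the key repeated to the data length).
$defaultdata = ['showpassword' => 'no', 'bgcolor' => '#ffffff'];
$key      = 'constructedKey';   // constructed sample, not the real natas key
$cookie   = xor_encrypt(json_encode($defaultdata), $key);
$recovered = xor_encrypt(json_encode($defaultdata), $cookie);   // key stream, same length as the data

// Hardened: authenticate the cookie. $secret never leaves the server, and a
// client that edits showpassword cannot produce a matching tag.
function saveDataSigned(array $d, string $secret): string
{
    $json = json_encode($d);
    $tag  = hash_hmac('sha256', $json, $secret);
    return base64_encode($json) . '.' . $tag;
}

function loadDataSigned(string $cookie, string $secret, array $default): array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return $default;
    }
    $json = base64_decode($parts[0], true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $secret), $parts[1])) {
        return $default;   // malformed or tampered: fall back to the defaults
    }
    $d = json_decode($json, true);
    return is_array($d) ? $d : $default;
}

$secret = 'constructed-server-secret';   // constructed; load from configuration in practice
$signed = saveDataSigned($defaultdata, $secret);
$loaded = loadDataSigned($signed, $secret, $defaultdata);   // round-trips unchanged
$forged = loadDataSigned(str_replace('no', 'yes', $signed), $secret, $defaultdata);   // tag mismatch, defaults returned
```

hash_equals is used for the tag comparison so that the check does not leak timing information; a plain == on the two strings would be the usual second mistake after the first one of relying on XOR with a reusable key.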
I then changed the cookie value (data) using the Cookie Manager+ add-on in Firefox and retrieved the password for the next level. The password for natas12 is EDXp****6wLKHZy1****UZk0RKfL**** Natas 9: Solution: Check out the "view source code" link on the main page, and you can see the following code: <? Looking at the line passthru("grep -i $key dictionary.txt"); we can see that the command is executed without any sanitisation, so this code is vulnerable to command injection. I tried some commands in the input field. For example, I tried ; cd /etc/; dir; in the input field and could see all the file names in /etc, so I concluded that command injection works. As the main page says "All passwords are also stored in /etc/natas_webpass/", I tried executing the cat command and retrieved the password for the next level. The input string to get the key is ; cat /etc/natas_webpass/natas9; Natas 10: W0mMh****nG8dc****qvk3JA9lGt****
Vulnerability: Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by an attacker to introduce (or "inject") code into a computer program to change the course of execution. The results of a code injection attack can be disastrous.
Remedy: http://stackoverflow.com/questions/1205889/how-to-prevent-code-injection-attacks-in-php
Natas 10: Solution: Check out the "view source code" link on the main page, and you can see the following code: <? This time they filter the symbols ;, | and $ using preg_match... But the code or command injection vulnerability still exists, so we need to find a way to access the file without these symbols.
After a long search on Google I found an idea in the grep command: it can dump the whole content of whatever path we point it at. For example, grep .* /folder1/folder2/ reveals all data from all the files inside folder2. So I gave the input .* /etc/natas_webpass/natas10 and got the key :) natas11: U82q****MQ9xuF****YX61s7OZD9**** Natas 8: Solution: Check out the "view source code" link on the main page, and you can see the following code: <? Looking at this code, I wrote the following simple PHP script to recover the secret from the $encodedSecret variable. <?php I ran this code at http://writecodeonline.com/php4/ and got the secret oubWYf2kBq
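The natas9 and natas10 levels above show why a blacklist of shell metacharacters is not a fix: the grep line still receives user input as unquoted shell text, and a space is enough to turn one argument into two. As an added example, not the natas code, here are the two defensive options a reviewer would suggest for that dictionary lookup: quote the input as a single argument behind an allow-list, or drop the shell entirely and search in PHP. The dictionary path and the request parameter name are assumptions.

```php
<?php
// Added example (not the natas9/natas10 code): the dictionary lookup the
// writeup targets, hardened two ways. File location and parameter name assumed.

const DICT = __DIR__ . '/dictionary.txt';   // assumed location

// Option A: keep grep, but pass the key as ONE quoted argument. escapeshellarg()
// wraps it in single quotes, so ';', '|', '$' and spaces can neither start a
// new command nor become a second argument (the ".* /path" input in the
// writeup only works because the space splits the input into two arguments).
// The allow-list on top of that is what a blacklist of symbols should have been.
function searchWithGrep(string $key): string
{
    if (!preg_match('/^[A-Za-z0-9]{1,32}$/', $key)) {
        return '';
    }
    $cmd = 'grep -i -- ' . escapeshellarg($key) . ' ' . escapeshellarg(DICT);
    return (string) shell_exec($cmd);
}

// Option B (preferred): no shell at all. Read the file in PHP and match the
// key literally; there is nothing for injected shell syntax to reach.
function searchWithoutShell(string $key): array
{
    if ($key === '' || strlen($key) > 32) {
        return [];
    }
    $lines = file(DICT, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return [];
    }
    return array_values(array_filter(
        $lines,
        fn(string $line): bool => stripos($line, $key) !== false
    ));
}

if (isset($_REQUEST['needle'])) {
    foreach (searchWithoutShell((string) $_REQUEST['needle']) as $hit) {
        echo htmlspecialchars($hit), "\n";
    }
}
```

Option B also removes the process spawn, so it is both safer and cheaper; Option A is the minimal change when the grep must stay. The -- in the grep command stops a key beginning with - from being read as an option, a separate class of argument injection that the character blacklist on the page never considered.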
I submitted this secret and got the key for the next level. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
Vivek N, June 2017