Natas 9:

Solution: Check out the "View sourcecode" link given on the main page. There you can notice the following line:

passthru("grep -i $key dictionary.txt");

Seeing this line, we can understand that the command is executed without any sanitation of $key, so this code is vulnerable to command injection. So I tried some commands in the input field. For example, I tried ; cd /etc/; dir; in the input field and I could see all the file names in /etc. So I concluded that command injection works. Since the main page says "All passwords are also stored in /etc/natas_webpass/", I tried executing the cat command and retrieved the next level password.

Input string to get the key: ; cat /etc/natas_webpass/natas9;

Natas 10 password: W0mMh****nG8dc****qvk3JA9lGt****

Vulnerability: Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by an attacker to introduce (or "inject") code into a computer program to change the course of execution. The results of a code injection attack can be disastrous.

Remedy: http://stackoverflow.com/questions/1205889/how-to-prevent-code-injection-attacks-in-php

Natas 10:

Solution: Check out the "View sourcecode" link given on the main page. You can notice that this time they filter symbols like ; , | and $ using the preg_match function, but the command injection vulnerability still exists. So we need to find a way to access the file without these symbols.

After a long search on Google I found an idea in the grep command itself: grep can be made to dump whole files. For example, if we use grep .* /folder1/folder2/ then it reveals all data from all the files inside folder2. So I gave the input .* /etc/natas_webpass/natas10 and I got the key :)

Natas 11 password: U82q****MQ9xuF****YX61s7OZD9****
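The two levels above show the same root cause twice: user input is spliced into a shell command, and in Natas 10 a denylist of a few characters is added on top. As an added example (written for this writeup, not the Natas source), the PHP below puts the unsafe pattern, the denylist as the writeup describes it, and two hardened versions side by side. The file name dictionary.txt comes from the writeup; the exact denylist regex, the allowlist, and the helper names are assumptions.

```php
<?php
// Added example for this writeup (not Natas code). The filter regex and the
// allowlist are assumptions modelled on the writeup's description.

// Natas 9 pattern: $key is interpolated straight into a shell command.
// This helper only builds the command string so it can be inspected safely.
function build_unsafe_command(string $key): string
{
    return "grep -i $key dictionary.txt";
}

// Natas 10 pattern as the writeup describes it: a denylist of ; | $ (assumed regex).
// Spaces and "." are still allowed, so $key can smuggle extra grep arguments such
// as another file path, which is exactly the weakness the writeup describes.
function denylist_accepts(string $key): bool
{
    return !preg_match('/[;|$]/', $key);
}

// Hardened variant 1: allowlist the characters, then pass the key as a single
// quoted argument and end option parsing with "--" so a key beginning with "-"
// cannot be read as a grep option. Returns null when the key is rejected.
function build_safe_command(string $key): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $key)) {
        return null; // reject rather than trying to clean the input up
    }
    return 'grep -i -- ' . escapeshellarg($key) . ' dictionary.txt';
}

// Hardened variant 2: avoid the shell entirely. preg_grep over the file's lines
// gives the same case-insensitive substring match with no command executed.
function search_without_shell(string $key, string $path = 'dictionary.txt'): array
{
    $lines = file($path, FILE_IGNORE_NEW_LINES);
    if ($lines === false) {
        return [];
    }
    return array_values(preg_grep('/' . preg_quote($key, '/') . '/i', $lines));
}

// Demonstration with a normal term and the two inputs quoted in the writeup.
$inputs = [
    'apple',                             // ordinary search term
    '; cat /etc/natas_webpass/natas9;',  // Natas 9 input from the writeup
    '.* /etc/natas_webpass/natas10',     // Natas 10 input from the writeup
];
foreach ($inputs as $in) {
    printf("input: %s\n", $in);
    printf("  unsafe command  : %s\n", build_unsafe_command($in));
    printf("  denylist accepts: %s\n", denylist_accepts($in) ? 'yes' : 'no');
    printf("  safe command    : %s\n", build_safe_command($in) ?? '(rejected)');
}

// Shell-free search against a constructed dictionary file.
$tmp = tempnam(sys_get_temp_dir(), 'dict');
file_put_contents($tmp, "apple\nBanana\napricot\n");
print_r(search_without_shell('AP', $tmp)); // apple and apricot, case-insensitively
unlink($tmp);
```

Running it shows the Natas 9 input being stopped by the denylist while the Natas 10 input passes it, and both being rejected by the allowlist; the point for a defender is that the denylist argues about characters while the allowlist argues about what a valid search term looks like, and the preg_grep version removes the shell from the picture altogether.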
June 2017
Vivek N