Wednesday, September 12, 2012

Solution for bright-shadows.net : Exploit 02 Analyze This 1

This is the link to the original challenge: http://www.bright-shadows.net/challenges/exploits/exploit_analyse1/index.php
However, you will need to register before you can attempt to solve it.


Tools Used: ---

This challenge is about Directory Traversals.

There are 2 scripts, and the goal is to supply an input for the GET parameter url that gains access to /user/www/index.php

Let's take a look at the first script:
$url   = str_replace("../","",$_GET['url']);
$hfile = fopen("/user/www/challenges/$url", "r");
These 2 lines are the important part.

The script replaces all instances of "../" with "". The replacement is done in a single pass and the result is not checked again. As the fopen function starts in the challenges folder, you have to traverse 1 directory up to access the goal.

This filter can be easily bypassed by entering something like ".../...//index.php".
After the filter removes the two "../" sequences, the remaining characters join up and the fopen function opens the following file:
/user/www/challenges/../index.php

Let's take a look at the second script:
if((strpos($_GET['url'],"../") === false)
     AND (strpos($_GET['url'],"://") === false)){

     $hfile = fopen("$url", "r");
These 3 lines are the important part.

The script checks whether the input contains the character sequence "../" or "://". If it does, it displays an error page and aborts the opening of the file. In this case, we are unable to perform reverse directory traversal.

However, on a closer look, the fopen function uses the url parameter directly, without any path prefix or suffix. It is possible to get to the goal page by just entering the exact directory path "/user/www/index.php".
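
To see why both checks fail and what a containment check looks like, here is an added example that is not part of the challenge's code. It re-creates the two filters from the excerpts above and compares them with a hypothetical safe_resolve() helper, assuming files are only meant to be served from the challenges directory; the temp directory and file names are constructed for the demo.

```php
<?php
// Added example, not the challenge's code. The directory tree is constructed
// in a temp dir to mirror /user/www and /user/www/challenges from the write-up.

// Filter from the first script: a single pass whose output is not rescanned.
function filter_v1(string $url): string {
    return str_replace("../", "", $url);
}

// Check from the second script: rejects only two substrings.
function check_v2(string $url): bool {
    return strpos($url, "../") === false && strpos($url, "://") === false;
}

// Hypothetical hardened helper: canonicalise, then require the result to be
// inside $base. Returns the real path, or null if it is missing or outside.
function safe_resolve(string $base, string $url): ?string {
    $root = realpath($base);
    if ($root === false) {
        return null;
    }
    $real = realpath($root . DIRECTORY_SEPARATOR . $url);
    if ($real === false) {
        return null;
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

$www  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid("www_");
$base = $www . DIRECTORY_SEPARATOR . "challenges";
mkdir($base, 0700, true);
file_put_contents("$www/index.php", "goal");      // constructed stand-in for the goal
file_put_contents("$base/page.txt", "allowed");   // constructed in-scope file

$inputs = [
    "page.txt",              // legitimate request
    ".../...//index.php",    // script 1 input from the write-up
    "$www/index.php",        // script 2 input from the write-up (absolute path)
];
foreach ($inputs as $in) {
    printf("%-40s v1 -> %-16s v2 passes: %-5s safe_resolve: %s\n",
        $in, filter_v1($in), var_export(check_v2($in), true),
        var_export(safe_resolve($base, filter_v1($in)), true));
}
```

The helper decides on the canonical path that realpath() returns rather than on the characters of the input, so it does not depend on which spelling of the path was supplied.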

Enjoy =D

thegrayone
