Axino.net

hackthissite.org extbasic 6 :: Sucky Sysadmin

by Arxleol on Monday 04.01.2010, under hackthissite.org, php, tutorial

In the 6th extended basic mission, we have to exploit a PHP server that is configured to import request parameters as global variables (the register_globals setting).

Mission introduction:

This site is run by a new sysadmin who does not know much about web configuration
The script is located at http://moo.com/moo.php

Attempt to make the script think you are authed by entering the correct URI.

Here is the script (me.php):

Script we have to exploit:

<?php
// Credentials are read from the query string of the GET form below.
$user = $_GET['user'];
$pass = $_GET['pass'];
if (isAuthed($user, $pass))
{
    $passed = TRUE;
}
// $passed is never given a default value: if the authentication check
// fails, whatever the server already holds in $passed is what gets compared.
if ($passed == TRUE)
{
    echo 'you win';
}
?>
<form action="me.php" method="get">
<input type="text" name="user" />
<input type="password" name="pass" />
</form>
<?php
// Defined after its first use; PHP hoists top-level function definitions,
// so the call above still resolves. It rejects every login attempt.
function isAuthed($a, $b)
{
    return FALSE;
}
?>

Now notice that the form passes its parameters through the GET method. This means that if the server is misconfigured to turn request parameters into global variables, we can set any other variable in the script simply by adding it to the URL. Before we proceed, however, we have to examine the code.

The function isAuthed always returns FALSE, so no combination of username and password will ever authenticate us. The third variable, $passed, is the real control variable: if it is TRUE we win. Note that $passed is never initialised before the comparison, so whatever the server imports into it from the request is what the check sees. Now we have to figure out how to craft the URL so that $passed becomes TRUE.

From the introduction we know the script is located at http://moo.com/moo.php, so to pass a variable through GET we append ?passed=somevalue, and $passed will then hold the value somevalue.

So the final URL is:

http://moo.com/moo.php?passed=TRUE
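For comparison, here is a hardened version of me.php. This is an added example, not the mission's script: the control variable is given a default before any request data is looked at, inputs are read explicitly from the request array, and the comparison is strict, so an injected passed=TRUE is overwritten rather than trusted even if the server still imports request parameters as globals. The credential store and demo password are constructed for the example.

```php
<?php
// Hardened me.php (added example, not the mission's code).
// Two changes close the hole the tutorial walks through:
//   1. $passed is initialised before any request data is consulted, so a
//      request parameter auto-imported into $passed is overwritten.
//   2. Request data is read explicitly from $_POST; nothing depends on
//      variables the server may or may not have imported for us.
// The fix does not depend on GET vs POST; POST is used so that
// credentials do not end up in access logs and browser history.
declare(strict_types=1);

function isAuthed(string $user, string $pass): bool
{
    // Constructed credential store for the demo. In a real deployment the
    // hash is precomputed and stored server-side, never recomputed per request.
    $users = [
        'demo' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ];
    if (!isset($users[$user])) {
        return false;
    }
    return password_verify($pass, $users[$user]);
}

// Explicit default for the control variable, set BEFORE any input is read.
$passed = false;

$user = isset($_POST['user']) ? (string) $_POST['user'] : '';
$pass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';

if ($user !== '' && isAuthed($user, $pass)) {
    $passed = true;
}

// Strict comparison: only the boolean true assigned above reaches this branch,
// not a string "TRUE" or "1" arriving from the request.
if ($passed === true) {
    echo 'you win';
}
?>
<form action="me.php" method="post">
<input type="text" name="user" />
<input type="password" name="pass" />
</form>
```

Run it on a server with register_globals on and the ?passed=TRUE trick from above no longer works, because the assignment at the top replaces the imported value before the check.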

2 comments for this entry:
  1. Gregory Despain

    I simply wanted to add a comment here to say thanks for your very nice ideas. Blogs are troublesome to run and time consuming, therefore I appreciate when I see well written material. Your time isn't going to waste with your posts. Thanks so much and carry on. You'll definitely reach your goals! Have a great day!
