SecurityOverride hacking challenges: summary of solution ideas (Advanced)

Source: Internet
Author: User
Tags phpinfo

This continues my write-up of solution ideas for the SecurityOverride hacking challenges; this time the Advanced set is finished. It mainly involves attacks on PHP, which makes it a good basis for understanding them in depth.

3 Advanced

3.1 PHP Sucks

This challenge exploits the weakness caused by cross-type comparison with == in PHP. The ultimate goal is to make $input == "0000" true. That part is easy: in PHP, any numeric string is converted to a number before the comparison, so the input can be any form of 0. However, the filter adds a final regular-expression check, preg_match("/^[\d]{1,}$/D", $input), which means the input cannot consist purely of digits. This is also relatively simple: use a property of 0 (elementary knowledge: 0 equals negative 0), so an input of -0 works.

PS: PHP's rules for loose (weakly typed) comparison: http://php.net/manual/en/types.comparisons.php
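
The comparison described in 3.1, next to a strict version, as an added example (not the challenge's own source, which the page does not show). The function names and the reject-then-compare logic are assumptions based on the description above; the sample list goes beyond -0 to other spellings of zero that PHP treats as numeric strings.

```php
<?php
// Added illustration; the challenge's real source is not shown on the page.
// Assumed logic: reject digit-only input, then loosely compare with "0000".

function loose_check(string $input): bool
{
    if (preg_match('/^[\d]{1,}$/D', $input)) {
        return false;            // digit-only input is filtered out
    }
    return $input == "0000";     // two numeric strings are compared as numbers
}

function strict_check(string $input): bool
{
    // Hardened form: === compares type and bytes, with no numeric conversion.
    return $input === "0000";
}

// Constructed sample inputs.
$samples = ["0000", "0", "-0", "0.0", "0e5", "+0", "abc", ""];

foreach ($samples as $s) {
    printf(
        "%-8s loose=%-5s strict=%s\n",
        var_export($s, true),
        var_export(loose_check($s), true),
        var_export(strict_check($s), true)
    );
}
```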

3.2 Obfuscated PHP

This challenge tests whether you can work out the code logic despite the obfuscation. There is no shortcut; it has to be cleaned up by hand. After removing the junk comments and semicolons there is actually not much code left. Then decode the encoded parts and substitute function return values directly, and the logic becomes clear. After tidying up, the code logic is as follows:

<?php
session_start();

$_u = array();
$_u[0] = 'server_addquery_stringrequest_methodhttp_accept'; // a string
$_u[1] = 'substr';        // substr function
$_u[2] = 'base64_decode'; // decode method

// Can be simply understood as: split the query string on "="
$_§§§§§§§ = preg_split('/(?!\\##\$\$\$uu)=/', $_SERVER['QUERY_STRING']);
${"_g_1"} = urldecode($_§§§§§§§[0]); // key
${"_g_2"} = $_GET[${"_g_1"}];        // value
if (levenshtein(${"_g_1"}, ${"_g_2"}) == 0) { // parameter key and value must be the same
    validate_result(${"_g_2"});
}

function validate_result($result) { // value must be phpinfo(); to succeed (semicolon required)
    if ($result === 'phpinfo();') {
        $_SESSION["Solved_advanced_2"] = true;
        header("Location: ./");
    }
}

echo "Good luck. <a href='./'>Back to the challenges main page.</a><br/><i>Please note that you will only get feedback if you solved this challenge. Wrong attempts don't generate any output at all.</i>";
highlight_file('code.php');
?>

After that it is simple to construct a URL that meets the requirements.

3.3 Upload Bypass

The task is to bypass the filter and upload a PHP script. General approach:

1) Upload a .php file directly (failed).
2) Upload the .php file, but change the Content-Type in the POST body to image/jpg (failed).
3) Upload a normal jpg file with a PHP script hidden in it (Linux command: cat test.php >> image.jpg, or use a tool to add it as a comment; keep the image simple or a solid colour so that image bytes do not interfere with PHP parsing).

The third step solves the challenge.

The next question is how to get the PHP script inside the jpg executed. After reading up and experimenting, only these two methods look feasible:

· Include or require this JPG file in another PHP file
<?php
// File name taken from a GET parameter
include('images/' . $_GET['test.jpg']);
require('images/' . $_GET['test.jpg']);

// File name taken from a POST parameter
include('images/' . $_POST['test.jpg']);
require('images/' . $_POST['test.jpg']);

// Fixed file name
include('test.jpg');
require('test.jpg');
?>

· Map the JPG format to PHP in /etc/apache2/mods-available/php5.conf
<FilesMatch ".jpeg">
SetHandler application/x-httpd-php
</FilesMatch>
Modifying .htaccess works on the same principle (I tried it briefly, without success).

Since the challenge already mentions that a local file inclusion exists, the first method is the simple way to execute the PHP script: it basically means using injection to control the variable passed to include or require, so that the script executes.
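
From the defender's side, step 3 works because the filter accepts any file that looks like a JPEG and stores its bytes unchanged. The following added example (not code from the challenge) re-encodes an upload so that only pixel data is kept. It assumes the GD and fileinfo extensions; store_jpeg() and its parameters are hypothetical names, and the sample upload is constructed inline.

```php
<?php
// Added illustration: requires the GD and fileinfo extensions.
// store_jpeg() and its $destDir parameter are hypothetical names.

function store_jpeg(string $tmpPath, string $destDir): ?string
{
    // Decide by file content, never by the client-sent Content-Type or name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== 'image/jpeg') {
        return null;
    }
    // Decode and re-encode: only pixel data survives, so bytes appended
    // after the image and JPEG comment segments are dropped.
    $img = @imagecreatefromjpeg($tmpPath);
    if ($img === false) {
        return null;
    }
    // Server-chosen random name with a fixed extension.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(8)) . '.jpg';
    return imagejpeg($img, $dest, 90) ? $dest : null;
}

// Constructed sample: a solid-colour JPEG with a PHP tag appended (step 3).
$tmp = tempnam(sys_get_temp_dir(), 'up');
imagejpeg(imagecreatetruecolor(8, 8), $tmp);
file_put_contents($tmp, "<?php echo 'marker'; ?>", FILE_APPEND);

$stored = store_jpeg($tmp, sys_get_temp_dir());
if ($stored === null) {
    unlink($tmp);
    exit("upload rejected\n");
}

// Does each file still contain a PHP open tag?
echo "uploaded file: ";
var_dump(strpos(file_get_contents($tmp), '<?php') !== false);
echo "stored copy:   ";
var_dump(strpos(file_get_contents($stored), '<?php') !== false);

unlink($tmp);
unlink($stored);
```

Re-encoding only limits what the stored file contains; an include or require on a user-controlled path is still what lets a stored file run.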

3.4 Local File Inclusion/WAF Bypass

The research from 3.3 pays off here: 3.4 asks you to execute the uploaded file (the file path was given when the upload in 3.3 succeeded; mine is /challenges/advanced/uploads/ac3sk9j.jpg, and I do not know whether it is the same for everyone). As mentioned in 3.3, PHP code inside a JPG can be executed if the file reaches a function such as include or require. On entering 3.4, I noticed that the URL carries a parameter named page. I tried modifying it and, as expected, got an error hint: test.php cannot be found. The goal is now clear: modify the page parameter so that it points to the JPG file. Since .. represents the parent folder, the relative path is easy to write: ../uploads/ac3sk9j.jpg. Sending that request gives: uploads/ac3sk9j.jpg.php cannot be found. Two things are wrong: 1) ../ is filtered out; 2) the file name is ac3sk9j.jpg.php instead of ac3sk9j.jpg. Each needs its own solution:

· Filtering of a particular string. The simplest implementation is a string replace, and the corresponding bypass is just as simple: build a string like aabb. When the ab in the middle is removed, a new ab is formed. Here that is written as ....// and that is all. So a string-replace filter is as good as no filter.

· The .php suffix. The site clearly appends a .php suffix to every requested path. A search on Google turns up two main bypass strategies: 1) Take advantage of the maximum file path length of 4096 bytes and build a very long file path by appending arbitrary /. sequences. I expected that such a long URL would be rejected by the server with a 414, so I did not try it. 2) Use the C string terminator: put a terminator before .php to truncate the path. %00 is the usual example, but it did not work when I tried it. Later, in an example, it was found, and succeeded.

With that, this challenge is solved as well. While looking for information, I learned something new about the local file inclusion vulnerability: how to get a script written to a file. Besides uploading a file directly, you can use any process in which the server writes user-supplied information to a file. For example, the server may record the User-Agent of requests (/proc/self/environ), the URL (access.log), or login usernames and passwords in some log file, and this information can be controlled by the attacker (User-Agent and URL appear to be recorded by the Apache server; the paths are given above, though they may vary with the configuration). So in this case you only need to modify the corresponding value and send a request to the server; the PHP script is then written to a file on the server, and all that remains is to execute it.
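
The string-replace filter and the appended .php suffix from 3.4, reconstructed beside two hardened resolvers, as an added example (not the challenge's code). All function names, the page map and the temporary directory layout are assumptions; the inputs are the ones discussed above.

```php
<?php
// Added illustration; function names, the page map and paths are assumed.

// Filter as the write-up infers it: strip "../" once, then append ".php".
function naive_resolve(string $page): string
{
    return str_replace('../', '', $page) . '.php';
}

// Hardened: the parameter only selects an entry from a fixed map and is
// never concatenated into a filesystem path.
function allowlist_resolve(string $page): ?string
{
    $pages = ['home' => 'pages/home.php', 'test' => 'pages/test.php'];
    return $pages[$page] ?? null;
}

// Alternative for dynamic lookups: canonicalise first, then require the
// result to stay inside the base directory.
function contained_resolve(string $baseDir, string $page): ?string
{
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $page . '.php');
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed inputs, including the "....//" form from the write-up.
foreach (['test', '../uploads/ac3sk9j.jpg', '....//uploads/ac3sk9j.jpg'] as $p) {
    printf("%-26s naive=%-26s allowlist=%s\n",
        $p, naive_resolve($p), var_export(allowlist_resolve($p), true));
}

// Constructed directory tree to exercise contained_resolve().
$root = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir("$root/pages", 0700, true);
mkdir("$root/uploads", 0700);
touch("$root/pages/test.php");
touch("$root/uploads/x.php");
var_dump(contained_resolve("$root/pages", 'test'));
var_dump(contained_resolve("$root/pages", '../uploads/x'));
```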

Copyright notice: This is the blogger's original article and may not be reproduced without the blogger's permission.
