user6905078

Where's vulnerability in this php code?

I'm solving the problems of codeshell.kr

```php
<?php
  include("./config.php");

  $foo = $_GET['______foo_adm1nkyj______'];
  $check = urldecode($_SERVER['QUERY_STRING']);

  if(preg_match("/_| /i", $check))
  {
      die("no hack ~_~");
  }
  if($foo == "adm1nkyj")
  {
      echo $flag;
  }

  echo "<br/>";
  highlight_file(__FILE__);
?>
```

What should I do to get the $flag? And what is the vulnerability in this code? Is it in $_GET? Or in preg_match()? I can't find it despite searching on Google.

Upvotes: 2

Views: 950

Answers (2)

Shira

Reputation: 6560

The solution is this:

http://123.111.158.161/codeshell/prob2/?......foo.adm1nkyj......=adm1nkyj

It works because PHP replaces dots and spaces with underscores in the keys of the request data arrays ($_GET, $_POST, $_REQUEST, $_COOKIE).

From PHP docs:

Note: Dots and spaces in variable names are converted to underscores. For example <input name="a.b" /> becomes $_REQUEST["a_b"].

This is probably a relic from times when register globals was still a thing.

Upvotes: 4

Scalpweb

Reputation: 1971

The issue is actually pretty simple when you know about one thing: PHP replaces the dots in GET variable names with underscores.

The script checks if there is an underscore in the GET variable name and, if so, dies. So it cannot reach the point where it checks the GET variable's value. But if you replace the underscores with dots, it goes through.

Just call this url:

123.111.158.161/codeshell/prob2/?......foo.adm1nkyj......=adm1nkyj

Upvotes: 2
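To make the mismatch both answers describe concrete, here is an added example (not code from the question or either answer) that runs the challenge's raw-query-string check side by side with a check on the parameter names PHP actually produces. It uses parse_str(), which applies the same dot/space-to-underscore conversion as the population of $_GET; the query strings are constructed for the demonstration.

```php
<?php
// Added example: compares a filter on the raw QUERY_STRING with a filter on
// the normalized parameter names PHP hands to the script. The lesson for a
// defender is that input validation must run on the data in the form the
// application will consume it (the keys of $_GET), not on the raw wire form.

function rawFilterBlocks(string $queryString): bool {
    // The challenge's check: reject a raw query string containing '_' or ' '.
    return preg_match("/_| /i", urldecode($queryString)) === 1;
}

function parsedKeys(string $queryString): array {
    // parse_str() performs the same name mangling as $_GET population:
    // '.' and ' ' in a parameter name become '_'.
    parse_str($queryString, $params);
    return array_keys($params);
}

function keyFilterBlocks(string $queryString): bool {
    // Validate the names PHP will actually use, after normalization.
    foreach (parsedKeys($queryString) as $name) {
        if (preg_match("/_| /", (string) $name) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed query strings: the literal underscore form, the dotted form
// from the answers above, and a harmless parameter.
$cases = [
    '______foo_adm1nkyj______=adm1nkyj',
    '......foo.adm1nkyj......=adm1nkyj',
    'safe=1',
];

foreach ($cases as $qs) {
    printf("%-36s raw-filter:%-6s keys:%-26s key-filter:%s\n",
        $qs,
        rawFilterBlocks($qs) ? 'block' : 'pass',
        implode(',', parsedKeys($qs)),
        keyFilterBlocks($qs) ? 'block' : 'pass');
}
```

For the dotted query string the raw filter passes while parse_str() still yields the key `______foo_adm1nkyj______`, which is exactly why the key-based check is the one that matches the script's later lookup.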
