Level 2 – A1 Injection (CTF)

November 3, 2015 | Views: 3522


This is the Level 2 write-up of the Info Sec Institute Capture the Flag for Practical Web Hacking. I’ll be going over the process I used to “Capture the Flag” and then I’ll explain how the web page is vulnerable.

The vulnerability on http://ctf.infosecinstitute.com/ctf2/exercises/ex2.php is Injection and the instructions tell me that the goal is to run phpinfo() to get information about the server.

The first thing I do is test the two input fields by submitting non-number inputs. For example, I wanted to know what you get when you try adding (dog + cat). I get an error message “Invalid Operands!”. That tells me they are doing input validation on the two input fields. I’m not going to be able to use these inputs.

Next, I try the only other input that is being sent to the server: the operator. To test it, I simply open the dev tools in my Chrome browser by pressing F12. In the Elements tab, I can see the HTML, so I find the drop-down list and change the value of “+” to “=”. When I try to calculate the result, I get another error message: “An error occurred when making the calculation :(“. Since this is a generic error, I can assume that they probably aren’t doing any input validation on the operator.

Since the code is on the server side, I can’t analyze the code for flaws. However, since I know that one of the inputs is not being validated, I can try and speculate how the code could be written with a vulnerability in it.

So, next I try to reverse engineer how the server-side code is written. Since I know that the operands can’t be exploited, I focus on my only option: the operator.

My first attempt to reverse engineer the calculator used if statements to do the calculation (see the code example below). But this didn’t seem to have any vulnerabilities in it, because the operator is only compared against a string, never executed.

// one branch per operator; the operator string is only compared, never executed
if ($operator == "+") {
    $result = $operand_one + $operand_two;
}
echo 'The result of ' . $operand_one . ' ' . $operator . ' ' . $operand_two . ' is: ' . $result;

For the code to be vulnerable, it would need to use an unsafe method, and I happen to know of one in PHP: eval(). My second attempt to reverse engineer the calculator, this time using eval(), looks like this:

// the operator is spliced into source code and executed; the backslash keeps
// $result literal so eval() assigns to it instead of interpolating it into the string
eval("\$result = $operand_one $operator $operand_two;");
echo 'The result of ' . $operand_one . ' ' . $operator . ' ' . $operand_two . ' is: ' . $result;

Now, if the application does in fact use the eval() method to perform the calculation in a manner similar to the code above, then I should be able to escape out of the calculation by using a semicolon (;), since the semicolon ends the assignment statement and whatever follows it is executed as PHP code.

So, if I submit “;phpinfo();” as my operator, then I should be able to get back the information about the server I wanted. I could also run whatever other PHP code I wanted. This indeed works, so I know they’re using an unsafe method in their code.

This example had two weaknesses in the way the code was written, and together they created the vulnerability. Either weakness on its own would be just that, a weakness, and would not be exploitable. The first weakness is that the operator input was not validated. The second is the use of a dangerous method, eval(). If you still wanted to use eval() in this case, then you would need to validate the operator by making sure it only accepts the arithmetic operators and that a user can’t supply whatever they want.
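To show what fixing both weaknesses looks like, here is an added example of how the calculator could be written safely. This is my own code, not the CTF’s server-side code; the function names isValidOperator() and calculate() and the sample request list are assumptions made for the illustration. The operator is checked against a strict allowlist and the arithmetic is done with a switch, so no user input ever reaches eval().

```php
<?php
// Added example (not the CTF's own code): a calculator that keeps the structure
// the write-up reverse-engineered but removes both weaknesses.
// Weakness 1 fix: the operator is checked against an allowlist.
// Weakness 2 fix: the arithmetic is done with a switch, never with eval().

declare(strict_types=1);

const ALLOWED_OPERATORS = ['+', '-', '*', '/'];

/** True only when $op is exactly one of the four allowed operator strings. */
function isValidOperator(string $op): bool
{
    // strict comparison: "+;", " +" and ";phpinfo();" are all rejected
    return in_array($op, ALLOWED_OPERATORS, true);
}

/**
 * Perform the calculation or throw InvalidArgumentException.
 * Operands must be numeric strings; the operator must be allowlisted.
 */
function calculate(string $a, string $b, string $op): float
{
    if (!is_numeric($a) || !is_numeric($b)) {
        throw new InvalidArgumentException('Invalid Operands!');
    }
    if (!isValidOperator($op)) {
        throw new InvalidArgumentException('Invalid Operator!');
    }
    $x = (float) $a;
    $y = (float) $b;
    switch ($op) {
        case '+':
            return $x + $y;
        case '-':
            return $x - $y;
        case '*':
            return $x * $y;
        case '/':
            if ($y == 0.0) {
                throw new InvalidArgumentException('Division by zero');
            }
            return $x / $y;
    }
    // unreachable because of isValidOperator(), but keeps the function total
    throw new LogicException('unhandled operator');
}

// Constructed sample requests (in a real page these would come from $_POST).
$requests = [
    ['1', '2', '+'],            // normal use, prints 3
    ['dog', 'cat', '+'],        // rejected operands
    ['1', '2', ';phpinfo();'],  // the write-up's injection string, now rejected
];
foreach ($requests as [$a, $b, $op]) {
    try {
        echo "The result of $a $op $b is: " . calculate($a, $b, $op) . "\n";
    } catch (InvalidArgumentException $e) {
        // do not echo the rejected input back; log it server-side instead
        echo 'Rejected: ' . $e->getMessage() . "\n";
    }
}
```

The strict third argument to in_array() matters: without it PHP’s loose comparison can match values you did not intend, and the whole point of the allowlist is that only the four exact operator strings ever pass. Running the script shows the first request computed, the second rejected with the CTF’s own “Invalid Operands!” message, and the injection string rejected before any code could be executed.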


Thanks and I hope this was helpful!

8 Comments
  1. Great Stuff !

    Cheers

  2. Really great to see a real ‘whitehat’ mindset! 😉

  3. Very nice. New to me.

  4. Fairly good steps.

  5. Good writeup.
    I like how you clearly explain the steps as well as your thinking/approach to be able to recreate the exploit.
