
Level 2 - A1 Injection (CTF)


By: bestiaNXN

November 3, 2015

This is the Level 2 write-up of the InfoSec Institute Capture the Flag for Practical Web Hacking. I'll be going over the process I used to "Capture the Flag" and then I'll explain how the web page is vulnerable.

The vulnerability is Injection, and the instructions tell me that the goal is to run phpinfo() to get information about the server.

The first thing I do is test the two input fields by submitting non-number inputs. For example, I wanted to know what you get when you try adding (dog + cat). I get an error message: "Invalid Operands!". That tells me they are doing input validation on the two input fields. I'm not going to be able to use these inputs.

Next, I try the only other input that is being sent to the server: the operator. To test it, I simply open the dev tools in my Chrome browser by pressing F12. In the Elements tab, I can see the HTML, so I find the dropdown list and change the value of "+" to "=". When I try to calculate the result, I get another error message: "An error occurred when making the calculation :(". Since this is a generic error, I can assume that they probably aren't doing any input validation on the operator.

Since the code is on the server side, I can't analyze the code for flaws. However, since I know that one of the inputs is not being validated, I can try to speculate how the code could be written with a vulnerability in it.

So, next I try to reverse engineer how the server-side code is written. Since I know that the operands can't be exploited, I focus on my only option: the operator.

My first attempt to reverse engineer the calculator involved using if statements to do the calculation (see code example below). But this didn't seem to have any vulnerabilities in it.

    // Guess 1: one branch per operator; an unexpected operator matches no branch.
    if ($operator == "+") {
        $result = $operand_one + $operand_two;
    }
    echo 'The result of ' . $operand_one . ' ' . $operator . ' ' . $operand_two . ' is: ' . $result;

For the code to be vulnerable, it would need to use an unsafe method, and I just happen to know of one for PHP: eval(). My second attempt to reverse engineer the calculator using eval() looks like this:

    // Guess 2: the whole expression is built from user input and handed to eval().
    // \$result is escaped so the assignment happens inside the evaluated code
    // instead of interpolating an undefined variable into the string.
    eval("\$result = $operand_one $operator $operand_two;");
    echo 'The result of ' . $operand_one . ' ' . $operator . ' ' . $operand_two . ' is: ' . $result;

Now, if the application does in fact use the eval() method to perform the calculation in a similar manner to the code above, then I should be able to escape out of the calculation by using a semicolon (;).

So, if I submit ";phpinfo();" as my operator, then I should be able to get back the information about the server I wanted. I could also run whatever other PHP code I wanted. This indeed works, so I know they're using an unsafe method in their code.

This example had two weaknesses in the way the code was written that created this vulnerability. If either weakness were present by itself, it would be just that, a weakness, and not exploitable. The first weakness is that the operator input was not validated. The second weakness is the use of a dangerous method: the eval() method. If you still wanted to use eval() in this case, then you need to validate the operator by making sure it only accepts operators, so that a user can't put in whatever they want.

Thanks and I hope this was helpful!
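To show what the closing advice looks like in practice, here is an added example of the same calculator written so that neither weakness is present. It is not the challenge's own server code; the function names, the error messages beyond the two quoted in the write-up, and the sample inputs are my own construction. The operator is checked against a fixed whitelist before it is used for anything, and the arithmetic is dispatched through a lookup table, so eval() is never called at all (it assumes PHP 7.4 or later for the arrow functions).

```php
<?php
// Added example, not the CTF's server code: a calculator that never passes
// user input to eval(). Operators are looked up in a fixed table, operands
// must be numeric, and anything else is rejected before it is interpreted.

declare(strict_types=1);

/** Whitelist: the only operator strings the application will accept. */
function allowed_operators(): array
{
    return [
        '+' => fn(float $a, float $b): float => $a + $b,
        '-' => fn(float $a, float $b): float => $a - $b,
        '*' => fn(float $a, float $b): float => $a * $b,
        '/' => fn(float $a, float $b): float => $a / $b,
    ];
}

/**
 * Validate and evaluate one calculation.
 * Throws InvalidArgumentException for any input that fails validation,
 * reusing the challenge's "Invalid Operands!" message for the operand case.
 */
function calculate(string $operand_one, string $operator, string $operand_two): float
{
    // Operand validation, which the challenge already performed.
    if (!is_numeric($operand_one) || !is_numeric($operand_two)) {
        throw new InvalidArgumentException('Invalid Operands!');
    }

    // Operator validation, which the challenge lacked: an exact match against
    // the whitelist. "=", ";phpinfo();" or any other string never reaches
    // a code path that could interpret it.
    $ops = allowed_operators();
    if (!array_key_exists($operator, $ops)) {
        throw new InvalidArgumentException('Invalid Operator!');
    }

    $a = (float) $operand_one;
    $b = (float) $operand_two;

    if ($operator === '/' && $b == 0.0) {
        throw new InvalidArgumentException('Division by zero');
    }

    return $ops[$operator]($a, $b);
}

// Constructed sample requests (in the real page these would come from $_POST).
$samples = [
    ['2', '+', '3'],            // valid: 5
    ['dog', '+', 'cat'],        // rejected: Invalid Operands!
    ['2', '=', '3'],            // rejected: Invalid Operator!
    ['2', ';phpinfo();', '3'],  // rejected: Invalid Operator!
];

foreach ($samples as [$a, $op, $b]) {
    // Escape user-supplied strings before echoing them, since the real page
    // renders into HTML.
    $shown = htmlspecialchars("$a $op $b", ENT_QUOTES, 'UTF-8');
    try {
        $result = calculate($a, $op, $b);
        echo "The result of $shown is: $result\n";
    } catch (InvalidArgumentException $e) {
        echo "Rejected ($shown): " . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8') . "\n";
    }
}
```

The important design choice is that the operator is used only as an array key: the server never builds a string of PHP source from request data, so there is nothing for a semicolon to escape out of. If a team really did want to keep eval() for some reason, the same array_key_exists() check against a whitelist would be the minimum needed to make the operator safe, but removing eval() entirely is the simpler and more defensible fix.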