CyberTalents | Hashable
Writeup of a medium-rated Web Exploitation challenge from CyberTalents
Challenge Name
- Hashable
Challenge Description
- A famous enterprise blog was hacked, can you figure out how it was hacked?
Write-Up
Navigating to the provided URL, you will be presented with the following web page:
- There is a contact page, where a user can input his Name, email address and the Message he wants to send.
- There are some posts in /post.php. Each post is referred to with an ID:
SQL Injection - Failed:
At first, I injected the classic ' into the id parameter (http://cybertalentslabs.com/post.php?id=1') to see if I could trigger an error, and that was the case:
I tried to manually exploit this SQL Injection vulnerability but I failed. I then decided to test it with SQLmap, but unfortunately I got nothing. It’s most likely a rabbit hole or something like this.
Code Injection in /contact.php:
In /contact.php, you can enter a Name, an email address and a Message you want to send to the administrators.
The first thing I tried was injecting the classic XSS payload <script>alert('XSS')</script> in the Name and Message fields, but nothing popped up. After that, I injected the same payload prepended with " to escape a double quote symbol if there is any, and I got an interesting error message from the server:
- The error message indicates that there is a Syntax Error in the eval() function.
eval() - Security Risk
The eval() function evaluates and executes a string as PHP code at runtime.
For example:
$info = 'phpinfo();';
eval($info);
- Running this code will result in the execution of phpinfo().
Since the eval() function allows the execution of arbitrary code, it is a security risk whenever the string it receives is built from input that is not properly validated. If user input is passed directly to eval(), the result is a Code Injection vulnerability: whoever controls the input controls which PHP code runs.
phpinfo():
First of all, I injected the payload "phpinfo(); into the Message field, and I got the following error message:
- This Syntax Error indicates that a closing parenthesis ) is expected instead of phpinfo().
To get around this error message, I injected the payload ")phpinfo(); which places the closing parenthesis ) before phpinfo();:
- As you can see, we managed to get around the error, but we got another one to deal with.
At this point, I’m assuming that, in the backend, there is a function inside eval() that handles user input. In other words, in order to inject phpinfo() and have it executed by eval(), we need to escape the function call and then place our injected PHP code (which is phpinfo();) separated by a semicolon ; in order to get something like this:
eval('randomfunction(); phpinfo();');
- Here, eval() will execute the function as well as phpinfo().
For example, if the eval() call is as follows:
eval('randomfunction("' . $_POST['name'] . '", "' . $_POST['email'] . '", "' . $_POST['message'] . '");');
Then, we need to inject something like this:
"); phpinfo(); //
so that the code eval() executes becomes like this:
randomfunction("$_POST['name']", "$_POST['email']", ""); phpinfo(); //");
- In this case, eval() will execute randomfunction() with the first two parameters, $_POST['name'] and $_POST['email'], while the third parameter $_POST['message'] is now an empty string. After that, eval() will execute phpinfo();, and the // comments out what is left of the original randomfunction() call so it no longer causes a syntax error.
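To make the two points above concrete (the eval() - Security Risk section and the breakout walkthrough just given), here is an added example of my own; it is not the challenge's source, which the writeup never shows. It builds the same kind of string the backend is assumed to pass to eval(), but only prints it so the effect of the breakout is visible, and contrasts it with a handler that keeps the form fields as data. The handler name store_message() and the sample submissions are assumptions; the breakout string is the writeup's own phpinfo() payload.

```php
<?php
// Added example, not the challenge's code. Shows why splicing form fields
// into a string that is later parsed as PHP is a code injection bug, and
// what the fix looks like: call the function directly, never eval() a string.

// Hypothetical backend function the contact form hands its fields to (name assumed).
function store_message(string $name, string $email, string $message): string
{
    return sprintf('stored: name=%s email=%s message=%s', $name, $email, $message);
}

// VULNERABLE PATTERN: the submitted values are concatenated into source code.
// This function only returns the string that eval() would receive; it never
// calls eval(), so it is safe to run while inspecting the result.
function build_eval_string(array $post): string
{
    return 'store_message("' . $post['name'] . '", "'
        . $post['email'] . '", "' . $post['message'] . '");';
}

// SAFE PATTERN: validate the fields as data and pass them as arguments.
// No string is ever interpreted as code, so a quote or a ; in the message
// cannot change control flow; it is just part of the stored text.
function handle_contact_safe(array $post): string
{
    $name    = trim((string)($post['name'] ?? ''));
    $email   = filter_var((string)($post['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    $message = trim((string)($post['message'] ?? ''));

    if ($name === '' || $email === false || $message === '') {
        return 'rejected: invalid input';
    }
    return store_message($name, $email, $message);
}

// Constructed sample submissions (values are made up for this example).
$benign = [
    'name'    => 'Alice',
    'email'   => 'alice@example.com',
    'message' => 'Hello',
];
$breakout = [
    'name'    => 'Alice',
    'email'   => 'alice@example.com',
    'message' => '"); phpinfo(); //',   // the writeup's payload
];

// With the benign submission the string is one function call.
echo build_eval_string($benign), PHP_EOL;

// With the breakout the string now contains a second statement and the
// remainder of the original call is commented out, exactly as described above.
echo build_eval_string($breakout), PHP_EOL;

// The safe handler treats the same payload as an ordinary message.
echo handle_contact_safe($breakout), PHP_EOL;
```

Run it with php on the command line. The second printed line has the shape the writeup derives, store_message("Alice", "alice@example.com", ""); phpinfo(); //");, which is why eval() would execute phpinfo() in the vulnerable design. The third line shows the fix: handle_contact_safe() never parses the message, so the payload is stored as text. Escaping quotes before eval() only narrows the problem; removing eval() from the path of user input removes it.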
Flag:
After confirming the existence of the code injection vulnerability, we can execute OS commands on the server via eval() using the system() function:
- Executing id via the payload "); system('id'); //
- Executing ls via the payload "); system('ls'); //
- Reading the content of flag_23894ABCX1.txt via the payload "); system('cat flag_23894ABCX1.txt'); //