
Websec.fr level 25 - baby steps

The level

image

image

// source.php
<?php
if (!isset($_GET['page'])) {
  header('Location: http://websec.fr/level25/index.php?page=main');
  die();
}
?>
<!DOCTYPE html>
<!-- A smooth level by kkadosh -->
<html>
<head>
  <title>#WebSec Level TwentyFive</title>
  <link rel='stylesheet' href='../static/bootstrap.min.css' />
</head>
  <body>
      <div id='main'>
          <div class='container'>
              <div class='row'>
                  <h1>LevelTwentyFive</h1>
              </div>
              <div class='row'>
                  <p class='lead'>
                        You can <cite>include any page so long as it is <s>black</s> not the <code>flag.txt</code> one</cite>. As usual, the source code is <a href='source.php'>free</a>.<br>
                  </p>
                    <!--
                        Yeah, the webserver is configured so that you can't directly access .txt files :)
                        And no, PHP wrappers aren't the only way to have fun!
                    -->
              </div>
          </div>
          <div class='container'>
              <div class='row'>
                  <label for='user_id'>Enter the page you want to include:</label>
                  <form name='username' method='get'>
                      <div class='form-group col-md-2'>
                          <input type='text' class='form-control' id='page' name='page' value='main' required>
                      </div>
                      <div class='col-md-2'>
                          <input type='submit' class='form-control btn btn-default' name='send'>
                      </div>
                  </form>
              </div>
            <p class='well'>
                  <?php
                  parse_str(parse_url($_SERVER['REQUEST_URI'])['query'], $query);
                  foreach ($query as $k => $v) {
                      if (stripos($v, 'flag') !== false)
                          die('You are not allowed to get the flag, sorry :/');
                  }

                  include $_GET['page'] . '.txt';
                  ?>
        </p>
          </div>
      </div>
  </body>
</html>

OK, I am looking at the loop at the end of the file:

<?php

parse_str(parse_url($_SERVER['REQUEST_URI'])['query'], $query);

foreach ($query as $k => $v) {
    if (stripos($v, 'flag') !== false)
        die('You are not allowed to get the flag, sorry :/');
}

include $_GET['page'] . '.txt';
?>

So, it parses the request URI, splits its query string into parameters, and for every parameter value checks (case-insensitively) whether it contains the word "flag". If one does, the script dies before the include.

An example of how it works:

image

Now, something interesting you need to know about parse_url(): it may return a broken result if the URL is mangled a little. Let's see how!

image

So, what do we have here? A malformed URL makes parse_url() return false. Good! Indexing ['query'] on false yields null, so parse_str() leaves $query as an empty array, the foreach never runs, and the "flag" check is skipped entirely. Meanwhile PHP populates $_GET['page'] from the query string on its own, so we can just go to that URL and the GET request will reach the flag page for us.

https://websec.fr///level25///index.php?page=flag

image

The flag!!! Thanks for reading.
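The root cause is that the filter validates a value it reconstructs from REQUEST_URI while the include uses $_GET, which PHP fills in independently; any disagreement between the two parsers bypasses the check. The following PHP is an added example, not code from the level or from the write-up's author: it reproduces that mismatch on two constructed request URIs and shows a hardened replacement for the include that validates the exact value it uses against an allowlist (the page names and file layout are assumed).

```php
<?php
// Added example (not part of the original level or write-up). It shows why
// re-parsing REQUEST_URI is the wrong place to validate $_GET, and how an
// allowlist on the value actually used removes the need for a word filter.
// The request URIs below are constructed; run with `php this_file.php`.

// How the level's filter sees a request: it re-parses REQUEST_URI itself.
function level_filter_sees(string $requestUri): array {
    $parts = parse_url($requestUri);              // false on a malformed URI
    $rawQuery = is_array($parts) ? ($parts['query'] ?? '') : '';
    parse_str($rawQuery, $query);
    return $query;                                // [] when parse_url() failed
}

// How PHP itself populates $_GET: from QUERY_STRING, i.e. everything after the
// first '?', regardless of how odd the path part looks.
function php_get_sees(string $requestUri): array {
    $pos = strpos($requestUri, '?');
    parse_str($pos === false ? '' : substr($requestUri, $pos + 1), $get);
    return $get;
}

// Hardened replacement for `include $_GET['page'] . '.txt'`: check the value
// that will be included, and only accept names from a fixed list. Anything
// else (flag, ../something, php:// wrappers) is simply not on the list.
const ALLOWED_PAGES = ['main', 'about', 'contact'];   // assumed page names

function resolve_page(?string $page): ?string {
    if ($page === null || !in_array($page, ALLOWED_PAGES, true)) {
        return null;                              // unknown page: refuse to include
    }
    return __DIR__ . '/' . $page . '.txt';        // assumed location of the page files
}

// Demonstration: a normal URI and the '///' variant from the write-up.
foreach (['/level25/index.php?page=flag', '///level25///index.php?page=flag'] as $uri) {
    printf("%-36s filter sees %-18s \$_GET sees %s\n",
        $uri,
        json_encode(level_filter_sees($uri)),
        json_encode(php_get_sees($uri)));
}

// The allowlist decides on the same value the include would use.
var_dump(resolve_page('main'));   // string(...) ".../main.txt"
var_dump(resolve_page('flag'));   // NULL
```

The second URI is the one the write-up uses: parse_url() rejects it, so the filter sees an empty array, while $_GET still carries page=flag. With resolve_page() the outcome no longer depends on how the path was written, because the decision is made on $_GET['page'] itself and only a known name ever reaches include.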

This post is licensed under CC BY 4.0 by the author.