Write-up piapiapia(6) – 0ctf 2016 Quals

Firstly, thanks to Phieu Lang, my idol Law.io and "meepwn.CLGT" for holding the boot camp and capturing the flags together. We finished with 41 points and ranked 12th (scoreboard).

Starting with piapiapia (6), we have the source code. After reading it and building it on localhost, I saw that we can register, log in and update profile information. Register, login and update information are all filtered carefully, so injection or XSS through them would be very difficult. But it is easy to spot something in the avatar image upload: when we upload an image there is no filtering of the content at all; the only change is that the file is stored as filename_tosave = md5(filename_upload). Of course we should not bother with a PHP shell, because the uploaded file is never executed as PHP. JavaScript is another matter. I tried uploading an "image" whose content was the JavaScript alert('xam'), and something fun happened ^_^ (screenshot).
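To make the point concrete, here is an added example (not code from the challenge or from this write-up) that models the two sides of the upload described above: the vulnerable pattern that only hashes the file name and never looks at the bytes, beside a hardened version that decides the type from the leading bytes, names the file from that server-side decision, and fixes the headers the file will be served with. The sample uploads are constructed for the example; the size limit, the `/upload/` prefix and the helper names are assumptions, not values from the challenge.

```python
import hashlib

# Constructed sample uploads for this example; none of these are files from the challenge.
PNG_UPLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JPEG_UPLOAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
JS_UPLOAD = b"<script>alert('xam')</script>"
# A GIF header followed by HTML: passes a magic-byte check, so the response headers matter too.
POLYGLOT_UPLOAD = b"GIF89a" + b"<script>alert('xam')</script>"

# Leading bytes -> (MIME type, extension). Only the three formats an avatar needs.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ("image/png", "png"),
    b"\xff\xd8\xff": ("image/jpeg", "jpg"),
    b"GIF87a": ("image/gif", "gif"),
    b"GIF89a": ("image/gif", "gif"),
}
MAX_AVATAR_BYTES = 512 * 1024  # assumed limit for the example


def hashed_name(filename: str) -> str:
    """The only transformation the write-up describes: md5 of the uploaded name.
    md5 is fine here because the hash is a storage name, not a security control."""
    return hashlib.md5(filename.encode()).hexdigest()


def vulnerable_upload(filename: str, content: bytes) -> dict:
    """Pattern from the write-up: rename, store, never inspect the bytes.
    Whatever the client sent is later served back under /upload/<md5>."""
    return {"path": "/upload/" + hashed_name(filename), "content": content}


def sniff_image(content: bytes):
    """Return (mime, extension) from the leading bytes, ignoring the client's
    file name and Content-Type, both of which the uploader controls."""
    for magic, kind in MAGIC.items():
        if content.startswith(magic):
            return kind
    return None


def hardened_upload(filename: str, content: bytes) -> dict:
    """Accept only content that starts like an image, name it by the server-side
    type, and pin the headers it will be served with so a browser never treats
    the bytes as HTML. Re-encoding the image with an image library would be
    stronger still (it strips polyglot payloads entirely); that step is omitted here."""
    if len(content) > MAX_AVATAR_BYTES:
        raise ValueError("avatar too large")
    kind = sniff_image(content)
    if kind is None:
        raise ValueError("upload is not a PNG, JPEG or GIF")
    mime, ext = kind
    return {
        "path": f"/upload/{hashed_name(filename)}.{ext}",
        "content": content,
        "headers": {
            "Content-Type": mime,                 # fixed by the server, not the client
            "X-Content-Type-Options": "nosniff",  # no MIME sniffing of the body
        },
    }


def accepted_by_hardened(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if the hardened path stores the upload."""
    try:
        hardened_upload(filename, content)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("vulnerable stores script:", vulnerable_upload("xam.png", JS_UPLOAD)["path"])
    print("hardened accepts script:", accepted_by_hardened("xam.png", JS_UPLOAD))
    print("hardened accepts PNG:", accepted_by_hardened("xam.png", PNG_UPLOAD))
    print("polyglot served as:", hardened_upload("x.gif", POLYGLOT_UPLOAD)["headers"])
```

The polyglot case is why the magic-byte check alone is not the fix: `GIF89a<script>...` passes it, so the served Content-Type and `nosniff` are what keep the browser from executing the body.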

I decided to write a JavaScript shell that creates a PHP file to read $flag from config.php.
SHELL

But it did not work. Maybe the web server has no permission to create that file.

Let's try to log in as 'admin'.

From the source code, this table appears to have only two columns, 'username' and 'password'.


Trying to log in with (user:password) = (admin:admin) fails (screenshot).


But looking carefully, there is no check after the filter. That means we can bypass the login through registration.

Something I learned from my idol "Tsu": "admin\000" ~ "admin". The username with a trailing NUL byte is a different string when registration checks for an existing user, yet it ends up matching the existing 'admin' row once stored.

I registered an account ("admin\000":"admin") and then logged in with ("admin":"admin"). Success, I have the 'admin' account! ^.^
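The registration bypass above, as an added example that is not part of the original write-up and not the challenge's PHP: a small model of register/login in which the existence check compares the raw submitted string while the storage layer collapses the value, beside a hardened register that canonicalises before checking. The storage-layer behaviour (cut at the first NUL byte, like a C string) is an assumption; the write-up only records that "admin\000" ~ "admin". The admin password is a constructed placeholder.

```python
import re

# Constructed value for the example; the real admin password was never known to us.
ADMIN_PASSWORD = "not-the-real-admin-password"


def fresh_db() -> dict:
    """A one-table model of the app: username -> password, with admin already present."""
    return {"admin": ADMIN_PASSWORD}


def stored_form(username: str) -> str:
    """Assumed behaviour of the storage layer: the value is cut at the first NUL
    byte, as a C string would be. This is what makes "admin\\000" ~ "admin"."""
    return username.split("\x00", 1)[0]


def register_vulnerable(db: dict, username: str, password: str) -> bool:
    """Existence check on the raw submitted string, then a write through the
    storage layer. The two disagree about what "admin\\000" is."""
    if username in db:                      # "admin\x00" != "admin": does not fire
        return False
    db[stored_form(username)] = password    # lands on the existing "admin" row
    return True


def login(db: dict, username: str, password: str) -> bool:
    """Login goes through the same storage layer as the write."""
    return db.get(stored_form(username)) == password


# Strict allow-list: every accepted username is already in its canonical form,
# so the string that is checked is the string that is stored.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def register_hardened(db: dict, username: str, password: str) -> bool:
    """Reject anything outside the allow-list before any lookup; "admin\\000"
    never reaches the existence check, let alone the write."""
    if USERNAME_RE.fullmatch(username) is None:
        return False
    if username in db:
        return False
    db[username] = password
    return True


if __name__ == "__main__":
    db = fresh_db()
    print("register admin\\x00:", register_vulnerable(db, "admin\x00", "admin"))
    print("login admin:admin  :", login(db, "admin", "admin"))
    db = fresh_db()
    print("hardened register   :", register_hardened(db, "admin\x00", "admin"))
    print("login admin:admin  :", login(db, "admin", "admin"))
```

The model writes over the existing row; a variant where the database keeps both rows and the login query simply matches the attacker's one gives the same takeover. Either way the fix is the same: normalise or reject the username before the existence check, not after.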

Now update the profile information with the JavaScript shell, log out and wait for the bot to check my profile ('admin' is the bot).

Finally we have the flag. Bravo!! (screenshot)

Suddenly, someone else checked this bot too, amazing!!!


Because the server was brought down, everything shown here was done on localhost.

If you see any problem, please leave a comment below!

Thanks for reading.
