status: hidden
title: Sup'Internet — Cybersécurité — HTTP
slug: e5eoGhcoh3phiD-supinternet-cybersecurite-http
robots: noindex
# Attaques via HTTP
Chaque exemple suivant vous fournit le contenu d'un fichier PHP.
Copiez simplement le PHP dans un `index.php` dans un dossier vide de
votre choix et démarrez-y PHP simplement avec le serveur de dev :
```
$ php -S localhost:8080 -d zend.assertions=1
```
Chaque code contient un `flag`, le but est de récupérer ce flag via
HTTP. Évidemment vous connaissez le flag à l'avance, vous l'avez vu,
vous l'avez copié avec le code, le but reste de réussir à l'obtenir
via http://localhost:8000/.
## Injection de code
<?php

/* flag: sup3rs3cr3t */

// Exercise: the "solve" query parameter is concatenated into PHP source
// text and handed to eval(), so whoever controls the query string controls
// the code this process executes (code injection / remote code execution).
// There is no safe way to eval() request input; the mitigation is to never
// build code from it — parse or allow-list the expected value instead.
if (isset($_GET['solve']))
    // eval() only yields a value when the evaluated code `return`s one, so
    // the outer echo prints nothing; any output comes from the inner `echo`
    // contained in the evaluated string.
    echo eval('echo ' . $_GET['solve'] . ';');
else
    echo 'Missing "solve" in query string';
## Injection de code — protection
<?php

/* flag: sup3rs3cr3t */

// Exercise: the same eval() of request input as the previous example, with
// a substring deny-list placed in front of it. A deny-list of names is not
// a security control for eval(): it can only reject the exact spellings it
// lists, while the evaluated string remains arbitrary PHP. The mitigation
// is to remove eval() from the request path, not to extend the list.
if (isset($_GET['solve']))
{
    // Case-sensitive byte substrings rejected anywhere in the parameter.
    $blacklisteds = ['file_get_contents', 'open', 'exec', '`', 'shell', 'cmd', 'system'];
    foreach ($blacklisteds as $blacklisted)
    {
        // strpos() returns the offset or false; `!== FALSE` is required
        // because a match at offset 0 is falsy.
        if (strpos($_GET['solve'], $blacklisted) !== FALSE)
        {
            die("No way.");
        }
    }
    // Still code injection: the value reaches eval() unchanged.
    echo eval('echo ' . $_GET['solve'] . ';');
}
## Basic Auth
<?php

// Exercise: HTTP Basic authentication checked by hand.
// The password is regenerated on every request, so guessing it is not the
// point; the weaknesses are in how and when the check is applied.
// NOTE(review): rand() is not a CSPRNG; a real secret would come from
// random_bytes() / random_int().
$admin_password = "Just_Imagine_You_Dont_Know_It_" . (string)rand();

// The credential check is only performed for GET and POST requests; for
// any other request method execution continues straight to the echo
// below. Authentication must be enforced unconditionally, before any
// protected output is produced.
if ($_SERVER['REQUEST_METHOD'] == 'GET' ||
    $_SERVER['REQUEST_METHOD'] == 'POST')
{
    // Loose `!=` against the expected header value. When the request
    // carries no Authorization header this index is undefined (notice)
    // and null is compared. Prefer validating the header is a string and
    // comparing with hash_equals() to avoid type juggling and timing leaks.
    if ($_SERVER['HTTP_AUTHORIZATION'] != 'Basic ' .
        base64_encode("root:" . $admin_password))
    {
        header('HTTP/1.0 401 Unauthorized');
        // NOTE(review): the realm value is missing its closing double quote.
        header('WWW-Authenticate: Basic realm="Admin Zone');
        die();
    }
}

// Reached when the check above did not terminate the request.
echo "Access Granted!! You got root!";
echo "Flag: Sup3rS3cr3t";
## File storage
<form method="post" enctype="multipart/form-data">
    <input type="file" name="file">
    <input type="submit" value="upload">
</form>
<pre>
<?php

// Exercise: file upload guarded only by a client-declared content type.
$flag = 'sup3rs3cr3t'; // defined here but never printed by this script

$uploaddir = './uploads';
// Accepted values for $_FILES['file']['type']. That field is the
// Content-Type the client declared for the multipart part; PHP does not
// derive it from the file bytes, so it is not a validation of what was
// uploaded. Inspect the content server-side (e.g. finfo) and allow-list
// extensions instead.
$whitelist = ['image/jpeg', 'image/png'];

// `@` hides the failure when the directory already exists or cannot be
// created; check the return value / is_dir() rather than suppressing it.
// NOTE(review): the literal duplicates $uploaddir.
@mkdir("./uploads", 0700);

// Destination keeps the client-supplied file name (basename() only strips
// directory components) inside a directory that is linked to below, i.e.
// served back to clients. Safer: generate a random server-side name,
// restrict the extension, and store uploads outside the document root.
// Note that $_FILES['file'] is read here before the isset() check below,
// so a plain GET triggers an undefined-index notice.
$uploadfile = $uploaddir . '/' . basename($_FILES['file']['name']);

// in_array() without `true` (strict); harmless for strings, but strict
// comparison is the habit to keep.
if (isset($_FILES['file']) && !in_array($_FILES['file']['type'], $whitelist)) {
    echo "Seulement jpg et png autorisés.";
    die();
}

if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
    // $uploadfile (client-chosen name) is interpolated into HTML without
    // escaping; pass it through htmlspecialchars() before output.
    echo "Le fichier est valide, et a été téléchargé
avec succès : <a href='$uploadfile'>$uploadfile</a>\n";
}

// Dumps the full upload metadata array into the response.
echo 'debug:';
print_r($_FILES);
## Assert
<?php
/* flag: super secret */
// Create a handler function
// Invoked by assert() when an assertion fails (registered later in this
// file via ASSERT_CALLBACK). $file and $line locate the assertion; $code
// is the asserted expression as a string. All three are echoed into HTML
// unescaped, so request data embedded in the asserted string is reflected
// to the client verbatim — wrap them in htmlspecialchars() before output.
function my_assert_handler($file, $line, $code)
{
    echo "<hr>Assertion Failed:
File '$file'<br />
Line '$line'<br />
Code '$code'<br /><hr />";
}
// Set up the callback
// NOTE(review): assert_options() is deprecated as of PHP 8.3; kept as-is
// because this exercise targets the 2017-era runtime.
assert_options(ASSERT_CALLBACK, 'my_assert_handler');

// The runtime switch only toggles between 0 and 1; it cannot re-enable
// assertions that were compiled out (-1), which is why the dev server
// on this page is started with `-d zend.assertions=1`.
ini_set('zend.assertions', '1');

// Exercise: assert() given a *string* evaluates that string as PHP code
// (behaviour of PHP < 8.0; removed in 8.0), and the string here is built
// from the "password" query parameter — the same code injection as
// eval(). Always pass a boolean expression to assert(), never a string,
// and never assemble code from request input.
assert("strlen('" . $_GET["password"] . "') > 3",
       "Need a longer password");
## Transtypage
<?php

// Exercise: credentials arrive as JSON in the query string and are
// compared with loose `==` ("transtypage" = type juggling).
// NOTE(review): without ?auth= this index is undefined (notice) and
// json_decode() receives null.
$auth = json_decode($_GET['auth'], TRUE);

$username = 'root';
// NOTE(review): rand() is not a CSPRNG; a real secret would use random_bytes()/random_int().
$password = 'secret' . rand() . rand() . rand(); // Yup, you can't know it, don't attack this.

// empty() is true for null, [], '', '0', 0 and false, so any decoded
// value of those shapes counts as "no credentials supplied".
if (!empty($auth))
{
    // json_decode() returns typed values (string, int, bool, array, ...)
    // and `==` applies PHP's type juggling before comparing, so this is
    // not an exact string match. Validate is_string() on both fields,
    // then use `===` for the login and hash_equals() for the password.
    // Both indexes are also assumed to exist (undefined-index notice otherwise).
    if ($auth['login'] == $username &&
        $auth['password'] == $password)
    {
        echo "flag: Super Secret Flag !";
        die();
    }
    else
    {
        echo "Bad login / password;";
        die();
    }
}
echo "Need a ?auth= query string with JSON like";
// NOTE(review): the example below uses single quotes, which json_decode()
// rejects — JSON requires double-quoted strings.
echo " {'login': your_login, 'password': your_password}";
## Harder transtypage
<?php

// Exercise: same as "Transtypage", but the password is compared with
// strcmp() instead of `==`.
// NOTE(review): without ?auth= this index is undefined (notice) and
// json_decode() receives null.
$auth = json_decode($_GET['auth'], TRUE);

$username = 'root';
// NOTE(review): rand() is not a CSPRNG; a real secret would use random_bytes()/random_int().
$password = 'secret' . rand() . rand() . rand(); // Yup, you can't know it, don't attack this.

if (!empty($auth))
{
    // The login is still loosely compared (see previous example).
    // strcmp() expects two strings and is not a type check: with a
    // non-string argument PHP 7 emits a warning and returns null (which
    // `!` turns into true), while PHP 8 throws TypeError. Check
    // is_string() on both fields first, then compare the password with
    // hash_equals() rather than strcmp().
    if ($auth['login'] == $username &&
        !strcmp($auth['password'], $password))
    {
        echo "flag: Super Secret Flag !";
        die();
    }
    else
    {
        echo "Bad login / password;";
        die();
    }
}
echo "Need a ?auth= query string with JSON like";
// NOTE(review): the example below uses single quotes, which json_decode()
// rejects — JSON requires double-quoted strings.
echo " {'login': your_login, 'password': your_password}";