FIX: markdown code fensing.

2017-10-18 00:16:52 +02:00 · 2017-10-18 00:16:52 +02:00 · 01d3b4306e
parent 4a058b1802
commit 01d3b4306e
1 changed files with 104 additions and 116 deletions
--- a/content/pages/supinternet_secu_web.md
+++ b/content/pages/supinternet_secu_web.md
@ -15,7 +15,7 @@ votre choix et démarrez y PHP simplement avec le serveur de dev:
 $ php -S localhost:8080 -d zend.assertions=1
 ```

-Chaque code contient un ``flag``, le but est de récupérer ce flag via
+Chaque code contient un `flag`, le but est de récupérer ce flag via
 HTTP. Évidemment vous connaissez le flag à l'avance, vous l'avez vu,
 vous l'avez copié avec le code, le but reste de réussir à l'obtenir
 via http://localhost:8000/.
@ -23,177 +23,165 @@ via http://localhost:8000/.

 ## Injection de code

-```
-<?php
+    <?php

-/* flag: sup3rs3cr3t */
+    /* flag: sup3rs3cr3t */
+
+    if (isset($_GET['solve']))
+        echo eval('echo ' . $_GET['solve'] . ';');
+    else
+        echo 'Missing "solve" in query string';

-if (isset($_GET['solve']))
-    echo eval('echo ' . $_GET['solve'] . ';');
-else
-    echo 'Missing "solve" in query string';
-```


 ## Injection de code — protection

-```
-<?php
+    <?php

-/* flag: sup3rs3cr3t */
+    /* flag: sup3rs3cr3t */

-if (isset($_GET['solve']))
-{
-    $blacklisteds = ['file_get_contents', 'open', 'exec', '`', 'shell', 'cmd', 'system'];
-    foreach ($blacklisteds as $blacklisted)
+    if (isset($_GET['solve']))
    {
-        if (strpos($_GET['solve'], $blacklisted) !== FALSE)
+        $blacklisteds = ['file_get_contents', 'open', 'exec', '`', 'shell', 'cmd', 'system'];
+        foreach ($blacklisteds as $blacklisted)
        {
-            die("No way.");
+            if (strpos($_GET['solve'], $blacklisted) !== FALSE)
+            {
+                die("No way.");
+            }
        }
+        echo eval('echo ' . $_GET['solve'] . ';');
    }
-    echo eval('echo ' . $_GET['solve'] . ';');
-}
-```


 ## Basic Auth

-```
-<?php
+    <?php

-$admin_password = "Just_Imagine_You_Dont_Know_It_" . (string)rand();
+    $admin_password = "Just_Imagine_You_Dont_Know_It_" . (string)rand();

-if ($_SERVER['REQUEST_METHOD'] == 'GET' ||
-    $_SERVER['REQUEST_METHOD'] == 'POST')
-{
-    if ($_SERVER['HTTP_AUTHORIZATION'] != 'Basic ' .
-        base64_encode("root:" . $admin_password))
+    if ($_SERVER['REQUEST_METHOD'] == 'GET' ||
+        $_SERVER['REQUEST_METHOD'] == 'POST')
    {
-        header('HTTP/1.0 401 Unauthorized');
-        header('WWW-Authenticate: Basic realm="Admin Zone');
-        die();
+        if ($_SERVER['HTTP_AUTHORIZATION'] != 'Basic ' .
+            base64_encode("root:" . $admin_password))
+        {
+            header('HTTP/1.0 401 Unauthorized');
+            header('WWW-Authenticate: Basic realm="Admin Zone');
+            die();
+        }
    }
-}

-echo "Access Granted!! You got root!";
-echo "Flag: Sup3rS3cr3t";
-```
+    echo "Access Granted!! You got root!";
+    echo "Flag: Sup3rS3cr3t";


 ## File storage

-```
-<form method="post" enctype="multipart/form-data">
-  <input type="file" name="file">
-  <input type="submit" value="upload">
-</form>
-<pre>
+    <form method="post" enctype="multipart/form-data">
+      <input type="file" name="file">
+      <input type="submit" value="upload">
+    </form>
+    <pre>

-<?php
+    <?php

-$mysql_password = 'sup3rs3cr3t';
+    $flag = 'sup3rs3cr3t';

-$uploaddir = './uploads';
-$whitelist = ['image/jpeg', 'image/png'];
-@mkdir("./uploads", 0700);
-$uploadfile = $uploaddir . '/' . basename($_FILES['file']['name']);
+    $uploaddir = './uploads';
+    $whitelist = ['image/jpeg', 'image/png'];
+    @mkdir("./uploads", 0700);
+    $uploadfile = $uploaddir . '/' . basename($_FILES['file']['name']);

-if (isset($_FILES['file']) && !in_array($_FILES['file']['type'], $whitelist)) {
-    echo "Seulement jpg et png autorisés.";
-    die();
-}
+    if (isset($_FILES['file']) && !in_array($_FILES['file']['type'], $whitelist)) {
+        echo "Seulement jpg et png autorisés.";
+        die();
+    }

-if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
-    echo "Le fichier est valide, et a été téléchargé
-           avec succès : <a href='$uploadfile'>$uploadfile</a>\n";
-}
+    if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
+        echo "Le fichier est valide, et a été téléchargé
+               avec succès : <a href='$uploadfile'>$uploadfile</a>\n";
+    }

-echo 'debug:';
+    echo 'debug:';
+
+    print_r($_FILES);

-print_r($_FILES);
-```

 ## Assert

-```
-<?php
+    <?php

-/* flag: super secret */
+    /* flag: super secret */

-// Create a handler function
-function my_assert_handler($file, $line, $code)
-{
-    echo "<hr>Assertion Failed:
-        File '$file'<br />
-        Line '$line'<br />
-        Code '$code'<br /><hr />";
-}
+    // Create a handler function
+    function my_assert_handler($file, $line, $code)
+    {
+        echo "<hr>Assertion Failed:
+            File '$file'<br />
+            Line '$line'<br />
+            Code '$code'<br /><hr />";
+    }

-// Set up the callback
-assert_options(ASSERT_CALLBACK, 'my_assert_handler');
+    // Set up the callback
+    assert_options(ASSERT_CALLBACK, 'my_assert_handler');

-ini_set('zend.assertions', '1');
+    ini_set('zend.assertions', '1');

-assert("strlen('" . $_GET["password"] . "') > 3",
-       "Need a longer password");
-```
+    assert("strlen('" . $_GET["password"] . "') > 3",
+           "Need a longer password");


 ## Transtypage


-```
-<?php
+    <?php

-$auth = json_decode($_GET['auth'], TRUE);
+    $auth = json_decode($_GET['auth'], TRUE);

-$username = 'root';
-$password = 'secret' . rand() . rand() . rand(); // Yup, you can't know it, don't attack this.
+    $username = 'root';
+    $password = 'secret' . rand() . rand() . rand(); // Yup, you can't know it, don't attack this.

-if (!empty($auth))
-{
-    if ($auth['login'] == $username &&
-        $auth['password'] == $password)
+    if (!empty($auth))
    {
-        echo "flag: Super Secret Flag !";
-        die();
+        if ($auth['login'] == $username &&
+            $auth['password'] == $password)
+        {
+            echo "flag: Super Secret Flag !";
+            die();
+        }
+        else
+        {
+            echo "Bad login / password;";
+            die();
+        }
    }
-    else
-    {
-        echo "Bad login / password;";
-        die();
-    }
-}
-echo "Need a ?auth= query string with JSON like";
-echo "   {'login': your_login, 'password': your_password}";
-```
+    echo "Need a ?auth= query string with JSON like";
+    echo "   {'login': your_login, 'password': your_password}";


 ## Harder transtypage

-```
-<?php
+    <?php

-$auth = json_decode($_GET['auth'], TRUE);
+    $auth = json_decode($_GET['auth'], TRUE);

-$username = 'root';
-$password = 'secret' . rand() . rand() . rand(); // Yup, you can't know it, don't attack this.
+    $username = 'root';
+    $password = 'secret' . rand() . rand() . rand(); // Yup, you can't know it, don't attack this.

-if (!empty($auth))
-{
-    if ($auth['login'] == $username &&
-        !strcmp($auth['password'], $password))
+    if (!empty($auth))
    {
-        echo "flag: Super Secret Flag !";
-        die();
+        if ($auth['login'] == $username &&
+            !strcmp($auth['password'], $password))
+        {
+            echo "flag: Super Secret Flag !";
+            die();
+        }
+        else
+        {
+            echo "Bad login / password;";
+            die();
+        }
    }
-    else
-    {
-        echo "Bad login / password;";
-        die();
-    }
-}
-echo "Need a ?auth= query string with JSON like";
-echo "   {'login': your_login, 'password': your_password}";
-```
+    echo "Need a ?auth= query string with JSON like";
+    echo "   {'login': your_login, 'password': your_password}";