FIX: markdown code fensing.
This commit is contained in:
parent
4a058b1802
commit
01d3b4306e
|
@ -15,7 +15,7 @@ votre choix et démarrez y PHP simplement avec le serveur de dev:
|
|||
$ php -S localhost:8080 -d zend.assertions=1
|
||||
```
|
||||
|
||||
Chaque code contient un ``flag``, le but est de récupérer ce flag via
|
||||
Chaque code contient un `flag`, le but est de récupérer ce flag via
|
||||
HTTP. Évidemment vous connaissez le flag à l'avance, vous l'avez vu,
|
||||
vous l'avez copié avec le code, le but reste de réussir à l'obtenir
|
||||
via http://localhost:8000/.
|
||||
|
@ -23,177 +23,165 @@ via http://localhost:8000/.
|
|||
|
||||
## Injection de code
|
||||
|
||||
```
|
||||
<?php
|
||||
<?php
|
||||
|
||||
/* flag: sup3rs3cr3t */
|
||||
/* flag: sup3rs3cr3t */
|
||||
|
||||
if (isset($_GET['solve']))
|
||||
echo eval('echo ' . $_GET['solve'] . ';');
|
||||
else
|
||||
echo 'Missing "solve" in query string';
|
||||
|
||||
if (isset($_GET['solve']))
|
||||
echo eval('echo ' . $_GET['solve'] . ';');
|
||||
else
|
||||
echo 'Missing "solve" in query string';
|
||||
```
|
||||
|
||||
|
||||
## Injection de code — protection
|
||||
|
||||
```
|
||||
<?php
|
||||
<?php
|
||||
|
||||
/* flag: sup3rs3cr3t */
|
||||
/* flag: sup3rs3cr3t */
|
||||
|
||||
if (isset($_GET['solve']))
|
||||
{
|
||||
$blacklisteds = ['file_get_contents', 'open', 'exec', '`', 'shell', 'cmd', 'system'];
|
||||
foreach ($blacklisteds as $blacklisted)
|
||||
if (isset($_GET['solve']))
|
||||
{
|
||||
if (strpos($_GET['solve'], $blacklisted) !== FALSE)
|
||||
$blacklisteds = ['file_get_contents', 'open', 'exec', '`', 'shell', 'cmd', 'system'];
|
||||
foreach ($blacklisteds as $blacklisted)
|
||||
{
|
||||
die("No way.");
|
||||
if (strpos($_GET['solve'], $blacklisted) !== FALSE)
|
||||
{
|
||||
die("No way.");
|
||||
}
|
||||
}
|
||||
echo eval('echo ' . $_GET['solve'] . ';');
|
||||
}
|
||||
echo eval('echo ' . $_GET['solve'] . ';');
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
## Basic Auth
|
||||
|
||||
```
|
||||
<?php
|
||||
<?php
|
||||
|
||||
$admin_password = "Just_Imagine_You_Dont_Know_It_" . (string)rand();
|
||||
$admin_password = "Just_Imagine_You_Dont_Know_It_" . (string)rand();
|
||||
|
||||
if ($_SERVER['REQUEST_METHOD'] == 'GET' ||
|
||||
$_SERVER['REQUEST_METHOD'] == 'POST')
|
||||
{
|
||||
if ($_SERVER['HTTP_AUTHORIZATION'] != 'Basic ' .
|
||||
base64_encode("root:" . $admin_password))
|
||||
if ($_SERVER['REQUEST_METHOD'] == 'GET' ||
|
||||
$_SERVER['REQUEST_METHOD'] == 'POST')
|
||||
{
|
||||
header('HTTP/1.0 401 Unauthorized');
|
||||
header('WWW-Authenticate: Basic realm="Admin Zone');
|
||||
die();
|
||||
if ($_SERVER['HTTP_AUTHORIZATION'] != 'Basic ' .
|
||||
base64_encode("root:" . $admin_password))
|
||||
{
|
||||
header('HTTP/1.0 401 Unauthorized');
|
||||
header('WWW-Authenticate: Basic realm="Admin Zone');
|
||||
die();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
echo "Access Granted!! You got root!";
|
||||
echo "Flag: Sup3rS3cr3t";
|
||||
```
|
||||
echo "Access Granted!! You got root!";
|
||||
echo "Flag: Sup3rS3cr3t";
|
||||
|
||||
|
||||
## File storage
|
||||
|
||||
```
|
||||
<form method="post" enctype="multipart/form-data">
|
||||
<input type="file" name="file">
|
||||
<input type="submit" value="upload">
|
||||
</form>
|
||||
<pre>
|
||||
<form method="post" enctype="multipart/form-data">
|
||||
<input type="file" name="file">
|
||||
<input type="submit" value="upload">
|
||||
</form>
|
||||
<pre>
|
||||
|
||||
<?php
|
||||
<?php
|
||||
|
||||
$mysql_password = 'sup3rs3cr3t';
|
||||
$flag = 'sup3rs3cr3t';
|
||||
|
||||
$uploaddir = './uploads';
|
||||
$whitelist = ['image/jpeg', 'image/png'];
|
||||
@mkdir("./uploads", 0700);
|
||||
$uploadfile = $uploaddir . '/' . basename($_FILES['file']['name']);
|
||||
$uploaddir = './uploads';
|
||||
$whitelist = ['image/jpeg', 'image/png'];
|
||||
@mkdir("./uploads", 0700);
|
||||
$uploadfile = $uploaddir . '/' . basename($_FILES['file']['name']);
|
||||
|
||||
if (isset($_FILES['file']) && !in_array($_FILES['file']['type'], $whitelist)) {
|
||||
echo "Seulement jpg et png autorisés.";
|
||||
die();
|
||||
}
|
||||
if (isset($_FILES['file']) && !in_array($_FILES['file']['type'], $whitelist)) {
|
||||
echo "Seulement jpg et png autorisés.";
|
||||
die();
|
||||
}
|
||||
|
||||
if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
|
||||
echo "Le fichier est valide, et a été téléchargé
|
||||
avec succès : <a href='$uploadfile'>$uploadfile</a>\n";
|
||||
}
|
||||
if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
|
||||
echo "Le fichier est valide, et a été téléchargé
|
||||
avec succès : <a href='$uploadfile'>$uploadfile</a>\n";
|
||||
}
|
||||
|
||||
echo 'debug:';
|
||||
echo 'debug:';
|
||||
|
||||
print_r($_FILES);
|
||||
|
||||
print_r($_FILES);
|
||||
```
|
||||
|
||||
## Assert
|
||||
|
||||
```
|
||||
<?php
|
||||
<?php
|
||||
|
||||
/* flag: super secret */
|
||||
/* flag: super secret */
|
||||
|
||||
// Create a handler function
|
||||
function my_assert_handler($file, $line, $code)
|
||||
{
|
||||
echo "<hr>Assertion Failed:
|
||||
File '$file'<br />
|
||||
Line '$line'<br />
|
||||
Code '$code'<br /><hr />";
|
||||
}
|
||||
// Create a handler function
|
||||
function my_assert_handler($file, $line, $code)
|
||||
{
|
||||
echo "<hr>Assertion Failed:
|
||||
File '$file'<br />
|
||||
Line '$line'<br />
|
||||
Code '$code'<br /><hr />";
|
||||
}
|
||||
|
||||
// Set up the callback
|
||||
assert_options(ASSERT_CALLBACK, 'my_assert_handler');
|
||||
// Set up the callback
|
||||
assert_options(ASSERT_CALLBACK, 'my_assert_handler');
|
||||
|
||||
ini_set('zend.assertions', '1');
|
||||
ini_set('zend.assertions', '1');
|
||||
|
||||
assert("strlen('" . $_GET["password"] . "') > 3",
|
||||
"Need a longer password");
|
||||
```
|
||||
assert("strlen('" . $_GET["password"] . "') > 3",
|
||||
"Need a longer password");
|
||||
|
||||
|
||||
## Transtypage
|
||||
|
||||
|
||||
```
|
||||
<?php
|
||||
<?php
|
||||
|
||||
$auth = json_decode($_GET['auth'], TRUE);
|
||||
$auth = json_decode($_GET['auth'], TRUE);
|
||||
|
||||
$username = 'root';
|
||||
$password = 'secret' . rand() . rand() . rand(); // Yup, you can't know it, don't attack this.
|
||||
$username = 'root';
|
||||
$password = 'secret' . rand() . rand() . rand(); // Yup, you can't know it, don't attack this.
|
||||
|
||||
if (!empty($auth))
|
||||
{
|
||||
if ($auth['login'] == $username &&
|
||||
$auth['password'] == $password)
|
||||
if (!empty($auth))
|
||||
{
|
||||
echo "flag: Super Secret Flag !";
|
||||
die();
|
||||
if ($auth['login'] == $username &&
|
||||
$auth['password'] == $password)
|
||||
{
|
||||
echo "flag: Super Secret Flag !";
|
||||
die();
|
||||
}
|
||||
else
|
||||
{
|
||||
echo "Bad login / password;";
|
||||
die();
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
echo "Bad login / password;";
|
||||
die();
|
||||
}
|
||||
}
|
||||
echo "Need a ?auth= query string with JSON like";
|
||||
echo " {'login': your_login, 'password': your_password}";
|
||||
```
|
||||
echo "Need a ?auth= query string with JSON like";
|
||||
echo " {'login': your_login, 'password': your_password}";
|
||||
|
||||
|
||||
## Harder transtypage
|
||||
|
||||
```
|
||||
<?php
|
||||
<?php
|
||||
|
||||
$auth = json_decode($_GET['auth'], TRUE);
|
||||
$auth = json_decode($_GET['auth'], TRUE);
|
||||
|
||||
$username = 'root';
|
||||
$password = 'secret' . rand() . rand() . rand(); // Yup, you can't know it, don't attack this.
|
||||
$username = 'root';
|
||||
$password = 'secret' . rand() . rand() . rand(); // Yup, you can't know it, don't attack this.
|
||||
|
||||
if (!empty($auth))
|
||||
{
|
||||
if ($auth['login'] == $username &&
|
||||
!strcmp($auth['password'], $password))
|
||||
if (!empty($auth))
|
||||
{
|
||||
echo "flag: Super Secret Flag !";
|
||||
die();
|
||||
if ($auth['login'] == $username &&
|
||||
!strcmp($auth['password'], $password))
|
||||
{
|
||||
echo "flag: Super Secret Flag !";
|
||||
die();
|
||||
}
|
||||
else
|
||||
{
|
||||
echo "Bad login / password;";
|
||||
die();
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
echo "Bad login / password;";
|
||||
die();
|
||||
}
|
||||
}
|
||||
echo "Need a ?auth= query string with JSON like";
|
||||
echo " {'login': your_login, 'password': your_password}";
|
||||
```
|
||||
echo "Need a ?auth= query string with JSON like";
|
||||
echo " {'login': your_login, 'password': your_password}";
|
||||
|
|
Loading…
Reference in New Issue