
status: hidden
title: Sup'Internet — Cybersécurité — HTTP
slug: e5eoGhcoh3phiD-supinternet-cybersecurite-http
robots: noindex

Attaques via HTTP

Chaque exemple suivant vous fournit le contenu d'un fichier PHP.

Copiez simplement le PHP dans un index.php, dans un dossier vide de votre choix, et démarrez-y PHP avec le serveur de développement :

$ php -S localhost:8080 -d zend.assertions=1

Chaque code contient un flag ; le but est de récupérer ce flag via HTTP. Évidemment, vous connaissez le flag à l'avance (vous l'avez vu, vous l'avez copié avec le code) ; le but reste de réussir à l'obtenir via http://localhost:8000/.

Injection de code

<?php

/* flag: sup3rs3cr3t */

// Code-injection exercise: the raw query-string value is spliced into PHP
// source text and executed by eval(). Nothing derived from request data
// should ever reach eval(); the only mitigation is to remove the call.
// eval() itself returns null here, the visible output comes from the inner echo.
if (isset($_GET['solve']))
    echo eval('echo ' . $_GET['solve'] . ';');
else
    echo 'Missing "solve" in query string';

Injection de code — protection

<?php

/* flag: sup3rs3cr3t */

if (isset($_GET['solve']))
{
    // A denylist of substrings is not a security boundary for eval(): it only
    // rejects these exact spellings, and PHP offers many equivalent ways to
    // reach the same functionality. The mitigation is to remove eval(), not
    // to extend the list.
    $blacklisteds = ['file_get_contents', 'open', 'exec', '`', 'shell', 'cmd', 'system'];
    foreach ($blacklisteds as $blacklisted)
    {
        if (strpos($_GET['solve'], $blacklisted) !== FALSE)
        {
            die("No way.");
        }
    }
    // Same code-injection sink as the previous exercise.
    echo eval('echo ' . $_GET['solve'] . ';');
}

Basic Auth

<?php

// The password is regenerated from rand() on every request, so no legitimate
// login is possible by design; the exercise is about the check below.
$admin_password = "Just_Imagine_You_Dont_Know_It_" . (string)rand();

// The credential check is applied only to GET and POST requests.
// Authentication has to be enforced on every request, whatever the method,
// otherwise the gate is optional.
if ($_SERVER['REQUEST_METHOD'] == 'GET' ||
    $_SERVER['REQUEST_METHOD'] == 'POST')
{
    // Loose comparison (!=) of a secret; compare strings with hash_equals().
    // $_SERVER['HTTP_AUTHORIZATION'] is undefined when the client sends no
    // Authorization header (PHP raises a notice/warning here).
    if ($_SERVER['HTTP_AUTHORIZATION'] != 'Basic ' .
        base64_encode("root:" . $admin_password))
    {
        header('HTTP/1.0 401 Unauthorized');
        // NOTE(review): the realm value is missing its closing double quote.
        header('WWW-Authenticate: Basic realm="Admin Zone');
        die();
    }
}

// Reached by any request that did not die() above.
echo "Access Granted!! You got root!";
echo "Flag: Sup3rS3cr3t";

File storage

<form method="post" enctype="multipart/form-data">
  <input type="file" name="file">
  <input type="submit" value="upload">
</form>
<pre>

<?php

$flag = 'sup3rs3cr3t';

$uploaddir = './uploads';
// The check below compares $_FILES['file']['type'], i.e. the Content-Type the
// client declared in the multipart body, not anything derived from the file's
// bytes. A server-side check has to inspect the content (finfo) and, more
// importantly, control where and under what name the file is stored.
$whitelist = ['image/jpeg', 'image/png'];
// @ suppresses mkdir() errors (e.g. directory already exists) instead of
// handling them.
@mkdir("./uploads", 0700);
// Destination keeps the client-chosen base name and extension, inside the
// directory served by the dev server when run as instructed; a defensive
// design stores uploads outside the web root and/or under a server-generated
// name. This line also runs before the isset() check below, so a request
// without a file triggers an undefined-index warning here.
$uploadfile = $uploaddir . '/' . basename($_FILES['file']['name']);

// Non-strict in_array(); pass strict: true when comparing strings.
if (isset($_FILES['file']) && !in_array($_FILES['file']['type'], $whitelist)) {
    echo "Seulement jpg et png autorisés.";
    die();
}

// move_uploaded_file() returns false (with a warning) when no upload was sent.
if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
    // $uploadfile is interpolated into HTML without htmlspecialchars().
    echo "Le fichier est valide, et a été téléchargé
           avec succès : <a href='$uploadfile'>$uploadfile</a>\n";
}

// Debug output exposes the full upload metadata (tmp_name, size, type) to
// the client.
echo 'debug:';

print_r($_FILES);

Assert

<?php

/* flag: super secret */

// Create a handler function
/**
 * ASSERT_CALLBACK handler: prints where the failed assertion came from.
 *
 * $code is the source text of the assertion, which in the call below embeds
 * the request value; echoing it (and $file) into HTML without
 * htmlspecialchars() makes this output a reflected-XSS sink as well.
 */
function my_assert_handler($file, $line, $code)
{
    echo "<hr>Assertion Failed:
        File '$file'<br />
        Line '$line'<br />
        Code '$code'<br /><hr />";
}

// Set up the callback
// assert_options() is deprecated as of PHP 8.3.
assert_options(ASSERT_CALLBACK, 'my_assert_handler');

// Only toggles assertions between 0 and 1 at runtime; it cannot enable them
// if zend.assertions was -1 at startup, hence -d zend.assertions=1 in the
// suggested command line.
ini_set('zend.assertions', '1');

// A string passed to assert() is compiled and executed as PHP code on PHP 5
// and 7 (deprecated since 7.2); PHP 8 treats it as an ordinary value, so this
// exercise needs PHP 7. Because the request value is concatenated into that
// code, this is the same code-injection sink as eval(). Pass a real
// expression to assert(), never a string built from input.
assert("strlen('" . $_GET["password"] . "') > 3",
       "Need a longer password");

Transtypage

<?php

// Decodes untrusted JSON into an associative array. Decoded values can be of
// any JSON type (string, number, bool, array, null) and nothing below checks
// which. $_GET['auth'] is undefined when the parameter is absent.
$auth = json_decode($_GET['auth'], TRUE);

$username = 'root';
// Regenerated on every request: unknowable by design, the exercise is the comparison.
$password = 'secret' . rand() . rand() . rand(); // Yup, you can't know it, don't attack this.

if (!empty($auth))
{
    // Loose comparison (==) between a decoded JSON value of unchecked type and
    // a string lets PHP's type juggling decide the outcome. Credentials should
    // be verified with === (or hash_equals()) after confirming both operands
    // are strings. $auth['login'] / $auth['password'] are undefined when the
    // JSON lacks those keys.
    if ($auth['login'] == $username &&
        $auth['password'] == $password)
    {
        echo "flag: Super Secret Flag !";
        die();
    }
    else
    {
        echo "Bad login / password;";
        die();
    }
}
// NOTE(review): the example uses single quotes, which json_decode() does not
// accept; valid JSON needs double quotes around keys and string values.
echo "Need a ?auth= query string with JSON like";
echo "   {'login': your_login, 'password': your_password}";

Harder transtypage

<?php

// Decodes untrusted JSON into an associative array. Decoded values can be of
// any JSON type (string, number, bool, array, null) and nothing below checks
// which. $_GET['auth'] is undefined when the parameter is absent.
$auth = json_decode($_GET['auth'], TRUE);

$username = 'root';
// Regenerated on every request: unknowable by design, the exercise is the comparison.
$password = 'secret' . rand() . rand() . rand(); // Yup, you can't know it, don't attack this.

if (!empty($auth))
{
    // The login still uses loose == (see the previous exercise). strcmp()
    // compares two strings: its return value is only meaningful when both
    // arguments are strings, and the decoded JSON value is never checked to
    // be one (PHP 7 warns and returns null for a non-string, PHP 8 throws a
    // TypeError). Negating the result also turns "no result" into "match".
    // Use hash_equals() on values verified to be strings.
    if ($auth['login'] == $username &&
        !strcmp($auth['password'], $password))
    {
        echo "flag: Super Secret Flag !";
        die();
    }
    else
    {
        echo "Bad login / password;";
        die();
    }
}
// NOTE(review): the example uses single quotes, which json_decode() does not
// accept; valid JSON needs double quotes around keys and string values.
echo "Need a ?auth= query string with JSON like";
echo "   {'login': your_login, 'password': your_password}";