a strange online reservation system for restaurants, please hacking it
This challenge told us little, just said it was to hack a restaurant website.
Upon accessing the link, he showed us the following page:
By logging in we are redirected to another page:
Here we can see what would be the first vulnerability found, an LFI in user.php?page=.
Ok, the guest file did not give us much information, so I went after other files:
Now, from this code, we have already been able to go to other files that were not in our view.
In this function.php file, it is good to point out some things that are being done: we have two types of filters blocking some words, like manage, flag and ffffllllaaaaggg, so we can not access these files by lfi casual.
Doing small tests to see if we get anything, we had a good answer in the info file:
We find a hint that we already know exists.
Well, we’ve got everything we wanted right now, we need to move up the search and find a bypass to access files that were blocked at first.
The filter of the url is being done with the help of the parse_url and parse_str function, but this function has a weakness, when we add more (/) bars in the url, we are able to make the function parsing correct and therefore does not read the entire url:
We found another file that was not in our view, looking for it in lfi and seeing its contents, we see that it is doing the include of a template. So this means that the file is something that can be manipulated by the user.
Entering the page, we have a form to send files.
Checking the code that we had already obtained, I did not see any entries for files, so I opened the source and found the upllloadddd.php file.
By doing a little analysis in the code, we were able to highlight two things for the bypass:
1.It is using the system function with a concatenation without filters, this gives us the possibility of a RCE.
2.It is checking the extension of our file, so we need a way to send an extension.
The easiest way I thought of bypassing was by using a # comment and passing the extension right after:
After a few attempts looking at all these files listed, I thought maybe the flag was in the database, so I went behind the contents of the config.php file.
I used the mysql credentials of the config.php file to log into mysql and dumped the contents of the database.
I found many users and nothing flag, so I thought the obvious, look for the flag in the system.
We find the flag :).
So I came across that we could not use / :P
But it does not matter, we can use cd.
