Bright Shadows - Exploit 2: "Analyse this I!"

Description:

Hi!

This challenge is about getting around filters, which might make it harder for you to exploit a script.

What url would you use as parameter if there would be a script "exploitit.php" in the "/user/www/challenges/" folder of our Linux webserver and you want to open "/user/www/index.php".

In case "exploitit.php" looks like this:

... $url = str_replace("../","",$_GET['url']); $hfile = fopen("/user/www/challenges/$url", "r"); if(!$hfile){ echo "Can't open file!"; exit; } while (!feof($hfile)){ $line = fgets ($hfile, 1024); echo $line; } ...

Or in case"exploitit.php" looks like this:

... if((strpos($_GET['url'],"../") === false) AND (strpos($_GET['url'],"://") === false))){ $hfile = fopen("$url", "r"); if(!$hfile){ echo "Can't open file!"; exit; } while (!feof($hfile)){ $line = fgets ($hfile, 1024); echo $line; } }else{ echo "Your url got blocked by the filter!"; } ...
          ______________________________
Answer 1:|______________________________|
Answer 2:|______________________________|Send

Solution:

1. This challenge is about Local File Inclusion. In the beginning I encoded the path of '../index.php' into '..%2Findex.php', but the result always told me 'Both answers are wrong!'
2. Alright, since the first one script only replaces the '../' with nothing, we could input the URL like below and make it into '../index.php'.

   Answer: ..././index.php

3. The second one will be more easier. Although it double checked the '../' for Local File Inclusion and the '://' for Remote File Inclusion, it opens the file directly without appending any directories. So, we could simply input the URL directly like below to achieve our goal.

   Answer: /user/www/index.php

4. Well done!