What is it? @.@

Here is the place where I record some tactics about wargame, systems, and other security issues.


WeChall - PHP 0817


I have written another include system for my dynamic webpages, but it seems to be vulnerable to LFI.
Here is the code:

GeSHi`ed PHP code
  1. <?php
  2. if (isset($_GET['which']))
  3. {
  4.         $which = $_GET['which'];
  5.         switch ($which)
  6.         {
  7.         case 0:
  8.         case 1:
  9.         case 2:
  10.                 require_once $which.'.php';
  11.                 break;
  12.         default:
  13.                 echo GWF_HTML::error('PHP-0817', 'Hacker NoNoNo!', false);
  14.                 break;
  15.         }
  16. }
  17. ?>

Your mission is to include solution.php.
Here is the script in action: News, Forum, Guestbook.

Good Luck!

  1. The link of each page is like below:
    News: index.php?which=0
    Forum: index.php?which=1
    Guestbook: index.php?which=2
  2. You should know in PHP if the statement list for a case is empty, which will simply passes control into the statement list for the next case.
  3. And since the switch statement uses loose type comparison, anything not a digit will make the code vulnerable.
    Vuln: index.php?which=solution
  4. Well done, too easy... Do you know why this is possible?