PHP - Register Globals
This challenge is a relict of old PHP times, where register globals has been enabled by default, which often lead to security issues.
Again, your job is to login as admin, and you are given the sourcecode as well as highlighted version.
Here is the link to the vulnerable script.
I have also setup a test account: test:test
Enjoy!
Solution:
- View the source code and find the part of code below.
...
if (isset($login)) { echo GWF_HTML::message('Register Globals', $chall->lang('msg_welcome_back', array(htmlspecialchars($login[0]), htmlspecialchars($login[1])))); if (strtolower($login[0]) === 'admin') { $chall->onChallengeSolved(GWF_Session::getUserID()); } }
... - Since there is not any checking method to check the variable $login, we could use the URL like below to bypass it and gain the userlevel of admin.
hxxps://www.wechall.net/challenge/training/php/globals/globals.php?username=test&password=test&login[0]=admin
- It's done!!
Register Globals
Welcome back, admin.
Your userlevel is .
No comments:
Post a Comment