[OverTheWire] Natas – Level 23
http://natas23.natas.labs.overthewire.org/ Congratulations! You have reached the end… for now. Alright, everyone go home now, see you next time
CTF has never worn me out...
http://natas22.natas.labs.overthewire.org/ only admins can reveal the password… Click View sourcecode:
<?
session_start();

if(array_key_exists("revelio", $_GET)) {
    // only admins can reveal the password
    if(!($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1)) {
        header("Location: /");
    }
}
?>

<?
if(array_key_exists("revelio", $_GET)) {
    print "You are an admin. The credentials for the next level are:<br />";
    print "<pre>Username: natas23\n";
    print "Password: <censored></pre>";
}
?>
Because I did not understand how the header() function works, I got stuck; many thanks to Nam Tóc Xù for giving me a hint on this level. In fact...
http://natas21.natas.labs.overthewire.org/ Note: this website is colocated with http://natas21-experimenter.natas.labs.overthewire.org You are logged in as a regular user. Login as an admin to retrieve credentials for natas22. Click View sourcecode:
<?
function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
        print "You are an admin. The credentials for the next level are:<br />";
        print "<pre>Username: natas22\n";
        print "Password: <censored></pre>";
    } else {
        print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas22.";
    }
}
/* }}} */

session_start();
print_credentials();
?>
I give up, I bet it can't be done. Switching...
http://natas20.natas.labs.overthewire.org/ You are logged in as a regular user. Login as an admin to retrieve credentials for natas21. Click View sourcecode:
<?
function debug($msg) { /* {{{ */
    if(array_key_exists("debug", $_GET)) {
        print "DEBUG: $msg<br />";
    }
}
/* }}} */

function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
        print "You are an admin. The credentials for the next level are:<br />";
        print "<pre>Username: natas21\n";
        print "Password: <censored></pre>";
    } else {
        print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas21.";
    }
}
/* }}} */

/* we don't need this */
function myopen($path, $name) {
    //debug("MYOPEN $path $name");
    return true;
}

/* we don't need this */
function myclose() {
    //debug("MYCLOSE");
    return true;
}

function myread($sid) {
    debug("MYREAD $sid");
    if(strspn($sid, "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM-") != strlen($sid)) {
        debug("Invalid SID");
        return "";
    }
    $filename = session_save_path() . "/" . "mysess_" . $sid;
    if(!file_exists($filename)) {
        debug("Session file doesn't exist");
        return "";
    }
    debug("Reading from ". $filename);
    $data = file_get_contents($filename);
    $_SESSION = array();
    // one "key value" pair per line
    foreach(explode("\n", $data) as $line) {
        debug("Read [$line]");
        $parts = explode(" ", $line, 2);
        if($parts[0] != "") $_SESSION[$parts[0]] = $parts[1];
    }
    return session_encode();
}

function mywrite($sid, $data) {
    // $data contains the serialized version of $_SESSION
    // but our encoding is better
    debug("MYWRITE $sid $data");
    // make sure the sid is alnum only!!
    if(strspn($sid, "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM-") != strlen($sid)) {
        debug("Invalid SID");
        return;
    }
    $filename = session_save_path() . "/" . "mysess_" . $sid;
    $data = "";
    debug("Saving in ". $filename);
    ksort($_SESSION);
    foreach($_SESSION as $key => $value) {
        debug("$key => $value");
        $data .= "$key $value\n";
    }
    file_put_contents($filename, $data);
    chmod($filename, 0600);
}

/* we don't need this */
function mydestroy($sid) {
    //debug("MYDESTROY $sid");
    return true;
}

/* we don't need this */
function mygarbage($t) {
    //debug("MYGARBAGE $t");
    return true;
}

session_set_save_handler(
    "myopen",
    "myclose",
    "myread",
    "mywrite",
    "mydestroy",
    "mygarbage");
session_start();

if(array_key_exists("name", $_REQUEST)) {
    $_SESSION["name"] = $_REQUEST["name"];
    debug("Name set to " . $_REQUEST["name"]);
}

print_credentials();

$name = "";
if(array_key_exists("name", $_SESSION)) {
    $name = $_SESSION["name"];
}
?>
We will walk step by step through the processing flow of...
http://natas19.natas.labs.overthewire.org/ This page uses mostly the same code as the previous level, but session IDs are no longer sequential… Please login with your admin account to retrieve credentials for natas20. There is no View sourcecode,...
http://natas18.natas.labs.overthewire.org/ Please login with your admin account to retrieve credentials for natas19. Click View sourcecode:
<?
$maxid = 640; // 640 should be enough for everyone

function isValidAdminLogin() { /* {{{ */
    if($_REQUEST["username"] == "admin") {
        /* This method of authentication appears to be unsafe and has been disabled for now. */
        //return 1;
    }
    return 0;
}
/* }}} */

function isValidID($id) { /* {{{ */
    return is_numeric($id);
}
/* }}} */

function createID($user) { /* {{{ */
    global $maxid;
    return rand(1, $maxid);
}
/* }}} */

function debug($msg) { /* {{{ */
    if(array_key_exists("debug", $_GET)) {
        print "DEBUG: $msg<br />";
    }
}
/* }}} */

function my_session_start() { /* {{{ */
    if(array_key_exists("PHPSESSID", $_COOKIE) and isValidID($_COOKIE["PHPSESSID"])) {
        if(!session_start()) {
            debug("Session start failed");
            return false;
        } else {
            debug("Session start ok");
            if(!array_key_exists("admin", $_SESSION)) {
                debug("Session was old: admin flag set");
                $_SESSION["admin"] = 0; // backwards compatible, secure
            }
            return true;
        }
    }
    return false;
}
/* }}} */

function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
        print "You are an admin. The credentials for the next level are:<br />";
        print "<pre>Username: natas19\n";
        print "Password: <censored></pre>";
    } else {
        print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas19.";
    }
}
/* }}} */

$showform = true;

if(my_session_start()) {
    print_credentials();
    $showform = false;
} else {
    if(array_key_exists("username", $_REQUEST) && array_key_exists("password", $_REQUEST)) {
        session_id(createID($_REQUEST["username"]));
        session_start();
        $_SESSION["admin"] = isValidAdminLogin();
        debug("New session started");
        $showform = false;
        print_credentials();
    }
}

if($showform) {
?>
This level uses a custom session manager, with the PHPSESSID value chosen randomly in the range (1,...
http://natas17.natas.labs.overthewire.org/ Click View sourcecode:
<?
/*
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
*/

if(array_key_exists("username", $_REQUEST)) {
    $link = mysql_connect('localhost', 'natas17', '<censored>');
    mysql_select_db('natas17', $link);

    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br />";
    }

    $res = mysql_query($query, $link);
    if($res) {
        if(mysql_num_rows($res) > 0) {
            //echo "This user exists.<br />";
        } else {
            //echo "This user doesn't exist.<br />";
        }
    } else {
        //echo "Error in query.<br />";
    }

    mysql_close($link);
} else {
?>

<form action="index.php" method="POST">
Username: <input name="username"><br />
<input type="submit" value="Check existence" />
</form>
<? } ?>
All the messages have been commented out, so what now? What can we rely on to tell True from False at this point … …… ………...
http://natas16.natas.labs.overthewire.org/ For security reasons, we now filter even more on certain characters Find words containing… Click View sourcecode:
<? $key = ""; if(array_key_exists("needle", $_REQUEST)) { $key = $_REQUEST["needle"]; } if($key != "") { if(preg_match('/[;|&`'"]/',$key)) { print "Input contains an illegal character!"; } else { passthru("grep -i "$key" dictionary.txt"); } } ?> |
Looks familiar. Since some key characters in the input have been escaped,...
http://natas15.natas.labs.overthewire.org/ Click View sourcecode:
<?
/*
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
*/

if(array_key_exists("username", $_REQUEST)) {
    $link = mysql_connect('localhost', 'natas15', '<censored>');
    mysql_select_db('natas15', $link);

    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br />";
    }

    $res = mysql_query($query, $link);
    if($res) {
        if(mysql_num_rows($res) > 0) {
            echo "This user exists.<br />";
        } else {
            echo "This user doesn't exist.<br />";
        }
    } else {
        echo "Error in query.<br />";
    }

    mysql_close($link);
} else {
?>
There is one difference from the previous task: there is no statement at all that prints the password for the next level. So what do we do? Blind SQL...
http://natas14.natas.labs.overthewire.org/ Click View sourcecode:
<?
if(array_key_exists("username", $_REQUEST)) {
    $link = mysql_connect('localhost', 'natas14', '<censored>');
    mysql_select_db('natas14', $link);

    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br />";
    }

    if(mysql_num_rows(mysql_query($query, $link)) > 0) {
        echo "Successful login! The password for natas15 is <censored><br />";
    } else {
        echo "Access denied!<br />";
    }
    mysql_close($link);
} else {
?>
We can immediately see that neither username nor password is escaped. Inject with the textbook statement: username = " OR 1=1# password =...