Level 19 - Level 20
Last updated
Last updated
This time we got an input field requesting for a name and a link to the source code. And its mentioned that, we have to login as admin to get the credentials for the next level.
Let's take a look at the source code and break it down.
The debug function prints messages that is passed to it, if there is parameter named debug in the URL, i.e., http://natas20.natas.labs.overthewire.org/?debug.
Next, let's take a look at the print_credentials function.
The print_credentials function checks whether the key named admin exists in the array $_SESSION and if it exists, it also checks whether the value of the key admin is eqaul to 1.
If both of the above mentioned checks are passed, then it prints the credentials for the next level in the predefined format.
There are a few functions, which we can skip, since all of those functions just returns true.
Before taking look at the myread function, let's take a look at the mywrite function.
The mywrite function, takes in two parameters, $id ( session id ) and $data ( name ). It first checks whether the given session id is valid and next it generates the $filename. It stores the data in the form of "$key $value\n" in a file in the path $filename.
Next lets take a look at the myread function, which takes in the $sid as the parameter and checks whether the its a valid id and then generates a filename of format /mysess_<$sid>.
Then it reads the the contents of the filename that is generated above and stores it in a variable $data. Then it loops through each line of the variable $data and sets them as session variables. This foreach loop is vulenrable, since there is no proper input sanitization in the mywrite function, which writes the data to the file.
Let's break down the vulnerable foreach loop.
It uses the php explode function, which splits the given data based on the mentioned parameter, in this the parameter is "\n". Then again it uses the same explode function for each iteration , which splits the data in the $line variable based on the parameter " ", which is then added to $_SESSION as session variables.
For example, lets consider that the data in the file is "name someone\nadmin 1" and later retrieved and stored in the variable $data = "name someone\nadmin 1". If the vulnerable foreach loop process this data, the variables that would be added to the session is:
Now we have explored all the functions in the source code. Now let's try to leverage the vulnerability we found. When we try to change the name, for the first time after the new session is created, we can see that it first checks for the session file and if it doesn't exists it writes the name that we give as input to the file using the mywrite function as "name <input>\n"
Since there is no input validation, we can give the input as 'someone\nadmin 1', which will be read by the myread function as:
And since the data got the admin: 1 value, for the next GET request to page with the same session id, the print_credentials function consider us as admin and will show the credentials.
To get the credentials, you can use the following python script which will extract the credentials for the next level from subsequent requests using the same session.
From running the above script, we got the credentials for the next level.
