DEV Community

Discussion on: Hacker101 CTF - Cody's First Blog

dtnguyen22

The index.php uses include(); if you try ?page=index, it will be an infinite loop, which causes the memory-exhausted problem.

Aman
1. I can directly visit index.php, like x.com/index.php, but the script I've added in a comment won't get executed. Why?

2. The payload passed in the comment is being passed to the page.inc.php page too, but when I include it in the parameter (x.com?page=home.inc), the payload doesn't get executed. Why?

3. How does passing a URL to index on localhost prevent looping when effectively it's the same as including index directly?

DaNeil C
1. I am not sure what script you are trying to add to the comments, so I can’t say for sure why it’s not working.

    • I can say that PHP is a server side language so it gets run on the server and we see the results, not the PHP code. That’s why “include()” is in plain text in the source code on the main page when you look at it in your browser or in a proxy like Zap or Burp.
2. The payload doesn’t get executed in the URL because this CTF flag is about using the server to run the PHP in the submitted comments and echo back the results (the source code for the page we want, which has the flag), and about using include() to render the page, because of the file inclusion bug that uses the URL parameters.

    • So when you first try to go to the page “?page=index.php”, there are warnings presented as Warning: include(index.php.php) and Fatal error: Allowed memory size of 134217728 bytes exhausted. This means that when a URL is submitted, there is some other script on the server that is filtering the URL and adding a .php to it. Thus using any version of ?page=something_here in the URL won’t work, because the include() in the “index.php” page is, as dtnguyen22 said, either creating an infinite loop trying to include the index file that is trying to include itself, or the page just doesn’t exist.
  3. Passing a url to index on localhost doesn’t prevent looping but is important for the PHP File Inclusion Bug.

    • Though the URL won’t work as an initial attack point, when you submit a comment of something like <?php echo readfile("index.php")?> and approve it on the ?page=admin.inc page, the main home/index page now has that as part of its source code. And you can now take advantage of the File Inclusion Bug and go to ?page=http://localhost/index and this is where you can view the source code and view the php of the index page that has the flag.

This works because of the file path that the server is trying to access. Similar to accessing a local file in your local browser or in the file directory, the server wants to include the page it is told to, but when it makes a request to http://localhost/index the server processes this as its own index page (because of the bug), adds the .php, and renders the requested page’s source in the page source code through the PHP echo readfile() command.
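As an added illustration, not code from the CTF or from anyone in this thread (the challenge's own source is never shown here), the following reconstructs in PHP the include() pattern the replies describe (the "page" parameter with ".php" appended and handed straight to include()), and then a hardened version of the same handler. The file names, the pages/ directory and the ALLOWED_PAGES list are assumptions. Two checks a practitioner would want: the http://localhost/... include only succeeds when allow_url_include is On in php.ini (it is Off by default, and a remote include fails with a warning otherwise), and stored comments should be escaped for output rather than ever being included or evaluated as code.

```php
<?php
// Added example, not the CTF's code. Reconstructs the include() pattern the
// thread describes (".php" appended to ?page=...), then a hardened version.
// File names, directory layout and the allowlist are assumptions.

// --- 1. The pattern behind the bug (assumed shape of the CTF's index.php) ---
function vulnerable_include(string $page): void
{
    // ?page=index                  -> include("index.php"): the file includes
    //                                 itself until "Allowed memory size ... exhausted"
    // ?page=admin.inc              -> include("admin.inc.php")
    // ?page=http://localhost/index -> include("http://localhost/index.php"):
    //                                 a remote include, which PHP only performs
    //                                 when allow_url_include=On (Off by default)
    include $page . '.php';
}

// A comment body that is later included or evaluated as PHP runs server-side;
// that is what lets "<?php echo readfile(...)" in a comment execute.

// --- 2. Hardened version ---
const ALLOWED_PAGES = ['home', 'admin'];   // assumed page names

function safe_include(string $page): void
{
    // Only names from a fixed allowlist reach include(); no user-controlled
    // path, scheme or extension is ever concatenated into the file name.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include __DIR__ . '/pages/' . $page . '.php';
}

function render_comment(string $body): string
{
    // Comments are data: escape them for HTML output and never include() or
    // eval() them, so PHP tags in a comment are displayed literally.
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Request handling: page selection goes through the allowlist, and a comment
// carrying the payload from the thread is rendered as text, not executed.
safe_include($_GET['page'] ?? 'home');
echo render_comment('<?php echo readfile("index.php") ?>');
```

With the hardened handler, ?page=index, ?page=../something and ?page=http://localhost/index all get a 404 instead of reaching include(), and the rendered comment shows `&lt;?php echo readfile(&quot;index.php&quot;) ?&gt;` in the page source rather than the output of readfile().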