[CSAW 2016] I Got Id – Web200

Chall:

Wtf... I literally just setup this website and it's already popped...

http://web.chal.csaw.io:8002/

This challenge is quite interesting: it focuses on a Perl 5 vulnerability that was presented at Black Hat Asia 2016.
Taking a first look, the site is very simple:

I decided to check file.pl

This page lets the user upload any file, then prints its content back:

Based on what it does, I guess the code looks something like this:

use strict;
use warnings;
use CGI;

my $cgi = CGI->new;
if ( $cgi->upload('file') ) {
    # The value of the 'file' parameter is taken with param(), not the
    # filehandle that upload() returns, so $file can be any string the
    # client sends first under that name.
    my $file = $cgi->param('file');
    # Reads from $file as if it were a filehandle and echoes every line back.
    while ( <$file> ) { print "$_"; }
}

So what's the problem?

Look at this line:

my $file= $cgi->param( 'file' )

param() returns a LIST of ALL the parameter values, but since the assignment is in scalar context only the first value is inserted into $file.

Next:

while ( <$file>)

“<>” doesn’t work with strings unless the string is “ARGV”; in that case it loops through the @ARGV values and passes each one to an open() call.
=> We can read the content of any file by sending the scalar value first, so $file is assigned our scalar value instead of the uploaded file descriptor.

Let's test:

Now we have two ways to get the flag.

The Simple and Lucky way: Guessing

Since we can read the content of any file we want, let's guess the path of the flag.
The answer is /flag. Not too hard to guess, is it?

So get the flag and finish this challenge:

The “Hacker” Way: Remote Code Execution

Let me talk about Perl’s open() function. This function can also execute commands, because it is also used to open pipes. In the two-argument form you can use | as a delimiter, because Perl looks for | to indicate that open() is opening a pipe. An attacker can hijack an open() call that otherwise would not execute a command at all simply by adding a | to the query.
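The two root causes above (a client string from param() used where the upload() filehandle belongs, and a two-argument open() that treats | as a pipe) each have a standard fix. The following is an added example written for this post, not the challenge's code: a hardened version of the guessed handler. It assumes CGI.pm and the same 'file' form field; the self-check at the bottom (hypothetical input values) runs from the command line without a web server.

```perl
#!/usr/bin/perl
# Added example (not the challenge's handler): the two fixes a reviewer would
# ask for in the guessed code above. Assumes CGI.pm and a form field named 'file'.
use strict;
use warnings;
use CGI;

# Fix 1: read the upload through the filehandle that upload() returns.
# A plain string sent as the 'file' parameter (e.g. "ARGV") is never used as a
# filehandle name here, so no symbolic filehandle and no open() is reachable
# from client input. upload() returns undef unless 'file' is a real file upload.
sub print_upload {
    my ($cgi) = @_;
    my $fh = $cgi->upload('file');
    return 0 unless defined $fh;
    while ( my $line = <$fh> ) { print $line; }
    return 1;
}

# Fix 2: when a path really has to come from outside, open it with the
# three-argument form and an explicit mode. With '<' the third argument is
# taken literally as a filename; a '|' (or leading/trailing whitespace) in it
# is not interpreted, unlike the two-argument open(FH, $expr) the exploit uses.
sub read_file_literal {
    my ($path) = @_;
    open( my $fh, '<', $path ) or return undef;   # "x|cmd" is just a file name here
    local $/;                                     # slurp mode
    my $content = <$fh>;
    close $fh;
    return $content;
}

# Self-check (constructed inputs): run as `perl this_script.pl`.
if ( !caller ) {
    # Fake a GET request carrying the exploit payload as a plain parameter,
    # so CGI->new does not wait for offline input on STDIN.
    local $ENV{REQUEST_METHOD} = 'GET';
    local $ENV{QUERY_STRING}   = 'file=ARGV';
    my $cgi = CGI->new;
    print "fix 1: 'file=ARGV' is not an upload, nothing is read\n"
        unless print_upload($cgi);

    # A name containing '|' must be opened literally, never executed.
    my $probe = 'no_such_file|echo SHOULD_NOT_RUN';
    my $got   = read_file_literal($probe);
    print defined $got
        ? "unexpected: opened something\n"
        : "fix 2: '$probe' treated as a file name, open failed cleanly\n";
}
```

Under the three-argument open, a missing file just returns undef and the pipe character has no meaning; if the application must accept paths at all, add an allow-list or a realpath check on top, since a literal open still reads whatever file the string names.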

So what can we do with it? So much!

wew….more…

The flag is coming:

FLAG{p3rl_6_iz_EVEN_BETTER!!1}


2 thoughts on “[CSAW 2016] I Got Id – Web200”

  1. Today I was browsing around and came across your blog :)) I have a question: what is the purpose of adding ${IFS}? I googled it and it seems to be used in place of the space character? I'm not really clear on this part!
    Thanks for writing a great blog ^_^

    • Hi, IFS stands for “internal field separator”; the shell uses it to decide how words are separated.
      For example:
      Default:

      root@ubuntu:/home/tsu/git# set a b c d;echo "$*"
      a b c d
      

      Set IFS:

      root@ubuntu:/home/tsu/git# set a b c d;IFS="~";echo "$*"
      a~b~c~d
      

      As you can see, IFS determined how a b c d were separated based on its value, and IFS's default value is “white space” (space, tab and newline).

      Let's try printing its value (remember, this is the default and it has not been reset yet):

      root@ubuntu:/home/tsu/git# echo "a";echo "$IFS";echo "b"
      a
      
      
      b
      

      So it can be used to bypass the space, since it itself holds the value of a space, and we call it with ${IFS}
      For example:

      echo${IFS}1
