ExtBasic 10

Learn how to do code review

Re: ExtBasic 10

Post by int3grate on Mon Jul 07, 2008 11:46 pm

I really don't think the code is vulnerable to anything... Maybe they made a typo... I don't really know, but I don't see any possible way that could be exploited. I would really like to know the answer to this one, as I have a few scripts that utilize eval() and I wouldn't want someone to be able to exploit them... I'd just like an explanation of how the eval(\$getit = \$y) is vulnerable to a code injection exploit (which I assume is what they are asking for).
int3grate
New User
Posts: 38
Joined: Tue May 27, 2008 7:54 pm


Re: ExtBasic 10

Post by anthon on Tue Jul 08, 2008 5:05 am

Hello,

I'm also stuck on this mission...
I've made a small php script that incorporates the mission code and I can run system binaries with it.

Code:
<?php
  $getit = "hts" . 'f';
  $y = -removed-
  eval("\$getit = \$y;");
  ## Added echo to see the vuln working
  echo $getit . "\n";
?>


But I cannot run the exploit if I build a form and input that "-removed-" line in it (and yes, I have "magic quotes=Off" in php.ini) :P
Hope I didn't post a spoiler... First post on HTS!!! :D

Thanks to everyone!

Edit:

Hummm... It seems some words were removed. Sorry for any inconvenience... :(
Last edited by anthon on Tue Jul 08, 2008 3:12 pm, edited 1 time in total.
anthon
New User
Posts: 1
Joined: Sat Apr 26, 2008 5:50 am


Re: ExtBasic 10

Post by netman on Tue Jul 08, 2008 8:26 am

Yeah, me too. I tried the following

<html>
<head>
<title>extended basic 10</title>
</head>
<body>
<?php
$getit = "hts".'f';
$y = $_GET['arg'];
eval("\$getit = \$y;");
echo $getit;
//echo "<br>";
//passthru(dir);
//echo exec(dir);
?>

<form action="<?=$_SERVER['PHP_SELF']?>" method="get">
<input type="text" name="arg" />
<input type="submit" value="OK" />

</form>
</body>
</html>

but couldn't execute the command dir through the eval function...
Do not know how to exploit the eval... Maybe the function is vulnerable only in some previous PHP versions... maybe...
I tried exec, system and passthrough but nothing... hmmm......
netman
New User
Posts: 2
Joined: Tue Jul 01, 2008 2:56 pm


Re: ExtBasic 10

Post by I-MrKnox-I on Tue Jul 08, 2008 9:41 pm

Yay! Got it!

Another lame extended basics with a lot of possible solutions xD

Kind of hard to give a hint on... Wikipedia holds A LOT of answers ;) ... I'm not gonna post the exact article which helped me, because it tells you pretty much what to do... But look around - something in there might come in handy!

You guys playing around with functions such as passthru, etc. are pretty close... You might want to take a VERY close look at what's special about the functions - which function is the best match for this task? (Small differences are important!)
I-MrKnox-I
New User
Posts: 20
Joined: Fri Apr 18, 2008 2:45 pm


Re: ExtBasic 10

Post by int3grate on Wed Jul 09, 2008 12:04 am

I've tried
system()
exec()
passthru()
pcntl_exec()

None of these would work! Am I missing something stupid?
int3grate
New User
Posts: 38
Joined: Tue May 27, 2008 7:54 pm


Re: ExtBasic 10

Post by I-MrKnox-I on Wed Jul 09, 2008 6:31 am

Not stupid, but yes, I think you are missing something...

You should be aware of the fact that it is not the variable $getit that gets displayed. The script is as you see it, and you don't see $getit getting displayed, do you?

What you need is to find a function which gets and displays the result, and then you need to run it rather than assigning it to the $getit variable...

As I said, hard not to spoil this. Feel free to edit if this is too much of a spoiler.
I-MrKnox-I
New User
Posts: 20
Joined: Fri Apr 18, 2008 2:45 pm


Re: ExtBasic 10

Post by thanaa on Thu Jul 10, 2008 8:26 am

I'm really stumped on this one, mainly because I think there are so many options. According to the page, all I'm supposed to do is execute /etc/bin/moo. That is pretty easy to do; system() would do it, but system won't take. Also, how accurate does the formatting have to be? For example, I could type
?=10;system(\"/etc/bin/moo\");

and that would execute moo, but it's not taking. I've tried b***t***s, exec, system_exec, passthru; still can't get it. Is it my formatting?
thanaa
New User
Posts: 16
Joined: Sat Jun 28, 2008 9:46 pm


Re: ExtBasic 10

Post by I-MrKnox-I on Thu Jul 10, 2008 2:43 pm

Yet again I will repeat: USE THE SHORTEST/EASIEST (= as few chars as possible with the best function) SOLUTION!!!!!!!!!!!!!!!

Cut off EVERYTHING unnecessary.

You should know that by now, since these missions are all about code reviews, which, among other things, have the purpose of making code execute as fast as possible = as short as possible (largely)...
I-MrKnox-I
New User
Posts: 20
Joined: Fri Apr 18, 2008 2:45 pm


Re: ExtBasic 10

Post by ratm_hts on Thu Jul 10, 2008 3:47 pm

I don't really understand how you can do anything with an eval that contains a constant string. Is the '\' in "\$y" really intentional? And, if it is, can anyone explain to me (privately if you think it would be a spoiler) how one injects code into a constant eval?
ratm_hts
New User
Posts: 4
Joined: Sat Jun 28, 2008 7:56 pm


Re: ExtBasic 10

Post by int3grate on Thu Jul 10, 2008 3:55 pm

I've tried B**kt**ks also, but so far, no luck...
int3grate
New User
Posts: 38
Joined: Tue May 27, 2008 7:54 pm