ExtBasic 10

[int3grate]

I really don't think the code is vulnerable to anything... Maybe they made a typo... I don't really know, but I don't see any possible way that could be exploited. I would really like to know the answer to this one, as I have a few scripts that utilize eval() and I wouldn't want someone to be able to exploit them... I'd just like an explanation of how the eval(\$getit = \$y) is vulnerable to a code injection exploit (which I assume is what they are asking for).

[anthon]

Hello,

I'm also stuck on this mission...
I've made a small php script that incorporates the mission code and I can run system binaries with it.

Code: Select all

<?php
  $getit = "hts" . 'f';
  $y = -removed-
  eval("\$getit = \$y;");
  ## Added echo to see the vuln working
  echo $getit . "\n";
?>


But I can not run the exploit if I build a form and input that "-removed-" line in it (and yes I have "magic quotes=Off" in php.ini)
Hope I didin't posted a spoiler... First post in HTS!!!

Thanks to everyone!

Edit:

Hummm.. It seems some words where removed. Sorry for any inconvenience...

[netman]

Yeah, me 2 i tried the following

<html>
<head>
<title>extended basic 10</title>
</head>
<body>
<?php
$getit = "hts".'f';
$y = $_GET['arg'];
eval("\$getit = \$y;");
echo $getit;
//echo "<br>";
//passthru(dir);
//echo exec(dir);
?>

<form action="<?=$_SERVER['PHP_SELF']?>" method="get">
<input type="text" name="arg" />
<input type="submit" value="OK" />

</form>
</body>
</html>

but couldnt execute the command dir through the eval function...
Do not know how to exploit the eval... Maybe the function is vulnerable only to some previous php versions... maybe...
I tried exec,system and passthrough but nothing... hmmm......

[I-MrKnox-I]

Yay! Got it!

Another lame extended basics with a lot of possible solutions xD

Kind of hard to give a hint on... Wikipedia holds A LOT of answers ... Im not gonna post the exact article which helped me, because it tells you pretty much what to do... But look around - something in there might come in handy!

You guys playing around with functions as passthru, etc. are pretty close... You might want to take a VERY close look at whats special for the functions - which function is the best match for this task? (Small differences are important!)

[int3grate]

I've tried
system()
exec()
passthru()
pcntl_exec()

none of these would work! am i missing something stupid?

[I-MrKnox-I]

Not stupid, but yes, i think you are missing something...

You should be aware of the fact, that it is not the variable $getit that gets displayed. The script is as you see it, and you don't see $getit getting displayed, do you?

What you need is to find a function which gets and displays the result, and then you need to run it rather than assigning it to the $getit variable...

As i said, hard not to spoil this. Feel free to edit if this is too much of a spoiler.

[thanaa]

im really stumped on this one, mainly bc i think there are so many options. According to the page , all im suposed to do is execute /etc/bin/moo . That is pretty easy to do system() would do it. but system wont take. ALso how close does formatting have to be accurate for example i could type
?=10;system(\"/etc/bin/moo\");

and that would execute moo but its not taking, iv'e tried b***t***s, exec, system_exec, passthru still cant get it, is it my formatting?

[I-MrKnox-I]

Yet again i will repeat: USE THE SHORTEST/EASIEST (=as few chars as possible with the best function) SOLUTION!!!!!!!!!!!!!!!

Cut off EVERYTHING unnecessary.

You should know that by now, since these missions are all about code reviews, which, among others, has the purpose of making code as fast executable as possible = as short as possible (largely)...

[ratm_hts]

I don't really understand how can you do anything with an eval that contains a constant string. Is the '\' in "\$y" really intentional? And, if it is, can anyone explain me (privately if you think it would be a spoiler) how does one inject code into a constant eval?

[int3grate]

I've tried B**kt**ks also, but so far, no luck...