This one is one of the most involved levels so far, as there are multiple pieces to the puzzle. Let’s jump right in: First we can see they are making an awful lot of effort to prevent us from including arbitrary files via the $filename variable. This is a big
To win this level it would appear that we need to get $_REQUEST[“passwd”] to match the value of “censored”. Maybe there is another way though. Let’s see what the comments on php.net have to say about the strcmp() function. As it turns out !strcmp(“foo”, array()) returns “1” AKA “true”, For
So we need to get $_REQUEST[“passwd”] to be greater than 10, AND strstr($_REQUEST[“passwd”],”iloveyou”) to evaluate to true. Let’s examine the behavior of the PHP “>” operator: According to php.net “If you compare a number with a string or the comparison involves numerical strings, then each string is converted to a
If you though the last level was easy, this one is even easier. Alls we have to do is set revelio=1 for the win:
This one was really easy: Alls we have to do is set admin=1 for the win. Let’s try: Well that didn’t work. What’s up with this experimenter thing anyway? I wonder what would happen if we used the PHPSESSID from that and made the same request? Oh…that’s what happens.
There is a lot of code in this one so lets focus in on the some of the more important parts: Line 23 tells us we need to set $_SESSION[“admin”] == 1. for the win. We don’t have direct control over the $_SESSION array, but the following code offers an
This is a really fabulous hint. We know we’ll have to brute force the session ID again, and we also know the pattern is not sequential like the previous level, so lets start checking out some sample session IDs: Hmmm, all the session IDs consist of letters a-f and digits
No matter what you log in as it says “You are logged in as a regular user. Login as an admin to retrieve credentials for natas19”. We need to get the session where $_SESSION[‘admin’] == 1, but how do we know which PHPSESSID is associated with this? Well earlier in
Our username check is back, and this time it’s not telling us anything: It looks like they forgot to uncomment all the messages before they published this file. That’s ok, we can take the same strategy as the other blind sql level, and use an if statement combined with the
Looks like our old friend is back, and this time they are filtering MORE STUFF OMG!!! TOO BAD IT’S STILL NOT ENOUGH FTW!!! You can see they are filtering the following characters: ; | & ` \ ‘ ” On top of that they put our input inside of double