Threads: Find vulnerabilities on the website, then obtain credentials to unlock further vulnerable functionality and exploit it to get the flag.
Link: Challenge Web01 - WhiteHat Challenge 04 (2017)
Solve:
-First: I found the links http://chall04-web01.wargame.whitehat.vn/?p=dogs and http://chall04-web01.wargame.whitehat.vn/?p=cats.
I think the website's vulnerability is LFI.
-I see ?p=dogs and ?p=cats, so I think the code-behind will look like this:
<?php
error_reporting(0); // hide PHP errors
if (isset($_GET['p'])) {
    $file = $_GET['p'] . '.php';      // user input is concatenated straight into the path
    if (!file_exists($file)) {
        if (!strpos($file, "filter")) { // a "filter" wrapper slips past the fallback
            $file = 'index.php';
        }
    }
    include($file); // assumed: the user-controlled path reaches include(), giving LFI
}
-So I used php://filter to read the code-behind of the index page.
You can refer to: https://hakin9.org/web-application-penetration-testing-local-file-inclusion-lfi-testing/
My payload is: http://chall04-web01.wargame.whitehat.vn/?p=php://filter/convert.base64-encode/resource=index
After that, I decoded the first line with base64decode.org and got the PHP code:
And now I see a file accounts.php, so I use the payload http://chall04-web01.wargame.whitehat.vn/?p=php://filter/convert.base64-encode/resource=accounts to get the contents of the file accounts.php.
After decoding the base64 code I have an account to log in to the website:
-After logging in to the website, I saw a link: http://chall04-web01.wargame.whitehat.vn/detail.php?pet=pet01, so I think it may be vulnerable to SQL injection.
So I attacked with SQL injection and I saw:
I think it filters out spaces. So I attacked with SQL injection bypassing the space filter.
I found that database() is petworld, and the table in the petworld database is Flag.
Finally, I found the flag in the Flag table.
The flag is: Where_there_is_a_will,_there_is_a_way.
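For contrast, here is how the two endpoints from this writeup (the ?p= include and the detail.php?pet= lookup) would be written so that neither the php://filter trick nor the space-filter bypass has anything to act on. This is added example code, not the challenge's source; the allowlist entries, the pets table and the PDO connection are assumptions.

```php
<?php
// Hardened versions of the two endpoints described above (added example, assumed names).
error_reporting(E_ALL);

// 1. Page router: ?p= is looked up in a fixed allowlist instead of being turned
//    into a path. Wrappers like php://filter/... and traversal never reach include().
const PAGES = ['dogs' => 'dogs.php', 'cats' => 'cats.php']; // assumed allowlist

function resolve_page(?string $p): string {
    // Anything not in the allowlist falls back to the index page.
    return PAGES[$p] ?? 'index.php';
}

// 2. Detail lookup: a parameterised query, so the pet id is never concatenated
//    into SQL and there is no need to strip spaces or other characters.
function fetch_pet(PDO $db, string $petId): ?array {
    // Validate the expected shape (e.g. pet01) before touching the database.
    if (!preg_match('/^pet\d{2}$/', $petId)) {
        return null;
    }
    // 'pets' table and its columns are assumed for this example.
    $stmt = $db->prepare('SELECT name, description FROM pets WHERE id = :id');
    $stmt->execute([':id' => $petId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

if (PHP_SAPI !== 'cli') {
    include resolve_page($_GET['p'] ?? null);
}
```

With the allowlist, ?p=php://filter/convert.base64-encode/resource=index simply renders index.php, and with the prepared statement the pet parameter is bound as data rather than parsed as SQL.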