Websec

Websec.fr Level 17

The code for level17 is here. <?php include "flag.php"; function sleep_rand() { /* I wish php5 had random_int() */ $range = 100000; $bytes = (int) (log($range, 2) / 8) + 1; do { /* Side effect: more random cpu cycles wasted ;) */ $rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes))); } while ($rnd >= $range); usleep($rnd); } ?> <!DOCTYPE html> <html> ....... <?php if (isset ($_POST['flag'])): sleep_rand(); /* This makes timing-attack impractical. */ ?> <br> <div class="container"> <div class="row"> <?php if (! strcasecmp ($_POST['flag'], $flag)) echo '<div class="alert alert-success">Here is your flag: <mark>' . $flag . '</mark>.</div>'; else echo '<div class="alert alert-danger">Invalid flag, sorry.</div>'; ?> </div> </div> <?php endif ?> ........ </html> After reading the code, we can ignore the first part of the PHP code because it’s impossible to break this function. But in the second part, the only thing that can lead to a vulnerability is strcasecmp. This function checks if the input matches the flag. Reading strcasecmp php documentation we can see that :

Websec.fr Level 08

The source code of level8 is here. <?php $uploadedFile = sprintf('%1$s/%2$s', '/uploads', sha1($_FILES['fileToUpload']['name']) . '.gif'); if (file_exists ($uploadedFile)) { unlink ($uploadedFile); } if ($_FILES['fileToUpload']['size'] <= 50000) { if (getimagesize ($_FILES['fileToUpload']['tmp_name']) !== false) { if (exif_imagetype($_FILES['fileToUpload']['tmp_name']) === IMAGETYPE_GIF) { move_uploaded_file ($_FILES['fileToUpload']['tmp_name'], $uploadedFile); echo '<p class="lead">Dump of <a href="/level08' . $uploadedFile . '">'. htmlentities($_FILES['fileToUpload']['name']) . '</a>:</p>'; echo '<pre>'; include_once($uploadedFile); echo '</pre>'; unlink($uploadedFile); } else { echo '<p class="text-danger">The file is not a GIF</p>'; } } else { echo '<p class="text-danger">The file is not an image</p>'; } } else { echo '<p class="text-danger">The file is too big</p>'; } ?> With this code we have 2 problems to bypass:

websec file-upload

Websec.fr Level 04

For the Level Four challenge, there are two sources: here and here. Only the PHP code is shown here because the HTML is not important. source1.php <?php include 'connect.php'; $sql = new SQL(); $sql->connect(); $sql->query = 'SELECT username FROM users WHERE id='; if (isset ($_COOKIE['leet_hax0r'])) { $sess_data = unserialize (base64 _decode ($_COOKIE['leet_hax0r'])); try { if (is_array($sess_data) && $sess_data['ip'] != $_SERVER['REMOTE_ADDR']) { die('CANT HACK US!!!'); } } catch(Exception $e) { echo $e; } } else { $cookie = base64_encode (serialize (array ( 'ip' => $_SERVER['REMOTE_ADDR']))) ; setcookie ('leet_hax0r', $cookie, time () + (86400 * 30)); } if (isset ($_REQUEST['id']) && is_numeric ($_REQUEST['id'])) { try { $sql->query .= $_REQUEST['id']; } catch(Exception $e) { echo ' Invalid query'; } } ?> source2.php

websec insecure-deserialization

Websec.fr Level 02

The source code for level2 is here. <?php ini_set('display_errors', 'on'); class LevelTwo { public function doQuery($injection) { $pdo = new SQLite3('leveltwo.db', SQLITE3_OPEN_READONLY); $searchWords = implode (['union', 'order', 'select', 'from', 'group', 'by'], '|'); $injection = preg_replace ('/' . $searchWords . '/i', '', $injection); $query = 'SELECT id,username FROM users WHERE id=' . $injection . ' LIMIT 1'; $getUsers = $pdo->query ($query); $users = $getUsers->fetchArray (SQLITE3_ASSOC); if ($users) { return $users; } return false; } } if (isset ($_POST['submit']) && isset ($_POST['user_id'])) { $lt = new LevelTwo (); $userDetails = $lt->doQuery ($_POST['user_id']); } ?> <!DOCTYPE html> <html> .... </html> We can see that these two lines were problematic, all words in this dictionary are removed from the payload.

Websec.fr Level 01

Websec.fr Level 1 level01 - 1 point - 2564 solves The source code for level1 is shown here. Only the PHP code is included because the vulnerability is only in the PHP code. <?php session_start (); ini_set('display_errors', 'on'); ini_set('error_reporting', E_ALL); include 'anti_csrf.php'; init_token (); class LevelOne { public function doQuery($injection) { $pdo = new SQLite3('database.db', SQLITE3_OPEN_READONLY); $query = 'SELECT id,username FROM users WHERE id=' . $injection . ' LIMIT 1'; $getUsers = $pdo->query($query); $users = $getUsers->fetchArray(SQLITE3_ASSOC); if ($users) { return $users; } return false; } } if (isset ($_POST['submit']) && isset ($_POST['user_id'])) { check_and_refresh_token(); $lo = new LevelOne (); $userDetails = $lo->doQuery ($_POST['user_id']); } ?> <!DOCTYPE html> <html> ........ </html> The problem here is this line $query = 'SELECT id,username FROM users WHERE id=' . $injection . ' LIMIT 1'; it’s a sqli .

Tedsig42

Another infosec enthusiast blog

A Rap / Classic Album that i ❤️

Caballero & Jeanjass - ZushiBoyz vol.4 - Edition exclusive (avec OBI).png

Caballero & Jeanjass - ZushiBoyz vol.4 - Edition exclusive (avec OBI)

Rounhaa - Jaafar.jpeg

Rounhaa - Jaafar

ZushiBoyz vol.3 - Edition exclusive (avec OBI).png

ZushiBoyz vol.3 - Edition exclusive (avec OBI)

Absolem - Les yeux grands fermés.jpg

Absolem - Les yeux grands fermés

Al-Walid - Sarman??.jpg

Al-Walid - Sarman??

Alpha Wann - Don Dada Mixtape.jpeg

Alpha Wann - Don Dada Mixtape

Alpha Wann - UMLA.webp

Alpha Wann - UMLA

Beeby - Gaia.jpg

Beeby - Gaia

Beeby - Morningstar.jpg

Beeby - Morningstar

Beeby - UN GRAND CŒUR DANS UN MONDE DE FILS DE PUTE.jpg

Beeby - UN GRAND CŒUR DANS UN MONDE DE FILS DE PUTE

Bushi - Bushi Tape 3.jpg

Bushi - Bushi Tape 3

Caballero & Jeanjass - DOuble Helice 3.jpg

Caballero & Jeanjass - DOuble Helice 3

Caballero & Jeanjass - High & Fines Herbes.jpg

Caballero & Jeanjass - High & Fines Herbes

Caballero & Jeanjass - Zushiboyz Vol .1.jpg

Caballero & Jeanjass - Zushiboyz Vol .1

Caballero & Jeanjass - Zushiboyz Vol.2.jpg

Caballero & Jeanjass - Zushiboyz Vol.2

Caballero - Dose Heroique.webp

Caballero - Dose Heroique

Chavi & Guydelafonsdal - Chavidelafonsdal.jpeg

Chavi & Guydelafonsdal - Chavidelafonsdal

Damso - Batterie Faible.jpg

Damso - Batterie Faible

Damso - Ipseite.jpg

Damso - Ipseite

Damso - Lithopedion.jpg

Damso - Lithopedion

Damso - QALF.jpg

Damso - QALF

Deen Burbigo - Cercle Vertueux.jpg

Deen Burbigo - Cercle Vertueux

Deen Burbigo - OG SAN 1.jpg

Deen Burbigo - OG SAN 1

Deen Burbigo -OG SAN 2.jpg

Deen Burbigo -OG SAN 2

Dimeh - OV3.jpg

Dimeh - OV3

GAL - Du Caviar Pour Mon Chien.jpeg

GAL - Du Caviar Pour Mon Chien

GAL - JeuneBeurdelafontaine vol2.jpeg

GAL - JeuneBeurdelafontaine vol2

HJeuneCrack - 2eme Mouvement.jpeg

HJeuneCrack - 2eme Mouvement

HJeuneCrack - La Pieuvre.jpg

HJeuneCrack - La Pieuvre

HJeuneCrack - Matiere Premiere.jpg

HJeuneCrack - Matiere Premiere

HJeunecrack - 1er Mouvement.jpg

HJeunecrack - 1er Mouvement

HJeunecrack - 3eme Cycle.jpg

HJeunecrack - 3eme Cycle

Hamza -1994.jpg

Hamza -1994

Hamza -Paradise.jpg

Hamza -Paradise

Huntrill - LE BRUIT DE LA MACHINE A BILLETS .jpg

Huntrill - LE BRUIT DE LA MACHINE A BILLETS

Huntrill - Replica 2.jpeg

Huntrill - Replica 2

Infinit - 888.jpg

Infinit - 888

Infinit - Ma vie est un film 2.jpg

Infinit - Ma vie est un film 2

Infinit - Mr Le Faire.jpg

Infinit - Mr Le Faire

Isha & Limsa D'Aulnay - Bitume caviar.jpg

Isha & Limsa D'Aulnay - Bitume caviar

JUngle Jack - Jungle des illusions Vol 2.jpg

JUngle Jack - Jungle des illusions Vol 2

JeanJass - Goldman.png

JeanJass - Goldman

Jeanjass - Doudoune en été.png

Jeanjass - Doudoune en été

Jeanjass - Tous ces ongles rongés .jpg

Jeanjass - Tous ces ongles rongés

Jok'AIr - Jok'Rambo.jpg

Jok'AIr - Jok'Rambo

Jok'Air - Jok'Chirac.jpg

Jok'Air - Jok'Chirac

Jok'Air - Jok'Travolta.jpg

Jok'Air - Jok'Travolta

Jok'Air - New Jok City.jpg

Jok'Air - New Jok City

Josman - J.000.$.jpg

Josman - J.000.$

Josman - J.O.$.jpg

Josman - J.O.$

Josman - M.A.N (Black Roses & Lost Feelings).jpg

Josman - M.A.N (Black Roses & Lost Feelings)

Josman - MYSTR J.O.$.jpg

Josman - MYSTR J.O.$

Josman - SPLIT.png

Josman - SPLIT

Jungle Jack - Cognacs et Cigarette.jpg

Jungle Jack - Cognacs et Cigarette

Jungle Jack - Creamland.png

Jungle Jack - Creamland

Jungle Jack - Jungle des illusions.jpg

Jungle Jack - Jungle des illusions

Juwel Usain - Ou les garcons grandissent.jpg

Juwel Usain - Ou les garcons grandissent

Keroue - Candella.jpg

Keroue - Candella

Keroue - Record.webp

Keroue - Record

Keroue - Scope.jpg

Keroue - Scope

LaFeve - 24.jpg

LaFeve - 24

LaFeve - ERRR.jpg

LaFeve - ERRR

Le Monde Daho - Le Monde 00.jpg

Le Monde Daho - Le Monde 00

Ledouble & Guydelafonsdal - LeDoubledelafonsdal.jpeg

Ledouble & Guydelafonsdal - LeDoubledelafonsdal

Lefa - Fame.jpg

Lefa - Fame

Lefa -3 du mat.jpg

Lefa -3 du mat

Lefa-DMNR

Luidji - Boscolo Exedra.jpg

Luidji - Boscolo Exedra

Luidji - Saison 00.png

Luidji - Saison 00

Luidji - Tristesse Business.jpg

Luidji - Tristesse Business

Luther - EXIT.jpeg

Luther - EXIT

Luther - Garçon.jpg

Luther - Garçon

Mairo - Omar Chappier.png

Mairo - Omar Chappier

Mairo - Dejeuner en paix.jpg

Mairo - Dejeuner en paix

Mairo, H JeuneCrack - La solution.png

Mairo, H JeuneCrack - La solution

Makala - Chaos Kiss.jpg

Makala - Chaos Kiss

Makala - Radio Suicide.jpg

Makala - Radio Suicide

Makala - Yamoto.jpg

Makala - Yamoto

Nekfeu - LEV.jpg

Nekfeu - LEV

Nepal - Adios Bahamas.jpg

Nepal - Adios Bahamas

Nes - CQSS

Nes - LA COURSE.jpg

Nes - LA COURSE

Nes - Pour 2 VRAI.jpg

Nes - Pour 2 VRAI

Nes - ÇA VA ALLER .jpg

Nes - ÇA VA ALLER

Nujabes - MetaphoricalMusic.jpg

Nujabes - MetaphoricalMusic

Nujabes - Modal Music.jpg

Nujabes - Modal Music

Nujabes - departure.jpg

Nujabes - departure

OgLounis & Guydelafonsdal - OgLounisdelafonsdal.png

OgLounis & Guydelafonsdal - OgLounisdelafonsdal

Oglounis - HARD LAIDBACKING BEFORE.jpg

Oglounis - HARD LAIDBACKING BEFORE

Prince Wally - Moussa.jpg

Prince Wally - Moussa

Romeo Elvis - Chocolat.webp

Romeo Elvis - Chocolat

Romeo Elvis - Tout Peut Arriver.jpg

Romeo Elvis - Tout Peut Arriver

Romeo Elvis Morale.webp

Romeo Elvis Morale

Selug & Kyo Itachi - TATAKAE.jpeg

Selug & Kyo Itachi - TATAKAE

Slimka - Le Grand Mystico.jpg

Slimka - Le Grand Mystico

Tisma & Guydelafonsdal - Tismadelafonsdal.jpeg

Tisma & Guydelafonsdal - Tismadelafonsdal

Toothpick & Guydelafonsdal - Toothpickdelafonsdal.jpeg

Toothpick & Guydelafonsdal - Toothpickdelafonsdal

Toothpick - JEUNE LIFTIER.webp

Toothpick - JEUNE LIFTIER

Toothpick x 3.14 - No Casquette Vol.1.webp

Toothpick x 3.14 - No Casquette Vol.1

Vald - Agartha.jpg

Vald - Agartha

Vald - Ce Monde Est Cruel.jpeg

Vald - Ce Monde Est Cruel

Vald - V

Yvnnis - NOVAE.jpg

Yvnnis - NOVAE

Zushiboyz (Info).jpg

Zushiboyz (Info)

a5el - Mercenaire.jpeg

a5el - Mercenaire

okis & Mani Deïz - Rêve d'un rouilleur.jpg

okis & Mani Deïz - Rêve d'un rouilleur