Description: You are confronted with a website that loads some .txt files to display content for its pages. You are thinking that it may be vulnerable. You aim to load a nice file from a remote server and share the link with unsuspecting visitors.
Your task is to successfully load a PHP file located in the root of infosecinstitute.com. The file should not exist but you must load it without getting errors and it must have the PHP file extension.
Vulnerability: OWASP A4 Insecure Direct Object References
It seems they have a regular expression in place. How restrictive is it actually?
Insecure Direct Object References exist because applications frequently use the actual name or key of an object when generating web pages, and applications don't always verify that the user is authorized for the target object. Testers can easily manipulate parameter values to detect such flaws. Code analysis quickly shows whether authorization is properly verified. Based on the description, let's hack the web :p
The site is simple: it has only a description and three links for Bio, Client, and About. The three links are:
Bio Link – http://ctf.infosecinstitute.com/ctf2/exercises/ex4.php?file=file1.txt
Client Link – http://ctf.infosecinstitute.com/ctf2/exercises/ex4.php?file=file2.txt
About Link – http://ctf.infosecinstitute.com/ctf2/exercises/ex4.php?file=file3.txt
That seems vulnerable on “ex4.php?file=”. On the main page you are told to load a PHP web page located in the root of infosecinstitute.com, so I put
and the result is
invalid file selected
so I changed it to
which came back with an error, but a different message:
There is something else that you must do.
It seems the file must be file1.txt, so I changed it to “ex4.php?file=infosecinstitute.com/file1.php”, and the error went back to the first one; then I added “infosecinstitute.com/file1.txt.php”
and the error went back to the second message, so I checked the hint and saw that I had forgotten to add http:// to infosecinstitute.com, so I added ex4.php?file=http://infosecinstitute.com/file1.txt.php, still not working; then I read the hint again and again, it said case sensitive, so I changed it to
And boom, pass :d
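The write-up shows that a value like “infosecinstitute.com/file1.txt.php” gets past the first check, which is what an unanchored “fileN.txt” regex would do. The following is an added example, not the challenge's own ex4.php: the real regex is not shown on the page, so the naive check is an assumed reconstruction, placed next to the allowlist lookup that closes this class of flaw.

```php
<?php
// Added example, not the challenge's ex4.php. The original regex is not on the
// page; this loose check is an ASSUMED reconstruction of the observed behaviour:
// it only looks for "fileN.txt" somewhere in the parameter and never ties the
// value to a local file.
function naive_file_check(string $file): bool
{
    // Unanchored pattern: "http://host.example/file1.txt.php" still matches, so a
    // following include($file) would fetch remote PHP if allow_url_include is on.
    return preg_match('/file[1-3]\.txt/', $file) === 1;
}

// Hardened version: the user-supplied value is only a key into a fixed map, so
// nothing from the request ever reaches include() as a path.
const PAGE_FILES = [
    'file1.txt' => __DIR__ . '/pages/file1.txt', // Bio
    'file2.txt' => __DIR__ . '/pages/file2.txt', // Client
    'file3.txt' => __DIR__ . '/pages/file3.txt', // About
];

function resolve_page(string $file): ?string
{
    // Exact, case-sensitive key lookup; anything else is rejected outright.
    return PAGE_FILES[$file] ?? null;
}

// Constructed inputs: the legitimate values, the remote ".txt.php" value the
// write-up tried, and a case variant (the hint says the check is case sensitive).
$candidates = [
    'file1.txt',
    'file2.txt',
    'http://infosecinstitute.com/file1.txt.php',
    'FILE1.TXT',
];

foreach ($candidates as $c) {
    printf("%-45s naive=%s allowlist=%s\n",
        $c,
        naive_file_check($c) ? 'accept' : 'reject',
        resolve_page($c) === null ? 'reject' : 'accept');
}
```

The naive check lets the remote URL through because the pattern is neither anchored nor bound to a local directory; the allowlist accepts only the three exact keys and never uses the request value as a path.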
Resources and Tools:
1. OWASP A4 Insecure Direct Object References – https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References