Username: 
Password: 
Restrict session to IP 
Questions  |  score: 4  |  4.06 5.76 5.46 |  Solved By 796 People  |  59930 views  |  since Jun 16, 2009 - 09:14:35

PHP 0816 (Exploit, PHP)

Description
Your mission is to read solution.php by exploiting the highlighter script.
Again, you will get the source of the current script in action.
Below are three links as example how to use my nice highlighter script.
Good luck.
GeSHi`ed php code for code.php
1
2
3
4
56
7
8
9
1011
12
13
14
1516
17
18
19
2021
22
23
24
2526
27
28
29
3031
32
33
34
3536
37
38
39
4041
42
43
44
4546
47
48
49
5051
52
53
54
5556
57
58
59
6061
62
63
64
6566
67
68
69
7071
72
73
74
7576
77
78
79
8081
82
83
84
8586
87
88
89
9091
92
93
94
9596
97
98
99
100101
102
103
104
105106
107
108
109
110111
112
113
114
115116
117
118
119
120121
122
123
124
125126
127
128
129
130131
132
133
134
135136
137
138
139
<?php
$cwd = getcwd();
chdir('../../');
require_once('challenge/html_head.php');
html_head('PHP0816 Challenge - The Highlighter');chdir($cwd);
 
# globals
global $highlights;
$highlights = array(); 
/**
 * Parse the GET parameters.
 */
foreach ($_GET as $key => $value){
        if ($key === 'src') {
                php0816SetSourceFile($value);
        }
        elseif ($key === 'mode') {                php0816execute($value);
        }
        elseif ($key === 'hl') {
                php0816addHighlights($value);
        }}
 
 
/**
 * Make magic quotes off ! * (it is really defined in /include/util/Class_Common.php and will deprecate soon)
 * (also you can look on the html_head() stuff, etc. WeChall source is public domain)
 * (if you like a hint: There is a main logical error in this script, applies to all programming languages, not only php. H4\/3: |>  |-|  |_|  |\|)
 */
/*final class Common
{
        public function getGet($varname, $default=false)
        {
                if (!isset($_GET[$varname])) {                        return $default;
                }
                return 
                        get_magic_quotes_gpc() > 0 ?
                                stripslashes($_GET[$varname]) :                                $_GET[$varname];
        }
}
*/
/** * Set the text file to show.
 * Sanitize Get Parameter.
 * Only allow 3 different files by whitelist at the moment.
 * TODO: broken ?!? people can see other files ! :(
 * @param $filename string - the filename * @return void
 */
function php0816SetSourceFile($filename)
{
        $filename = (string) $filename;        
        static $whitelist = array(
                'test.php',
                'index.php',
                'code.php',        );
 
        # Sanitize by whitelist
        if (!in_array($filename, $whitelist, true))
        {                $_GET['src'] = false;
        }
}
 
/** * Add the highlighter keywords. 
 * @param $keyword array of strings - the highlighting keywords
 * @return void
 */
function php0816addHighlights($keywords){
        global $highlights;
        if (!is_array($keywords)) { return true; }
        
        foreach($keywords as $k)        {
                $highlights[] = $k;
        }
}
 /**
 * Execute action.
 * Currently only hl is known.
 * @param $mode
 * @return void */
function php0816execute($mode)
{
        switch($mode)
        {                case 'hl': php0816Highlighter(); break;
        }
}
 
/** * Call the highlighter :)
 * sweeeeet.
 * @return void
 */
function php0816Highlighter(){
        global $highlights; # <-- global highlights :D
        
        # SOMEONE SAID THIS WILL FIX IT, BUT PEOPLE CAN STILL SEE solution.php :(  #
        $filename = str_replace(array('/', '\\', '..'), '', Common::getGet('src'));#        
        if (false === ($text = @file_get_contents($filename)))
        {
                echo '<div>File not Found: '.htmlspecialchars($filename, ENT_QUOTES).'</div>';
                return false;        }
        
        $text = htmlspecialchars($text, ENT_QUOTES);
 
        foreach ($highlights as $highlight)        {
                $stlye = 'color:#CD7F32; background-color:white; padding: 0 8px;'; 
                $text = str_replace($highlight, '<b style="'.$stlye.'">'.$highlight.'</b>', $text);
        }
                echo '<pre>'.$text.'</pre>';
}
 
$cwd = getcwd();
chdir('../../');require_once('challenge/html_foot.php');
chdir($cwd);
?>
 
Your solution for PHP 0816
Answer
© 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023 and 2024 by Gizmore