1
2
3
4
56
7
8
9
1011
12
13
14
1516
17
18
19
2021
22
23
24
2526
27
28
29
3031
32
33
34
3536
37
38
39
4041
42
43
44
4546
47
48
49
5051
52
53
54
5556
57
58
59
6061
62
63
64
6566
67
68
69
7071
72
73
74
7576
77
78
79
8081
82
83
84

<?php
# Higlighter Plain
if (isset($_GET['show']) && $_GET['show'] === 'source')
{
        header('Content-Type: text/plain; charset=utf8;');        echo file_get_contents('index.php');
        die();
}
 
# Change dir to web rootchdir('../../../../../');
 
# Print the website header
define('GWF_PAGE_TITLE', 'Local File Inclusion');
require_once('challenge/html_head.php');if (false === ($chall = WC_Challenge::getByTitle('Training: PHP LFI'))) {
        $chall = WC_Challenge::dummyChallenge('Training: PHP LFI', 2, 'challenge/training/php/lfi/up/index.php', false);
}
$chall->showHeader();
  
# Highlighter BBCode
if (isset($_GET['highlight']) && $_GET['highlight'] === 'christmas')
{
        echo GWF_Message::display('[PHP]'.file_get_contents($_SERVER['SCRIPT_FILENAME']).'');        require_once('challenge/html_foot.php');
        return;
}
 
################################## Here is your exploit :) ###
###############################
$code = '$filename = \'pages/\'.(isset($_GET["file"])?$_GET["file"]:"welcome").\'.html\';';
$code_emulate_pnb = '$filename = Common::substrUntil($filename, "\\0");'; # Emulate Poison Null Byte for PHP>=5.3.4
$code2 = 'include $filename;';### End of exploit ###
 
# Show the mission box
$url = 'index.php?file=';
$ex = array('welcome', 'news', 'forums');$showsrc1 = 'index.php?show=source';
$showsrc2 = 'index.php?highlight=christmas';
foreach ($ex as $i => $e) { $ex[$i] = htmlspecialchars($url.$e); }
echo GWF_Box::box($chall->lang('info', array(GWF_Message::display('[PHP]'.$code.PHP_EOL.$code2.''), '../solution.php', $showsrc1, $showsrc2, $ex[0], $ex[1], $ex[2])), $chall->lang('title'));
 # Execute the code, using eval.
GWF_Debug::setDieOnError(false);
GWF_Debug::setMailOnError(false);
eval($code.$code_emulate_pnb); # eval the first line
 echo '<div class="box">'.PHP_EOL;
echo '<div class="box_t">'.$chall->lang('example_title').' ('.htmlspecialchars($filename).')'.'</div>'.PHP_EOL;
echo '<div class="box_c">'.PHP_EOL;
if (lfiIsSafeDir($filename) === true) { eval($code2); } # Eval the second line, when safe.
else { echo GWF_HTML::error('LFI', $chall->lang('err_basedir'), false); }echo '</div>'.PHP_EOL;
echo '</div>'.PHP_EOL;
GWF_Debug::setMailOnError(true);
GWF_Debug::setDieOnError(true);
 # Show credits box
if (false !== ($minus = GWF_User::getByName('minus')))
{
        echo GWF_Box::box($chall->lang('credits', array($minus->displayProfileLink())));
} 
# Show end of website
echo $chall->copyrightFooter();
require_once('challenge/html_foot.php');
  
### Safety first ###
function lfiIsSafeDir($filename)
{
        $valid = array(                'pages',
                'pages/../..',
                'pages/..',
        );
        $d = dirname($filename);        return in_array($d, $valid, true);
}
?>