Hi,
I have a strange problem - I'm unable to complete one of the sections of the web attacks module.
I've almost finished all sections except one, called 'Bypassing Security Filters'. It simply is not working for me at all. I suspect there is some bug or something misleading in the section description. So I'd like to ask someone to PM me to check whether their approach is the same and whether it works for them.
The Problem:
I can't bypass the BE filter to do command injection in any way (I tried all HTTP methods).
I used the task description as a lead for how I tackle the problem. That usually works fine without breaking the flow. But this one is a) misleading and b) there is a bug.
Content of the task description:
To get the flag, try to bypass the command injection filter through HTTP Verb Tampering, while using the following filename: file; cp /flag.txt ./
So, e.g., I tried literally (encoded and non-encoded versions):
GET /index.php?filename=file%3bcp+/flag.txt+./
POST /index.php?filename=file%3bcp+/flag.txt+./
…
Same for different filenames.
Basically, this is what I expect should work, e.g.:
HEAD /index.php?filename=file%3b → (or decoded /index.php?filename=file; )
Other info:
I tried HTB support, but that was not helpful at all. I'm not even sure if they understood what my problem is.
The exercise is clear to me. I understand the content and aim of the exercise. Basically, I need to switch the HTTP method to a different one, and the content of the payload won't be checked due to the insecure coding approach. … At least that is what I expect from the exercise according to its content and the task description.
Why broken?
My assumption that it is broken for me is based on the different behavior - what I observed vs. what is described in the source material.
E.g., my initial triggering method for uploading the file on the exercise machine is GET, not POST. But the content of the code from the exercise is this (taken from the section Verb Tampering Prevention):
```php
if (isset($_REQUEST['filename'])) {
    // The check reads $_POST['filename'], but the command below uses
    // $_REQUEST['filename']; on a non-POST request $_POST['filename'] is
    // unset, so the regex never sees the value that actually gets executed.
    if (!preg_match('/[^A-Za-z0-9. _-]/', $_POST['filename'])) {
        system("touch " . $_REQUEST['filename']);
    } else {
        echo "Malicious Request Denied!";
    }
}
```
Now, when I try something really simple, e.g.
POST / HEAD / PUT etc. /index.php?filename=file%3b
the file won't be created, and I see 'Malicious Request Denied!',
but it should pass. The whole exercise is focused on HTTP verb tampering - not code injection. So I assume this simple example should be OK according to the section description.
Can somebody tackle it together with me?
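As an added example that is not part of this post or of the HTB module, here is the quoted snippet rewritten so that the method check, the validation and the file operation all look at the same value; it assumes the endpoint only needs to create an empty file in its own directory, and the handle_touch() function name is a hypothetical stand-in for the original inline code.

```php
<?php
// Added example, not the module's or the poster's code. Assumes the page
// only has to create an empty file next to the script.
function handle_touch(array $server, array $post): string
{
    // 1. Accept only the method the form uses; other verbs (GET, HEAD, PUT,
    //    ...) are refused before any parameter is read, so verb tampering
    //    never reaches the validation step at all.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        return 'Method Not Allowed';
    }

    // 2. Read the value from ONE source and validate that same value. The
    //    original matched $_POST['filename'] but executed $_REQUEST['filename'],
    //    so the value that ran was not always the value that was checked.
    $filename = $post['filename'] ?? '';

    // 3. Allow-list anchored to the whole string: same character set as the
    //    module's regex, but one stray character rejects the request.
    //    '.' and '..' match the pattern yet are not names we want touched.
    if (!preg_match('/^[A-Za-z0-9. _-]+$/', $filename)
        || in_array($filename, ['.', '..'], true)) {
        http_response_code(400);
        return 'Malicious Request Denied!';
    }

    // 4. No shell at all: PHP's touch() creates the file directly, so a ';'
    //    or '&&' in the name has nothing to be injected into.
    if (!touch(__DIR__ . '/' . $filename)) {
        http_response_code(500);
        return 'Could not create file';
    }
    return "File '$filename' created";
}

// Constructed requests so the block can be run as `php this_file.php`:
if (PHP_SAPI === 'cli') {
    // Payload sent via GET: stopped by the method check (405).
    echo handle_touch(['REQUEST_METHOD' => 'GET'], []), PHP_EOL;
    // Same payload via POST: stopped by the anchored allow-list (400).
    echo handle_touch(['REQUEST_METHOD' => 'POST'],
                      ['filename' => 'file; cp /flag.txt ./']), PHP_EOL;
    // A benign name via POST: notes.txt is created next to the script.
    echo handle_touch(['REQUEST_METHOD' => 'POST'],
                      ['filename' => 'notes.txt']), PHP_EOL;
}
```

Dropping system() is what removes the injection risk; the method check and the single parameter source are what close the verb-tampering gap the module describes.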