Academy - WEB ATTACKS module - Bypassing Security Filters

Hi,
I have a strange problem - I'm unable to complete one of the sections of the Web Attacks module.
I've finished all sections but one, called 'Bypassing Security Filters'. It simply is not working for me at all. I suspect there is a bug or something misleading in the section description. So I'd like to ask someone to PM me to check whether their approach is the same and whether it works for them.

The Problem:
I can't bypass the BE (back-end) filter to do command injection in any way (I tried all HTTP methods).

I used the task description as a lead for how to tackle the problem. That usually works fine without breaking the flow, but this one is a) misleading and b) buggy.

Content of the task description:
To get the flag, try to bypass the command injection filter through HTTP Verb Tampering, while using the following filename: file; cp /flag.txt ./

So e.g. I tried literally (encoded and non-encoded versions):
GET /index.php?filename=file%3bcp+/flag.txt+./
POST /index.php?filename=file%3bcp+/flag.txt+./

Same for different filenames.
Basically this is what I expect should work, e.g.
HEAD /index.php?filename=file%3b  (or decoded: /index.php?filename=file; )

Other info:
I tried HTB support, but that was not helpful at all. I'm not even sure they understood what my problem is.

That exercise is clear to me. I understand the content and aim of the exercise. Basically I need to switch the HTTP method to a different one, and the content of the payload won't be checked due to an insecure coding approach. … At least that is what I expect from the exercise according to its content and the task description.

Why broken?
My assumption that it is broken for me is based on the different behavior observed by myself vs. that described in the source material.

e.g. My initial triggering method for uploading the file on the exercise machine is GET, not POST. But the content of the code from the exercise is this (taken from the section Verb Tampering Prevention):

// As quoted from the section: the filter is evaluated against $_POST['filename'],
// but the command is built from $_REQUEST['filename'] (GET, POST or cookie data).
if (isset($_REQUEST['filename'])) {
    if (!preg_match('/[^A-Za-z0-9. _-]/', $_POST['filename'])) {
        // Validation and use read different variables, so the value that
        // reaches system() need not be the one that was checked.
        system("touch " . $_REQUEST['filename']);
    } else {
        echo "Malicious Request Denied!";
    }
}

Now, when I try something really simple, e.g.
POST / HEAD / PUT etc. /index.php?filename=file%3b
the file won't be created and I see Malicious Request Denied!, but it should pass. The whole exercise is focused on HTTP verb tampering, not code injection. So I assume this simple example should be OK according to the section description.

Can somebody tackle it together with me?

Hey dude,

Definitely feel free to reach out to me. Out of curiosity, when you change the request method from GET to POST, are you also changing how you deliver the data?

When I look at both of these, the POST request would be wrong because it shouldn't have the parameters in the URL like that. Make sure that you right-click and use "Change request method", because it automatically formats it. Or you would have to manually put the parameters after the headers and scrub them from the top.

Regardless, feel free to reach out.
-onthesauce

3 Likes
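Added example (written for this edit; not code from the thread, from onthesauce, or from HTB Academy) that models the two things the exchange above turns on: how PHP populates $_GET, $_POST and $_REQUEST depending on where the parameter is sent, and what Burp's "Change request method" does to a GET so the parameter moves into the body. The snippet quoted in the first post checks $_POST while executing from $_REQUEST; the thread does not settle which superglobal the lab's filter actually reads (the behaviour reported above, GET and query-string POST denied while body POST goes through, is what a filter reading $_GET would produce), so the simulator takes that as a parameter. The raw request text, host name, helper names and the PHP request_order assumption are mine.

```python
"""Added example (not code from the thread or from HTB Academy): simulate how
PHP fills $_GET, $_POST and $_REQUEST for differently shaped requests, run the
quoted filter logic against them, and show what Burp's "Change request method"
does to a GET so the parameter actually lands in the POST body.

Assumptions (not stated on the page): PHP's default request_order = "GP", so
$_REQUEST is $_GET overlaid by $_POST; only a POST with a form-encoded body
populates $_POST; an unset index is null, which preg_match treats as "".
"""
import re
from urllib.parse import parse_qs, urlsplit

# Character class from the snippet quoted in the thread.
FILTER = re.compile(r"[^A-Za-z0-9. _-]")

# Constructed sample input: the payload the task description asks for,
# URL-encoded the way the original poster sent it.
PAYLOAD_QUERY = "filename=file%3bcp+/flag.txt+./"
SAMPLE_GET = (
    "GET /index.php?" + PAYLOAD_QUERY + " HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "\r\n"
)


def php_superglobals(method, target, body):
    """Return ($_GET, $_POST, $_REQUEST) as dicts for one request."""
    query = urlsplit(target).query
    get = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    post = {}
    if method == "POST" and body:
        post = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return get, post, {**get, **post}


def filter_verdict(method, target, body, checked="POST"):
    """Model the quoted snippet: the regex runs against one superglobal
    ('POST' as in the snippet; 'GET' to model a filter that reads $_GET)
    while the command is built from $_REQUEST.

    Returns ('ignored', None), ('denied', None) or ('executed', command).
    """
    get, post, request = php_superglobals(method, target, body)
    if "filename" not in request:
        return ("ignored", None)
    source = post if checked == "POST" else get
    candidate = source.get("filename", "")  # unset index -> null -> ""
    if FILTER.search(candidate):
        return ("denied", None)
    return ("executed", "touch " + request["filename"])


def hardened_verdict(method, target, body):
    """Fix: validate exactly the variable that is used."""
    _, _, request = php_superglobals(method, target, body)
    if "filename" not in request:
        return ("ignored", None)
    if FILTER.search(request["filename"]):
        return ("denied", None)
    return ("executed", "touch " + request["filename"])


def change_request_method(raw_get):
    """Rewrite a raw GET into a POST the way Burp's 'Change request method'
    does: drop the query from the request line, send it as the form-encoded
    body, and add the headers a body needs."""
    head, _, _ = raw_get.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    if method != "GET":
        raise ValueError("expected a GET request")
    path, _, query = target.partition("?")
    headers = [
        h for h in lines[1:]
        if not h.lower().startswith(("content-type:", "content-length:"))
    ]
    headers.append("Content-Type: application/x-www-form-urlencoded")
    headers.append("Content-Length: %d" % len(query.encode()))
    return "\r\n".join(["POST %s %s" % (path, version)] + headers) + "\r\n\r\n" + query


def parse_raw(raw):
    """Split a raw request into (method, target, body) for the simulator."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n")[0].split(" ", 2)
    return method, target, body


if __name__ == "__main__":
    raw_post = change_request_method(SAMPLE_GET)
    print(raw_post)
    cases = {
        "GET, param in query": parse_raw(SAMPLE_GET),
        "POST, param still in query": ("POST", "/index.php?" + PAYLOAD_QUERY, ""),
        "POST, param in body": parse_raw(raw_post),
    }
    for checked in ("POST", "GET"):
        print("filter reads $_%s:" % checked)
        for name, (m, t, b) in cases.items():
            print("  %-28s %s" % (name, filter_verdict(m, t, b, checked)))
```

Running it prints the rewritten POST and then, for each assumed filter source, which request shape is denied and which one reaches system() with the injected payload. The practical point is the one made above: a POST whose parameter is still in the query string populates $_GET, not $_POST, so moving the method alone changes nothing; the parameter has to move with it. The hardened_verdict function is the obvious fix, checking the same variable that is used.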

Man, thank you from my heart :) that was the issue. I was not aware of it and I assumed the same format. Solved :)

This may possibly be the thing I missed in the 'skill assessment' section. Great hint!

1 Like

No problem at all! I think I hit the same issue when I attempted that question.

Glad you got it!
-onthesauce

In Repeater, right-click the request and hit "Change request method."

So simple, yet it stumped me for a bit!

John