Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- The challenge to solve:
- This is the code we know is on the server:
- <?php
- define('SYS_CON', 'dc877c9decfce360db824b8b2a385500816030be6e33dc770d77dffbf25addfe');
- define('SYS_VER', 'b9e39ffdadb649289db6e601dc1e1f642cf6673c8908cdd24181a657cc68db8e');
- define('SYS_AUT', '05a4d9e259fc3d11d997e521addb6be1cb8752e7f99339324f02d74f50f0254c');
- //include("includes/anti_rfi.php"); //rfi is forbidden!!!!!
- function x___1_k($l){$s=array();for($i=0;$i< strlen($l);$i++){array_push($s,substr($l,$i,1));}return $s;}
- function x__3_h($k){$m="";foreach($k AS $x){$m.=$x;}return $m;}
- $inc = $_GET['file'];
- require_once(x__3_h(x___1_k($inc)).'.html');
- ?>
- That is all we know. We are trying to accomplish Remote Code Execution. Using RFI or LFI to accomplish it is not allowed.
- We also have a sample php.ini code that is installed on remote server:
- ;;;;;;;;;;;;;;;;
- ; File Uploads ;
- ;;;;;;;;;;;;;;;;
- ; Whether to allow HTTP file uploads.
- ; http://php.net/file-uploads
- file_uploads = On
- ; Temporary directory for HTTP uploaded files (will use system default if not
- ; specified).
- ; http://php.net/upload-tmp-dir
- ;upload_tmp_dir =
- ; Maximum allowed size for uploaded files.
- ; http://php.net/upload-max-filesize
- upload_max_filesize = 2M
- ;;;;;;;;;;;;;;;;;;
- ; Fopen wrappers ;
- ;;;;;;;;;;;;;;;;;;
- ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
- ; http://php.net/allow-url-fopen
- allow_url_fopen = On
- ; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
- ; http://php.net/allow-url-include
- allow_url_include = On
- ; Define the anonymous ftp password (your email address). PHP's default setting
- ; for this is empty.
- ; http://php.net/from
- ;from="john@doe.com"
- ; Define the User-Agent string. PHP's default setting for this is empty.
- ; http://php.net/user-agent
- ;user_agent="PHP"
- ; Default timeout for socket based streams (seconds)
- ; http://php.net/default-socket-timeout
- default_socket_timeout = 60
- ; If your scripts have to deal with files from Macintosh systems,
- ; or you are running on a Mac and need to deal with files from
- ; unix or win32 systems, setting this flag will cause PHP to
- ; automatically detect the EOL character in those files so that
- ; fgets() and file() will work regardless of the source of the file.
- ; http://php.net/auto-detect-line-endings
- ;auto_detect_line_endings = Off
- ;;;;;;;;;;;;;;;;;;;;;;
- ; Dynamic Extensions ;
- ;;;;;;;;;;;;;;;;;;;;;;
- ; If you wish to have an extension loaded automatically, use the following
- ; syntax:
- ;
- ; extension=modulename.extension
- ;
- ; For example, on Windows:
- ;
- ; extension=msql.dll
- ;
- ; ... or under UNIX:
- ;
- ; extension=msql.so
- ;
- ; ... or with a path:
- ;
- ; extension=/path/to/extension/msql.so
- ;
- ; If you only provide the name of the extension, PHP will look for it in its
- ; default extension directory.
- ;
- ; Windows Extensions
- ; Note that ODBC support is built in, so no dll is needed for it.
- ; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP 5)
- ; extension folders as well as the separate PECL DLL download (PHP 5).
- ; Be sure to appropriately set the extension_dir directive.
- ;
- ;extension=php_bz2.dll
- ;extension=php_curl.dll
- ;extension=php_dba.dll
- ;extension=php_exif.dll
- ;extension=php_fileinfo.dll
- ;extension=php_gd2.dll
- ;extension=php_gettext.dll
- ;extension=php_gmp.dll
- ;extension=php_intl.dll
- ;extension=php_imap.dll
- ;extension=php_interbase.dll
- ;extension=php_ldap.dll
- ;extension=php_mbstring.dll
- ;extension=php_ming.dll
- ;extension=php_mssql.dll
- ;extension=php_mysql.dll
- ;extension=php_mysqli.dll
- ;extension=php_oci8.dll ; Use with Oracle 10gR2 Instant Client
- ;extension=php_oci8_11g.dll ; Use with Oracle 11g Instant Client
- ;extension=php_openssl.dll
- ;extension=php_pdo_firebird.dll
- ;extension=php_pdo_mssql.dll
- ;extension=php_pdo_mysql.dll
- ;extension=php_pdo_oci.dll
- ;extension=php_pdo_odbc.dll
- ;extension=php_pdo_pgsql.dll
- ;extension=php_pdo_sqlite.dll
- ;extension=php_pgsql.dll
- ;extension=php_phar.dll
- ;extension=php_pspell.dll
- ;extension=php_shmop.dll
- ;extension=php_snmp.dll
- ;extension=php_soap.dll
- ;extension=php_sockets.dll
- ;extension=php_sqlite.dll
- ;extension=php_sqlite3.dll
- ;extension=php_sybase_ct.dll
- ;extension=php_tidy.dll
- ;extension=php_xmlrpc.dll
- ;extension=php_xsl.dll
- ;extension=php_zip.dll
- extension="zip.so"
- extension="sqlite.so"
- extension="radius.so"
- extension="pgsql.so"
- ; disabled in XAMPP 1.7.2 because incompatible with PHP 5.3.0
- ;extension="dbx.so"
- extension="ming.so"
- ;extension="dio.so"
- ;extension="interbase.so"
- ; disabled in XAMPP 1.7.2 because incompatible with PHP 5.3.0
- ;extension="eaccelerator.so"
- ;eaccelerator.shm_size="16"
- ;eaccelerator.cache_dir="/opt/lampp/tmp/eaccelerator"
- ;eaccelerator.enable="1"
- ;eaccelerator.optimizer="1"
- ;eaccelerator.check_mtime="1"
- ;eaccelerator.debug="0"
- ;eaccelerator.filter=""
- ;eaccelerator.shm_max="0"
- ;eaccelerator.shm_ttl="0"
- ;eaccelerator.shm_prune_period="0"
- ;eaccelerator.shm_only="0"
- ;eaccelerator.compress="1"
- ;eaccelerator.compress_level="9"
- ;oci8mark
- ;;;;;;;;;;;;;;;;;;;
- ; Module Settings ;
- ;;;;;;;;;;;;;;;;;;;
- [Date]
- ; Defines the default timezone used by the date functions
- ; http://php.net/date.timezone
- date.timezone = Europe/Berlin
- ; http://php.net/date.default-latitude
- ;date.default_latitude = 31.7667
- ; http://php.net/date.default-longitude
- ;date.default_longitude = 35.2333
- ; http://php.net/date.sunrise-zenith
- ;date.sunrise_zenith = 90.583333
- ; http://php.net/date.sunset-zenith
- ;date.sunset_zenith = 90.583333
- [filter]
- ; http://php.net/filter.default
- ;filter.default = unsafe_raw
- ; http://php.net/filter.default-flags
- ;filter.default_flags =
- [iconv]
- ;iconv.input_encoding = ISO-8859-1
- ;iconv.internal_encoding = ISO-8859-1
- ;iconv.output_encoding = ISO-8859-1
- [intl]
- ;intl.default_locale =
- [sqlite]
- ; http://php.net/sqlite.assoc-case
- ;sqlite.assoc_case = 0
- [sqlite3]
- ;sqlite3.extension_dir =
- [Pcre]
- ;PCRE library backtracking limit.
- ; http://php.net/pcre.backtrack-limit
- ;pcre.backtrack_limit=100000
- ;PCRE library recursion limit.
- ;Please note that if you set this value to a high number you may consume all
- ;the available process stack and eventually crash PHP (due to reaching the
- ;stack size limit imposed by the Operating System).
- ; http://php.net/pcre.recursion-limit
- ;pcre.recursion_limit=100000
- [Pdo]
- ; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off"
- ; http://php.net/pdo-odbc.connection-pooling
- ;pdo_odbc.connection_pooling=strict
- ;pdo_odbc.db2_instance_name
- [Pdo_mysql]
- ; If mysqlnd is used: Number of cache slots for the internal result set cache
- ; http://php.net/pdo_mysql.cache_size
- pdo_mysql.cache_size = 2000
- ; Default socket name for local MySQL connects. If empty, uses the built-in
- ; MySQL defaults.
- ; http://php.net/pdo_mysql.default-socket
- pdo_mysql.default_socket=
- [Phar]
- ; http://php.net/phar.readonly
- ;phar.readonly = On
- ; http://php.net/phar.require-hash
- ;phar.require_hash = On
- ;phar.cache_list =
- [Syslog]
- ; Whether or not to define the various syslog variables (e.g. $LOG_PID,
- ; $LOG_CRON, etc.). Turning it off is a good idea performance-wise. In
- ; runtime, you can define these variables by calling define_syslog_variables().
- ; http://php.net/define-syslog-variables
- define_syslog_variables = Off
- [mail function]
- ; For Win32 only.
- ; http://php.net/smtp
- SMTP = localhost
- ; http://php.net/smtp-port
- smtp_port = 25
- ; For Win32 only.
- ; http://php.net/sendmail-from
- ;sendmail_from = me@example.com
- ; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
- ; http://php.net/sendmail-path
- ;sendmail_path =
- ; Force the addition of the specified parameters to be passed as extra parameters
- ; to the sendmail binary. These parameters will always replace the value of
- ; the 5th parameter to mail(), even in safe mode.
- ;mail.force_extra_parameters =
- ; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
- mail.add_x_header = On
- ; Log all mail() calls including the full path of the script, line #, to address and headers
- ;mail.log =
- /////////////
- End of php.ini file. The answer to the challenge is supposed to be in it...
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement