SHARE
TWEET

aa

a guest Feb 9th, 2011 434 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. The challenge to solve:
  2.  
  3. This is the code we know is on the server:
  4.  
  5. <?php
  6. define('SYS_CON', 'dc877c9decfce360db824b8b2a385500816030be6e33dc770d77dffbf25addfe');
  7. define('SYS_VER', 'b9e39ffdadb649289db6e601dc1e1f642cf6673c8908cdd24181a657cc68db8e');
  8. define('SYS_AUT', '05a4d9e259fc3d11d997e521addb6be1cb8752e7f99339324f02d74f50f0254c');
  9. //include("includes/anti_rfi.php"); //rfi is forbidden!!!!!
  10. function x___1_k($l){$s=array();for($i=0;$i< strlen($l);$i++){array_push($s,substr($l,$i,1));}return $s;}
  11. function x__3_h($k){$m="";foreach($k AS $x){$m.=$x;}return $m;}
  12. $inc = $_GET['file'];
  13. require_once(x__3_h(x___1_k($inc)).'.html');
  14. ?>
  15.  
  16. That is all we know. We are trying to accomplish Remote Code Execution. Using RFI or LFI to accomplish it is not allowed.
  17.  
  18. We also have a sample php.ini code that is installed on remote server:
  19.  
  20. ;;;;;;;;;;;;;;;;
  21. ; File Uploads ;
  22. ;;;;;;;;;;;;;;;;
  23.  
  24. ; Whether to allow HTTP file uploads.
  25. ; http://php.net/file-uploads
  26. file_uploads = On
  27.  
  28. ; Temporary directory for HTTP uploaded files (will use system default if not
  29. ; specified).
  30. ; http://php.net/upload-tmp-dir
  31. ;upload_tmp_dir =
  32.  
  33. ; Maximum allowed size for uploaded files.
  34. ; http://php.net/upload-max-filesize
  35. upload_max_filesize = 2M
  36.  
  37. ;;;;;;;;;;;;;;;;;;
  38. ; Fopen wrappers ;
  39. ;;;;;;;;;;;;;;;;;;
  40.  
  41. ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
  42. ; http://php.net/allow-url-fopen
  43. allow_url_fopen = On
  44.  
  45. ; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
  46. ; http://php.net/allow-url-include
  47. allow_url_include = On
  48.  
  49. ; Define the anonymous ftp password (your email address). PHP's default setting
  50. ; for this is empty.
  51. ; http://php.net/from
  52. ;from="john@doe.com"
  53.  
  54. ; Define the User-Agent string. PHP's default setting for this is empty.
  55. ; http://php.net/user-agent
  56. ;user_agent="PHP"
  57.  
  58. ; Default timeout for socket based streams (seconds)
  59. ; http://php.net/default-socket-timeout
  60. default_socket_timeout = 60
  61.  
  62. ; If your scripts have to deal with files from Macintosh systems,
  63. ; or you are running on a Mac and need to deal with files from
  64. ; unix or win32 systems, setting this flag will cause PHP to
  65. ; automatically detect the EOL character in those files so that
  66. ; fgets() and file() will work regardless of the source of the file.
  67. ; http://php.net/auto-detect-line-endings
  68. ;auto_detect_line_endings = Off
  69.  
  70. ;;;;;;;;;;;;;;;;;;;;;;
  71. ; Dynamic Extensions ;
  72. ;;;;;;;;;;;;;;;;;;;;;;
  73.  
  74. ; If you wish to have an extension loaded automatically, use the following
  75. ; syntax:
  76. ;
  77. ;   extension=modulename.extension
  78. ;
  79. ; For example, on Windows:
  80. ;
  81. ;   extension=msql.dll
  82. ;
  83. ; ... or under UNIX:
  84. ;
  85. ;   extension=msql.so
  86. ;
  87. ; ... or with a path:
  88. ;
  89. ;   extension=/path/to/extension/msql.so
  90. ;
  91. ; If you only provide the name of the extension, PHP will look for it in its
  92. ; default extension directory.
  93. ;
  94. ; Windows Extensions
  95. ; Note that ODBC support is built in, so no dll is needed for it.
  96. ; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP 5)
  97. ; extension folders as well as the separate PECL DLL download (PHP 5).
  98. ; Be sure to appropriately set the extension_dir directive.
  99. ;
  100. ;extension=php_bz2.dll
  101. ;extension=php_curl.dll
  102. ;extension=php_dba.dll
  103. ;extension=php_exif.dll
  104. ;extension=php_fileinfo.dll
  105. ;extension=php_gd2.dll
  106. ;extension=php_gettext.dll
  107. ;extension=php_gmp.dll
  108. ;extension=php_intl.dll
  109. ;extension=php_imap.dll
  110. ;extension=php_interbase.dll
  111. ;extension=php_ldap.dll
  112. ;extension=php_mbstring.dll
  113. ;extension=php_ming.dll
  114. ;extension=php_mssql.dll
  115. ;extension=php_mysql.dll
  116. ;extension=php_mysqli.dll
  117. ;extension=php_oci8.dll      ; Use with Oracle 10gR2 Instant Client
  118. ;extension=php_oci8_11g.dll  ; Use with Oracle 11g Instant Client
  119. ;extension=php_openssl.dll
  120. ;extension=php_pdo_firebird.dll
  121. ;extension=php_pdo_mssql.dll
  122. ;extension=php_pdo_mysql.dll
  123. ;extension=php_pdo_oci.dll
  124. ;extension=php_pdo_odbc.dll
  125. ;extension=php_pdo_pgsql.dll
  126. ;extension=php_pdo_sqlite.dll
  127. ;extension=php_pgsql.dll
  128. ;extension=php_phar.dll
  129. ;extension=php_pspell.dll
  130. ;extension=php_shmop.dll
  131. ;extension=php_snmp.dll
  132. ;extension=php_soap.dll
  133. ;extension=php_sockets.dll
  134. ;extension=php_sqlite.dll
  135. ;extension=php_sqlite3.dll
  136. ;extension=php_sybase_ct.dll
  137. ;extension=php_tidy.dll
  138. ;extension=php_xmlrpc.dll
  139. ;extension=php_xsl.dll
  140. ;extension=php_zip.dll
  141.  
  142. extension="zip.so"
  143.  
  144. extension="sqlite.so"
  145.  
  146. extension="radius.so"
  147.  
  148. extension="pgsql.so"
  149.  
  150. ; disabled in XAMPP 1.7.2 because incompatible with PHP 5.3.0
  151. ;extension="dbx.so"
  152.  
  153. extension="ming.so"
  154.  
  155. ;extension="dio.so"
  156.  
  157. ;extension="interbase.so"
  158.  
  159. ; disabled in XAMPP 1.7.2 because incompatible with PHP 5.3.0
  160. ;extension="eaccelerator.so"
  161. ;eaccelerator.shm_size="16"
  162. ;eaccelerator.cache_dir="/opt/lampp/tmp/eaccelerator"
  163. ;eaccelerator.enable="1"
  164. ;eaccelerator.optimizer="1"
  165. ;eaccelerator.check_mtime="1"
  166. ;eaccelerator.debug="0"
  167. ;eaccelerator.filter=""
  168. ;eaccelerator.shm_max="0"
  169. ;eaccelerator.shm_ttl="0"
  170. ;eaccelerator.shm_prune_period="0"
  171. ;eaccelerator.shm_only="0"
  172. ;eaccelerator.compress="1"
  173. ;eaccelerator.compress_level="9"
  174.  
  175. ;oci8mark
  176.  
  177.  
  178. ;;;;;;;;;;;;;;;;;;;
  179. ; Module Settings ;
  180. ;;;;;;;;;;;;;;;;;;;
  181.  
  182. [Date]
  183. ; Defines the default timezone used by the date functions
  184. ; http://php.net/date.timezone
  185. date.timezone = Europe/Berlin
  186.  
  187. ; http://php.net/date.default-latitude
  188. ;date.default_latitude = 31.7667
  189.  
  190. ; http://php.net/date.default-longitude
  191. ;date.default_longitude = 35.2333
  192.  
  193. ; http://php.net/date.sunrise-zenith
  194. ;date.sunrise_zenith = 90.583333
  195.  
  196. ; http://php.net/date.sunset-zenith
  197. ;date.sunset_zenith = 90.583333
  198.  
  199. [filter]
  200. ; http://php.net/filter.default
  201. ;filter.default = unsafe_raw
  202.  
  203. ; http://php.net/filter.default-flags
  204. ;filter.default_flags =
  205.  
  206. [iconv]
  207. ;iconv.input_encoding = ISO-8859-1
  208. ;iconv.internal_encoding = ISO-8859-1
  209. ;iconv.output_encoding = ISO-8859-1
  210.  
  211. [intl]
  212. ;intl.default_locale =
  213.  
  214. [sqlite]
  215. ; http://php.net/sqlite.assoc-case
  216. ;sqlite.assoc_case = 0
  217.  
  218. [sqlite3]
  219. ;sqlite3.extension_dir =
  220.  
  221. [Pcre]
  222. ;PCRE library backtracking limit.
  223. ; http://php.net/pcre.backtrack-limit
  224. ;pcre.backtrack_limit=100000
  225.  
  226. ;PCRE library recursion limit.
  227. ;Please note that if you set this value to a high number you may consume all
  228. ;the available process stack and eventually crash PHP (due to reaching the
  229. ;stack size limit imposed by the Operating System).
  230. ; http://php.net/pcre.recursion-limit
  231. ;pcre.recursion_limit=100000
  232.  
  233. [Pdo]
  234. ; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off"
  235. ; http://php.net/pdo-odbc.connection-pooling
  236. ;pdo_odbc.connection_pooling=strict
  237.  
  238. ;pdo_odbc.db2_instance_name
  239.  
  240. [Pdo_mysql]
  241. ; If mysqlnd is used: Number of cache slots for the internal result set cache
  242. ; http://php.net/pdo_mysql.cache_size
  243. pdo_mysql.cache_size = 2000
  244.  
  245. ; Default socket name for local MySQL connects.  If empty, uses the built-in
  246. ; MySQL defaults.
  247. ; http://php.net/pdo_mysql.default-socket
  248. pdo_mysql.default_socket=
  249.  
  250. [Phar]
  251. ; http://php.net/phar.readonly
  252. ;phar.readonly = On
  253.  
  254. ; http://php.net/phar.require-hash
  255. ;phar.require_hash = On
  256.  
  257. ;phar.cache_list =
  258.  
  259. [Syslog]
  260. ; Whether or not to define the various syslog variables (e.g. $LOG_PID,
  261. ; $LOG_CRON, etc.).  Turning it off is a good idea performance-wise.  In
  262. ; runtime, you can define these variables by calling define_syslog_variables().
  263. ; http://php.net/define-syslog-variables
  264. define_syslog_variables  = Off
  265.  
  266. [mail function]
  267. ; For Win32 only.
  268. ; http://php.net/smtp
  269. SMTP = localhost
  270. ; http://php.net/smtp-port
  271. smtp_port = 25
  272.  
  273. ; For Win32 only.
  274. ; http://php.net/sendmail-from
  275. ;sendmail_from = me@example.com
  276.  
  277. ; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
  278. ; http://php.net/sendmail-path
  279. ;sendmail_path =
  280.  
  281. ; Force the addition of the specified parameters to be passed as extra parameters
  282. ; to the sendmail binary. These parameters will always replace the value of
  283. ; the 5th parameter to mail(), even in safe mode.
  284. ;mail.force_extra_parameters =
  285.  
  286. ; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
  287. mail.add_x_header = On
  288.  
  289. ; Log all mail() calls including the full path of the script, line #, to address and headers
  290. ;mail.log =
  291.  
  292.  
  293.  
  294.  
  295.  
  296.  
  297.  
  298.  
  299.  
  300.  
  301. /////////////
  302.  
  303.  
  304.  
  305.  
  306. End of php.ini file. The answer to the challenge is supposed to be in it...
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top