Description
Flag is hidden somewhere in the directory.
Difficulty: Hard
Challenge Link: https://cybertalents.com/challenges/web/string-highlighter
Solution
Exploring
From the name of the challenge, we can assume it may contain a command injection. Once you open it, you will find the following web page, which highlights any string you give to it:
So, it may not be sanitized well. I tried XSS and it worked: I triggered an alert.
But XSS is not useful here. We need to look for a server-side vulnerability. I noticed that the website is using PHP, so I entered some PHP code, but it filtered some PHP functions and gave me this message:
I tried different forms of PHP commands and functions, but it didn’t work. I decided to open Burp and noticed an added parameter, red, which identifies the color of the highlighted text.
I removed it and entered a simple PHP echo, and it worked!
Exploitation
But the problem still exists: I can’t execute functions like:
shell_exec();
system();
escapeshellarg();
escapeshellcmd();
exec();
passthru();
I searched for more on how to bypass disabled functions in PHP, and I found this awesome resource, which was exactly what I needed.
It seems that you can execute shell commands in PHP without functions, just by using backticks ``. Let’s try it.
Voila! It worked, and here is the flag.
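Why a filter on function names misses the backtick operator, and a highlighter that never treats input as code, as an added example that is not the challenge's source. The function names `denylist_rejects` and `highlight`, the allowed colour list and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not the challenge's code. Names, the colour list and
// the sample inputs are assumptions.

// The six function names the write-up lists as blocked.
const BLOCKED = ['shell_exec', 'system', 'escapeshellarg',
                 'escapeshellcmd', 'exec', 'passthru'];

// Hypothetical denylist check of the kind the challenge appears to use:
// it only looks for known function names in the input.
function denylist_rejects(string $input): bool
{
    foreach (BLOCKED as $name) {
        if (stripos($input, $name) !== false) {
            return true;
        }
    }
    return false;
}

// Allowlist for the colour parameter; anything else gets a default.
const COLORS = ['red', 'yellow', 'green'];

// Hardened highlighter: the colour must be a known value and the text is
// HTML-encoded, so neither parameter can become markup or PHP code.
function highlight(string $text, string $color): string
{
    $safeColor = in_array($color, COLORS, true) ? $color : 'yellow';
    $safeText  = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<span style=\"background-color: {$safeColor}\">{$safeText}</span>";
}

// Constructed inputs.
$samples = [
    'system("id")',              // contains a listed name
    '`id`',                      // backtick operator, no listed name appears
    '<script>alert(1)</script>', // the XSS case from the exploring step
];

foreach ($samples as $s) {
    printf("%-28s denylist rejects: %s\n", $s, denylist_rejects($s) ? 'yes' : 'no');
    // The same value is passed as text and as colour to exercise both checks.
    echo '  ', highlight($s, $s), "\n";
}
```

Only the first sample is rejected by the denylist, while the hardened path renders all three as inert text with the default colour.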