DEV Community

Discussion on: Hacker101 CTF - Cody's First Blog

DaNeil C
  1. I am not sure what script you are trying to add to the comments so I can’t say for sure why it’s not working.

    • I can say that PHP is a server side language so it gets run on the server and we see the results, not the PHP code. That’s why “include()” is in plain text in the source code on the main page when you look at it in your browser or in a proxy like Zap or Burp.
  2. The payload doesn’t get executed in the URL because this CTF flag is about using the server to run the PHP in the submitted comments and echo back the results (the source code of the page we want, which has the flag), and about using include() to render the page via the file inclusion bug that uses the URL parameters.

    • So when you first try to go to the page “?page=index.php” there are warnings presented as Warning: include(index.php.php) and Fatal error: Allowed memory size of 134217728 bytes exhausted. This means that when a URL is submitted, there is some other script on the server that is filtering the URL and adding a .php to it. Thus using any version of ?page=something_here in the URL won’t work because the include() in the “index.php” page is, as dtnguyen22 said, either creating an infinite loop trying to include the index file that is trying to include itself, or the page just doesn’t exist.
  3. Passing a URL to index on localhost doesn’t prevent looping, but it is important for the PHP File Inclusion Bug.

    • Though the URL won’t work as an initial attack point, when you submit a comment of something like <?php echo readfile("index.php")?> and approve it on the ?page=admin.inc page, the main home/index page now has that as part of its source code. And you can now take advantage of the File Inclusion Bug and go to ?page=http://localhost/index and this is where you can view the source code and view the php of the index page that has the flag.

This works because of the file path that the server is trying to access. Similar to accessing a local file in your browser or in the file directory, the server wants to include the page it is told to, but when it makes a request to http://localhost/index the server processes this as its own index page (because of the bug), adds the .php, and renders the requested page’s source in the page source code through the PHP echo readfile() command.
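To make the bug in the comment above concrete from the fixing side, here is an added example (not the CTF’s own source, whose exact code is not shown on this page): the assumed shape of the vulnerable include, which appends .php to a URL parameter, next to a hardened version that maps page names to files and never builds a path from user input. The page names and file paths are assumptions for illustration.

```php
<?php
// Added example. Assumed shape of the bug the comment describes: a page name
// taken from the URL is concatenated with ".php" and handed to include(), so
// "?page=index" includes index.php a second time (the loop / memory exhaustion
// seen above), and with allow_url_include enabled a "http://localhost/..."
// value makes the server fetch and execute its own output as PHP.

// --- Vulnerable pattern (assumed, for illustration only) ---
function render_page_vulnerable(string $page): void
{
    include $page . '.php';   // user controls everything before ".php"
}

// --- Hardened pattern: allowlist of page names, fixed file paths ---
function resolve_page(?string $page): ?string
{
    // Assumed page names and paths; the map is the only source of file names.
    $allowed = [
        'home'  => __DIR__ . '/pages/home.php',
        'about' => __DIR__ . '/pages/about.php',
    ];
    if ($page === null) {
        return $allowed['home'];
    }
    // Anything not in the map (index, admin.inc, http://..., ../...) is rejected.
    return $allowed[$page] ?? null;
}

function render_page_hardened(?string $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $file;
}

// Stored comments must stay data: escape on output and never write them into
// a file that is later include()d, so a "<?php ... ?>" comment is shown, not run.
function render_comment(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</p>';
}

render_page_hardened($_GET['page'] ?? null);
```

Setting allow_url_include=Off in php.ini (it is off by default in current PHP releases) removes the http://localhost/... path entirely, independent of the allowlist.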