Once we saw that it solved the math, we wondered how it did this. The easiest way for the server to do it would be to just call eval() on whatever is between the HTML tags. So we added something after the math in the spam protection field.
1+1+1;echo 'bob';

When we entered the URL of our hosted page, the Spambot executed our code and printed the result of 1+1+1 to the screen as well as the word bob. At this point, we knew that we had arbitrary PHP code execution on the server, so we started doing directory listings and eventually found an interesting file in the root directory. If you put the following line into the spam protection input field of your page and tell the Spambot to load the program, you win!
Spam protection: 1+1+1;$handle = opendir('/');while (false !== ($entry = readdir($handle))) {echo "$entry";echo shell_exec('cat /6f170bcecda1ca8d3a5435591202988881b34bad');}

-- suntzu_II
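The write-up guesses that the Spambot solved the math by passing the field to eval(). As an added example (not code from the challenge or from the original post), here is one way to solve such a sum in PHP without eval(), so that anything beyond plain arithmetic is rejected instead of executed. The function name solve_captcha_math and the limits on operand size and count are assumptions.

```php
<?php
// Added example: evaluate a spam-protection sum without eval().
// Accepts only non-negative integers joined by + - *; anything else is rejected.
function solve_captcha_math(string $expr): ?int
{
    // Strict allow-list grammar: up to 6 operands of 1-3 digits (assumed limits,
    // small enough that the product cannot overflow a 64-bit integer).
    // \A and \z anchor the whole string, so a trailing ";echo ..." cannot slip through.
    if (!preg_match('/\A\s*\d{1,3}(?:\s*[-+*]\s*\d{1,3}){0,5}\s*\z/', $expr)) {
        return null;
    }
    preg_match_all('/\d+|[-+*]/', $expr, $m);
    $tokens = $m[0];

    // First pass: fold multiplications so * binds tighter than + and -.
    $folded = [(int) $tokens[0]];
    for ($i = 1; $i < count($tokens); $i += 2) {
        $op  = $tokens[$i];
        $rhs = (int) $tokens[$i + 1];
        if ($op === '*') {
            $folded[count($folded) - 1] *= $rhs;
        } else {
            $folded[] = $op;
            $folded[] = $rhs;
        }
    }

    // Second pass: left-to-right addition and subtraction.
    $total = $folded[0];
    for ($i = 1; $i < count($folded); $i += 2) {
        $total = $folded[$i] === '+' ? $total + $folded[$i + 1] : $total - $folded[$i + 1];
    }
    return $total;
}

// Constructed inputs; the second is the probe string from the write-up.
foreach (['1+1+1', "1+1+1;echo 'bob';", '2 + 3 * 4', '7 - 2 * 3'] as $input) {
    $result = solve_captcha_math($input);
    echo str_pad($input, 22), ' => ', $result === null ? 'rejected' : $result, PHP_EOL;
}
```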