Username: 
Password: 
Restrict session to IP 
Questions  |  score: 2  |  Solved By 1792 People  |  110871 views  |  since Dec 07, 2010 - 23:57:59

Training: Register Globals (Exploit, PHP, Training)

PHP - Register Globals
This challenge is a relict of old PHP times, where register globals has been enabled by default, which often lead to security issues.
Again, your job is to login as admin, and you are given the sourcecode as well as highlighted version.

Here is the link to the vulnerable script.
I have also setup a test account: test:test

Enjoy!
GeSHi`ed PHP code for globals.php
1
2
3
4
56
7
8
9
1011
12
13
14
1516
17
18
19
2021
22
23
24
2526
27
28
29
3031
32
33
34
3536
37
38
39
4041
42
43
44
4546
47
48
49
5051
52
53
54
5556
57
58
59
6061
62
63
64
65
<?php
chdir('../../../../');
define('GWF_PAGE_TITLE', 'Training: Register Globals');
require_once('challenge/html_head.php');
if (false === ($chall = WC_Challenge::getByTitle(GWF_PAGE_TITLE))) {        $chall = WC_Challenge::dummyChallenge(GWF_PAGE_TITLE, 2, 'challenge/training/php/globals/index.php');
}
$chall->showHeader();
 
GWF_Debug::setDieOnError(false);GWF_Debug::setMailOnError(false);
 
# EMULATE REGISTER GLOBALS = ON
foreach ($_GET as $k => $v) { $$k = $v; }
  
# Send request?
if (isset($_POST['password']) && isset($_POST['username']) && is_string($_POST['password']) && is_string($_POST['username']) )
{
        $uname = GDO::escape($_POST['username']);        $pass = md5($_POST['password']);
        $query = "SELECT level FROM ".GWF_TABLE_PREFIX."wc_chall_reg_glob WHERE username='$uname' AND password='$pass'";
        $db = gdo_db();
        if (false === ($row = $db->queryFirst($query))) {
                echo GWF_HTML::error('Register Globals', $chall->lang('err_failed'));        } else {
                # Login success
                $login = array($_POST['username'], (int)$row['level']);
        }
} 
if (isset($login))
{
        echo GWF_HTML::message('Register Globals', $chall->lang('msg_welcome_back', array(htmlspecialchars($login[0]), htmlspecialchars($login[1]))));
        if (strtolower($login[0]) === 'admin') {                $chall->onChallengeSolved(GWF_Session::getUserID());
        }
}
else 
{?>
<form action="globals.php" method="post">
<table>
<tr>
        <td><?php echo $chall->lang('th_username'); ?>:</td>        <td><input type="text" name="username" value="" /></td>
</tr>
<tr>
        <td><?php echo $chall->lang('th_password'); ?>:</td>
        <td><input type="password" name="password" value="" /></td></tr>
<tr>
        <td></td>
        <td><input type="submit" name="send" value="<?php echo $chall->lang('btn_send'); ?>" /></td>
</tr></table>
</form>
<?php
}
 # EMULATE REGISTER GLOBALS = OFF
foreach ($_GET as $k => $v) { unset($$k); }
 
require_once 'challenge/html_foot.php';
?>
© 2010, 2011, 2012, 2013, 2014, 2015, 2016 and 2017 by Gizmore