SC 204: Local File Inclusion (35 pts)

What You Need

Making an HTML Form

On your cloud Linux server, execute this command: 
sudo nano /var/www/html/SC204.htm
Paste in this code, as shown below. 
<html>
<body>
<form action="SC204.php">
    Page (buy, sell, help): <input name="page"><p>
    <input type="submit" value="View">
</form>
</body>
</html>
Save the file with Ctrl+X, Y, Enter.

Making a PHP Script

On your cloud Linux server, execute this command: 
sudo nano /var/www/html/SC204.php
Paste in this code, as shown below. 
<?php

$noname = 0;
if (!isset($_REQUEST['page'])) {
	$noname = 1;
} else {
	$page = $_REQUEST['page'];
	if (strlen($page) < 1) {
		$noname = 1;
	}
}
	
if ($noname == 1) {
	die("<h2>Error: Must specify page!!</h2>");
}
include($page);

?>

Save the file with Ctrl+X, Y, Enter.

Loading Pages

On your cloud Linux server, execute these commands, as shown below. 
echo "BUY LOW" | sudo tee /var/www/html/buy
echo "SELL HIGH" | sudo tee /var/www/html/sell
echo "NEVER ASK" | sudo tee /var/www/html/help

Testing your Form

In a Web browser, open this URL, replacing the IP address with the external IP of your server:
http://35.222.29.122/SC204.htm
Enter a Page of buy into the form, as shown below, and click the View button.

The next page shows the BUY message, as shown below.

In a Web browser, open this page:
https://samlols.samsclass.info/SC/SC204.htm
Enter the URL to your PHP page in the form for flag SC 204.1, as shown below, and click the Submit button.

Flag SC 204.1: Database Functionality (5 pts)

The flag appears, as shown below.

Observing the File Inclusion Vulnerability

In a Web browser, open this URL, replacing the IP address with the external IP of your server:
http://35.222.29.122/SC204.htm
Enter this page into the form:
../../../etc/passwd
as shown below, and click the View button.

The next page shows the passwd file, as shown below.

This demonstrates a file inclusion vulnerability--the user's input can reference files that were not intended to be displayed.

Fix 1: Removing Characters

Modify your script to remove this three-character sequence from the page:
../
I recommend using the str_replace function. Test your script on your own HTML form.

When it's working, run the test in the box below to get the flag.

Flag SC 204.2: Removing Bad Characters (10 pts)

In a Web browser, open this page:

https://samlols.samsclass.info/SC/SC204.htm
Enter the URL to your PHP page in the form for flag SC 204.2 and submit the form. If your code is correct, the flag will appear.

Observing the Remaining File Inclusion Vulnerability

In a Web browser, open this URL, replacing the IP address with the external IP of your server:
http://35.222.29.122/SC204.htm
Enter this page into the form:
/etc/passwd
The next page shows the passwd file, because removing "../" doesn't stop this attack.

Fix 2: Real Path

Modify your script to use the realpath function and reject all input that is not in the /var/www/html directory.

When it's working, run the test in the box below to get the flag.

Flag SC 204.3: Real Path (20 pts)

In a Web browser, open this page:

https://samlols.samsclass.info/SC/SC204.htm
Enter the URL to your PHP page in the form for flag SC 204.3 and submit the form. If your code is correct, the flag will appear.

Posted 3-29-24