SSI stands for server side includes. These are dynamic HTML commands executed by the server and not the browser. As the intro of the mission already pointed us to SSI this mission would be simple now.
The password is yet again hidden in an unknown file. Sam’s daughter has begun learning PHP, and has a small script to demonstrate her knowledge. Requirements: Knowledge of SSI (dynamic html executed by the server, rather than the browser).
Furthermore when we open the mission we see a story, somewhat like level7, the password being hidden in a file and we being provided with the file directory. All we are left to do is find the file name.
Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program. Sam has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/
Yet again, there is another story, Sam’s daughter who has just learnt to program in php and developed a script to show her ability. Let’s have a look at what her script does.
However, Sam’s young daughter Stephanie has just learned to program in PHP. She’s talented for her age, but she knows nothing about security. She recently learned about saving files, and she wrote an script to demonstrate her ability.
Script’s description says, ‘Enter your name:’, let me enter mine ‘Abhi’. What it does is it counts the number of letters in the word. The question is how do we get the file name?
Well, we are already provided with the hint that we need to use SSI commands, same like level 7 we have to find a command for directory listing but this time for SSI instead of Unix.
But wait, that alone does not work. Right? Its because when we execute our command we are in a directory ahead i.e ../8/tmp/ (How do you know that? Check the URL of the new file) whereas our password file resides in ../8/. So we will have to use the directory listing command with ../ to make it jump one directory back. So just go ahead do some googling, and you will have the commands.
Spoiler: The directory listing command for SSI is same as UNIX i.e. ‘ls’.
Answer: This is the command that will give out the file name is <!-- #exec cmd="ls ../" --> (double hyphen on either side).
What did we learn?
SSI gives a lot many ways to hack into systems. So if you ever make any script make sure only the commands that you want to run will run. As well with that, directory snooping can also be done while executing commands.
Good luck!!!
- PHP syntactic sugar code example - September 5, 2021
- Python convert random string date format to Datetime - July 12, 2021
- Laravel Custom Exception Handlers - March 28, 2019
Just an FYI for anyone who comes here, you need to replace they hyphen with a dash. In this post, it automatically changed it to one line, so it looks like but you need’
Those are actually two hyphens (aka minus) on either side. Thanks for pointing out.