Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CVE-2021-45467: CWP CentOS Web Panel – preauth RCE - 754

Octagon, posted 4 years ago
  • CentOS Web Panel (CWP) is popular web hosting management software. It is used on over 200K servers, which makes it an attractive target for attackers. The authors of this post deliberately limited their review to unauthenticated endpoints.
  • Among the unauthenticated pages, index.php stood out because of its file inclusion protection: if the script parameter contains "..", the application refuses to process it. The check is a call to stristr() for the literal text "..". stristr() looks for a substring within a string, ignoring case.
  • The authors had a few ideas to try. The first was to look for Unicode characters that turn into a period (".") under normalization, so that the check would see something other than ".." while the path ended up containing it. This was a dead end.
  • The second idea was to abuse the case conversion that the case-insensitive comparison performs: they fuzzed the parameter with unusual Unicode characters to see whether any of them became a period when lowercased. A nice idea, but nothing panned out.
  • Since the check looks for the LITERAL text "..", the real question is whether a traversal can be built without that exact byte sequence. The authors found that, on the install they tested, PHP's require and include drop null bytes from the path when locating the script. A parameter containing ".%00." therefore passes the validation (the two periods are separated by a null byte), but once the null byte is stripped at include time the path resolves to "..", giving directory traversal. This is a behaviour worth confirming on the target's PHP build before relying on it, since stock PHP rejects include paths that contain null bytes.
  • With the include pointed at arbitrary PHP files, the authors could reach scripts outside the intended directory, and because the included script runs in the context of the original request, query parameters pass straight through to it. To exploit the bug, they used the inclusion to invoke a PHP script that creates an API key. To finish it off, they found an authenticated file write that let them add PHP to a file, then included that file through the same vulnerability, resulting in code execution.
  • The gap between what is validated and what is actually used is a recurring source of bugs; with a denylist, a single encoding the check did not anticipate is enough to bypass it entirely, which makes such bypasses even more impactful. Good bug discovery and attack surface analysis.
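The validation-versus-usage gap in the bullets above, as an added example (this is a simulation written for this page, not Octagon's code and not CWP's). The vulnerable side reproduces the behaviour the post describes: a stristr()-style denylist on the raw parameter, followed by path resolution that drops null bytes. The hardened side validates the resolved path instead of the raw string, and a small detection rule runs over constructed access-log lines. The base directory, the parameter name `script`, the log lines and the null-byte-stripping resolution are all assumptions modelled on the summary, not taken from a real PHP interpreter.

```python
"""Simulation of a stristr('..') denylist bypassed by a null byte (added example)."""
import posixpath
from urllib.parse import unquote, urlsplit

BASE = "/var/www/app/modules"  # hypothetical include directory, not CWP's real layout


def denylist_ok(script: str) -> bool:
    """Mimics stristr($script, '..'): only the literal substring '..' is rejected."""
    return ".." not in script.lower()


def include_path(script: str) -> str:
    """Models the resolution the post describes: NUL bytes vanish before the filename
    is built, so '.\\x00.' becomes '..' only after the denylist has already passed."""
    cleaned = script.replace("\x00", "")
    return posixpath.normpath(posixpath.join(BASE, cleaned + ".php"))


def vulnerable_load(script: str):
    """Path that would be included, or None if the denylist blocked the request."""
    if not denylist_ok(script):
        return None
    return include_path(script)


def hardened_load(script: str):
    """Validate the outcome, not the input: reject NUL outright, then require the
    normalised target to stay under BASE (an allowlist on the resolved path)."""
    if "\x00" in script:
        return None
    target = posixpath.normpath(posixpath.join(BASE, script + ".php"))
    if posixpath.commonpath([BASE, target]) != BASE:
        return None
    return target


def script_param(request_line: str) -> str:
    """Extract and percent-decode the raw 'script' query value from a request line;
    decoding is where '%00' turns into a real NUL byte."""
    url = request_line.split()[1]  # "GET /index.php?... HTTP/1.1" -> URL part
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "script":
            return unquote(value)
    return ""


def is_traversal_attempt(request_line: str) -> bool:
    """Detection rule: flag a request if the decoded parameter carries a NUL byte
    or if the path it would resolve to escapes BASE."""
    value = script_param(request_line)
    return "\x00" in value or hardened_load(value) is None


# Constructed access-log lines for the demo (not real traffic).
SAMPLE_LOG = [
    "GET /index.php?script=index HTTP/1.1",
    "GET /index.php?script=..%2Fadmin%2Findex HTTP/1.1",
    "GET /index.php?script=.%00.%2Fadmin%2Findex HTTP/1.1",
]


def flagged_lines():
    """Return the sample log lines the detection rule would alert on."""
    return [line for line in SAMPLE_LOG if is_traversal_attempt(line)]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        value = script_param(line)
        print(f"{line!r}")
        print(f"  denylist passes : {denylist_ok(value)}")
        print(f"  vulnerable path : {vulnerable_load(value)}")
        print(f"  hardened path   : {hardened_load(value)}")
        print(f"  flagged         : {is_traversal_attempt(line)}")
```

The plain `../admin/index` request is stopped by the denylist, but `.%00./admin/index` passes it and, after the NUL is dropped, resolves to the same file outside BASE. The hardened loader never gets that far because it checks the resolved path rather than hunting for a forbidden substring.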