In this challenge we're presented with a webpage that gives some info. Here's the hint from the main site ``` Spam! The goal is just to send an email to any unexpected recipient, not to become admin. You'll get the flag if a correct attack payload is detected, no bot will visit the page and you'll not get emails if your attack works. ``` The source of the site gives us the actual source code ```php `<?php             $host = 'mobile-downloads.hax.w3challs.com'; $subject = ''; $message = ''; $from = '';             if (isset($_SERVER['HTTP_HOST'])) $host = htmlentities($_SERVER['HTTP_HOST'], ENT_QUOTES, 'UTF-8'); $to = 'admin@'.$host;             if (isset($_POST) &&                 !empty($_POST['mail_from']) &&                 !empty($_POST['mail_subject']) &&                 !empty($_POST['mail_content']) && is_string($_POST['mail_from']) && is_string($_POST['mail_subject']) && is_string($_POST['mail_content']))             { $subject = $_POST['mail_subject']; $message = $_POST['mail_content']; $from = $_POST['mail_from']; define('message_prefix', 'Mail sent from %s:'."\n".str_repeat('-', 64)."\n"); $msg = sprintf(message_prefix, $host) . $message; $headers = 'From: '.$from."\r\n". 'Reply-To: '.$from."\r\n". 'X-Mailer: PHP/'.phpversion();                 if (mail($to, $subject, $msg, $headers) === TRUE)                 { printf('<div class="success">The message was sent</div><br />'); $subject = ''; $message = ''; $from = '';                 }                 else printf('<div class="error">The message cannot be sent</div><br />');             } $subject = htmlentities($subject, ENT_QUOTES, 'UTF-8'); $message = htmlentities($message, ENT_QUOTES, 'UTF-8'); $from = htmlentities($from, ENT_QUOTES, 'UTF-8'); ?>` ``` There are three areas we want to focus in on: ```php $from = $_POST['mail_from']; $headers = 'From: '.$from."\r\n". 'Reply-To: '.$from."\r\n". 'X-Mailer: PHP/'.phpversion(); if (mail($to, $subject, $msg, $headers) === TRUE) ``` We can see that we control the `$from` variable and it's not being sanitized before being passed to the `$headers` variable and then passed to the vulnerable mail function. By injecting a `%0ATo:admin@mo...` at the end of the `mail_from` parameter, we get the flag. Payload: ``` mail_from=memes%40memes.memes%0ATo:[email protected]&mail_subject=Viagra&mail_content=Viagra` ``` --- Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]] Tags: #ctf #web #php #injection Related: