KiwiForum 1

Web - 120 Points

A full fledged Kiwi software! And a forum at that. It’s also open source. [source link] The admins on this forum are so proud of their product, they have put their flag keys on their avatar photos!


We have the source code of a simple PHP forum.
When we visit the forum, the users' avatars don't load, and the admin's avatar can't load because it is huge (a 7200*7800 BMP image!).
Reading the source, we can see that the admin avatar is randomly generated and then scaled up 200 times.
Loading the admin avatar is then throttled for normal users (the admin is exempt).
This avatar is stored in the db/ folder as 00001.bmp.

We need to see the admin’s avatar!

No SQLi, no XSS. But my attention was focused on the loader.php file.

<?php #loader.php (excerpt: the braces and the lines that build $file were lost in extraction;
#                  everything marked "assumed" is a reconstruction, not the original lines)
function do404() {
  header("HTTP/1.1 404 Not Found");
  echo "<h1>404 Not Found</h1>";
  echo "<p>The requested URL ".htmlspecialchars($_SERVER['REQUEST_URI'])." not found.";
  exit;
}
$parts = explode("/", $_GET['__r'] ?? "");    // assumed: the route comes straight from __r
if ($parts[count($parts)-1]=="")
  $file = "";                                  // assumed: empty or trailing-slash route -> 404 below
else
  $file = __DIR__."/".implode("/", $parts);    // no check that ".." stays inside __DIR__

if ($file and is_file($file)) {
  // a plain file on disk: hand it to the download manager
  if (!$file) do404();
  require_once __DIR__."/lib/download.php";
  $x=new \jf\DownloadManager();
  // ... (the call that feeds $file to $x is omitted from the excerpt)
} else {
  // anything else is treated as a PHP route and executed
  if (!$file) do404();
  require_once __DIR__."/load.php";
  require $file;
}

NICE! We can use the __r parameter for a path traversal attack: its value is glued onto the loader's directory with no check that ".." stays inside it, and is_file() is happy with any readable file.
Now we can download the admin avatar with loader.php?__r=../db/00001.bmp
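To make the bug concrete, here is an added example (my own code, not the challenge's, and in Python rather than the forum's PHP) that mirrors the loader's lookup and puts the containment check it is missing next to it. The directory layout is an assumption the page does not spell out: loader.php sits in a web root that holds app/ and load.php, and db/ is a sibling of that web root, which is why ../db/00001.bmp steps out of it. The tree is constructed in a temporary directory so the script runs offline.

```python
"""Added example: naive route resolution (what loader.php does) versus a
realpath/commonpath containment check, run against a constructed tree
that mimics the assumed KiwiForum layout (www/app/avatar.php, db/00001.bmp)."""
import os
import shutil
import tempfile
from typing import Optional


def naive_resolve(webroot: str, route: str) -> str:
    """Like the loader: join __r onto the base directory and let the
    filesystem interpret '..' (and absolute paths) for you."""
    return os.path.normpath(os.path.join(webroot, route))


def safe_resolve(webroot: str, route: str) -> Optional[str]:
    """Return the file the route points at only if its canonical path is
    inside webroot; otherwise None. Absolute routes and NUL bytes (which
    older PHP builds truncated paths on) are refused up front."""
    if "\x00" in route or os.path.isabs(route):
        return None
    base = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(base, route))  # follows symlinks too
    try:
        # commonpath avoids the prefix trick: /var/www-evil is not under /var/www
        inside = os.path.commonpath([base, target]) == base
    except ValueError:  # different drives on Windows
        inside = False
    if not inside or not os.path.isfile(target):
        return None
    return target


def escapes(webroot: str, path: str) -> bool:
    """True if path's canonical form lies outside webroot."""
    base = os.path.realpath(webroot)
    try:
        return os.path.commonpath([base, os.path.realpath(path)]) != base
    except ValueError:
        return True


def build_tree() -> str:
    """Constructed layout for the demo; the real challenge tree may differ."""
    root = tempfile.mkdtemp(prefix="kiwiforum-")
    os.makedirs(os.path.join(root, "www", "app"))
    os.makedirs(os.path.join(root, "db"))
    with open(os.path.join(root, "www", "app", "avatar.php"), "w") as f:
        f.write("<?php // generates the current user's avatar\n")
    with open(os.path.join(root, "db", "00001.bmp"), "wb") as f:
        f.write(b"BM" + b"\x00" * 12)  # placeholder bytes, not a real avatar
    return root


def demo() -> dict:
    """Resolve the page's two routes plus an absolute one both ways."""
    root = build_tree()
    webroot = os.path.join(root, "www")
    try:
        results = {}
        for route in ("app/avatar.php", "../db/00001.bmp", "/etc/passwd"):
            naive = naive_resolve(webroot, route)
            results[route] = {
                "naive_escapes": escapes(webroot, naive),
                "naive_exists": os.path.isfile(naive),
                "safe_allows": safe_resolve(webroot, route) is not None,
            }
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for route, r in demo().items():
        print(f"{route:18} naive: escapes={r['naive_escapes']!s:5} "
              f"exists={r['naive_exists']!s:5}  hardened: allowed={r['safe_allows']}")
```

app/avatar.php resolves and is allowed either way; ../db/00001.bmp exists and escapes the web root under the naive join, and the hardened check rejects it. Because both sides are canonicalised with realpath, a symlink planted inside the web root that points at db/ is rejected as well, which a plain string-prefix check on the unresolved path would miss.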

Off topic: loading loader.php?__r=app/avatar.php will create our user's avatar, since the non-download branch simply require()s whatever script __r points at ;)


Flag: 8e1be4281a54da04