Web - 120 Points
A full fledged Kiwi software! And a forum at that. It’s also open source. [source link] The admins on this forum are so proud of their product, they have put their flag keys on their avatar photos!
We have the source code of a simple PHP forum.
When we visit the forum, the users' avatars don't load, and the admin avatar can't load because it is huge (a 7200*7800 BMP image!).
Reading the source we can see that the admin avatar is randomly generated and then scaled up 200 times.
Loading the admin avatar is therefore slowed down for normal users (but not for the admin).
This avatar is stored in the db/ folder under the name 00001.bmp.
We need to see the admin’s avatar!
No SQLi, no XSS. But my attention was focused on the loader.php file.
NICE! We can use the __r parameter for a Path Traversal Attack.
Now we can download the admin avatar with
loader.php?__r=app/avatar.php will create our user’s avatar ;)
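For contrast, here is how a loader like this one should validate `__r` before including it. This is an added example, not the challenge's own loader.php: it assumes the loadable pages live under an `app/` directory, takes the page name relative to that directory, and refuses anything that escapes it.

```php
<?php
// Added example (not the challenge's loader.php): resolve a user-supplied
// page name against a fixed base directory and reject anything that escapes it.
declare(strict_types=1);

/**
 * Return the canonical absolute path of $rel inside $base, or null when the
 * request is malformed, does not exist, or resolves outside $base.
 */
function safe_resolve(string $base, string $rel): ?string
{
    // Empty names, embedded null bytes and absolute paths are never legitimate.
    if ($rel === '' || str_contains($rel, "\0") || $rel[0] === '/') {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // realpath() follows symlinks and collapses "." and "..", so the prefix
    // check below is made against the file that would actually be opened.
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $rel);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare with a trailing separator so that "appx/" cannot pass as "app/".
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sandbox (assumed layout: app/ for pages, db/ for avatars) so the
// script runs offline; file names here are made up for the demo.
$root = sys_get_temp_dir() . '/loader_demo_' . bin2hex(random_bytes(4));
mkdir("$root/app", 0700, true);
mkdir("$root/db", 0700, true);
file_put_contents("$root/app/avatar.php", "<?php // avatar page\n");
file_put_contents("$root/db/admin.bmp", "BM");

var_dump(safe_resolve("$root/app", 'avatar.php') !== null); // bool(true): allowed
var_dump(safe_resolve("$root/app", '../db/admin.bmp'));     // NULL: traversal blocked
var_dump(safe_resolve("$root/app", '/etc/hostname'));        // NULL: absolute path blocked
```

The accepted path is then the only value passed to `include`; the raw `__r` string is never used directly.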