KiwiForum 1

Web - 120 Points

A full fledged Kiwi software! And a forum at that. It’s also open source. [source link] The admins on this forum are so proud of their product, they have put their flag keys on their avatar photos!

Writeup

We have the source code of a simple php forum.
When we visit the forum, the user’s avatar don’t load and the admin avatar can’t load because is very big (7200*7800 BMP image!).
Reading the source we can see that the admin avatar is Random-generated and then scaled 200 times.
The admin avatar loading is then slowed down for normal user (except for admin)
This avatar is available in db/ folder, with name 00001.bmp

We need to see the admin’s avatar!

No SQLi, no XSS. But my attention was focused on the loader.php file.

<?php #loader.php
function do404()
{
  header("404 Not Found");
  echo "<h1>404 Not Found</h1>";
  echo "<p>The requested URL ".htmlspecialchars($_SERVER['REQUEST_URI'])." not found.";
  exit(0);
}
$request=$_GET['__r'];
unset($_GET['__r']);
$parts=explode("/",$request);
if ($parts[count($parts)-1]=="")
$parts[count($parts)]="index";

$file=realpath(__DIR__."/static/".implode("/",$parts));
if ($file and is_file($file))
{
  if (!$file) do404();
  require_once __DIR__."/lib/download.php";
  $x=new \jf\DownloadManager();
  $x->Feed($file);
}
else
{
  $file=realpath(__DIR__."/app/".implode("/",$parts).".php");
  if (!$file) do404();
  require_once __DIR__."/load.php";
  require $file;
}

NICE! We can use the __r parameter for a Path Traversal Attack.
Now we can dowload the admin avatar with loader.php?__r=../db/00001.bmp

OT: Loading loader.php?__r=app/avatar.php will create our user’s avatar ;)

Kiwiforum

Flag: 8e1be4281a54da04