The answer was ENT_QUOTES, since it wasn't specified in the htmlentities() call. Without this flag the function won't escape single quotes ('), which leads to an XSS under some circumstances.
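To make the flag difference concrete, here is an added example (not code from the challenge or the write-up) that runs the same value through htmlentities() with the pre-8.1 default flags and with ENT_QUOTES, and checks whether a raw single quote survives into a single-quoted attribute. The attribute template and the sample value are constructed for the demonstration.

```php
<?php
// Added example: why ENT_QUOTES matters when htmlentities() output is placed
// inside a single-quoted HTML attribute. Not code from the challenge.

function encode_default(string $s): string
{
    // Default flags before PHP 8.1 were ENT_COMPAT | ENT_HTML401:
    // double quotes are converted, single quotes are left as-is.
    return htmlentities($s, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

function encode_safe(string $s): string
{
    // ENT_QUOTES converts both ' and ". ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string (which would silently drop the value).
    // This combination is also the default as of PHP 8.1.
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Check used by the demo: does the encoded value still contain a raw quote
// of the kind that delimits the attribute it is about to be placed in?
function breaks_single_quoted_attr(string $encoded): bool
{
    return strpos($encoded, "'") !== false;
}

// Constructed sample value containing a single quote.
$value = "O'Reilly";

foreach (['default' => encode_default($value), 'ENT_QUOTES' => encode_safe($value)] as $label => $enc) {
    $status = breaks_single_quoted_attr($enc) ? 'UNSAFE in single-quoted attribute' : 'safe';
    printf("%-10s %-16s %s\n", $label, $enc, $status);
    // Same template for both; only the second keeps the value inside the quotes.
    echo "  <input value='" . $enc . "'>\n";
}
```

Running it shows the single quote passing through untouched in the first case and converted to a numeric entity in the second. The practical rule is to always pass the flags and the charset explicitly, or use htmlspecialchars() with the same flags, rather than relying on whichever defaults the deployed PHP version happens to have; on PHP older than 8.1, any attribute output without ENT_QUOTES deserves a review.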


Web200 (solved by nurfed)

In this challenge they used a known open-source CMS called CMSmini, whose sources can be found easily through Google. The vulnerability was the unsafe redirect that was supposed to deny access to admin/ without proper authentication; it can be bypassed simply by requesting the page with wget, curl, etc. By the way, the flag can be obtained using this GET request:
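The bug pattern behind this kind of bypass is a Location header that is sent without stopping the script, so the protected page body is still generated. The following is an added example (not CMSmini's code) showing that pattern next to a hardened version; the session flag name and the login path are placeholders.

```php
<?php
// Added example, not CMSmini's code: an unsafe "redirect without exit" guard
// beside a hardened one. Assumes a session flag named is_admin (placeholder).

function is_authenticated(): bool
{
    return !empty($_SESSION['is_admin']);
}

// VULNERABLE: the Location header is sent, but execution continues and the
// admin markup is still written to the response body. A browser follows the
// redirect and never shows that body; a client that does not follow
// redirects (curl and wget by default) simply receives it.
function admin_page_unsafe(): void
{
    if (!is_authenticated()) {
        header('Location: /login.php');
        // missing exit: everything below still runs
    }
    echo "<h1>Admin panel</h1>\n";
}

// HARDENED: the guard terminates the script, so nothing protected is ever
// emitted, and an explicit status code is set for the redirect.
function admin_page_safe(): void
{
    if (!is_authenticated()) {
        header('Location: /login.php', true, 303);
        exit;
    }
    echo "<h1>Admin panel</h1>\n";
}

session_start();
admin_page_safe();
```

A quick check for a deployed application is `curl -i` against the protected URL without a session: a correct guard returns the 3xx status with an empty body, while the vulnerable one returns the 3xx status followed by the full page. Better still is to perform the authentication check in a bootstrap file that is included before any page-specific code, so that a forgotten exit in one page cannot expose it.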

Which leads to the flag:



In this challenge the images provided are generated by a tt.php page which takes two arguments, 'w' and 'src'. If you request it without either of them you'll see an interesting output:

TimThumb version : 1.33

Googling for vulnerabilities in this type of application I found this:


Which basically lets us upload an image to the server from a "trusted source" like Flickr, WordPress or Photobucket. It's then pretty easy to upload a shell hidden in an image on Photobucket, since it won't strip our payload (as WordPress does). Our supplied image is placed in cache/external_md5(url_of_image) on the server. But how to execute our code? On the site there was an LFI which allows us to do this:
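The write-up's point about WordPress stripping the payload while Photobucket does not is the key defensive observation: a fetched "image" should be re-encoded from its decoded pixels before it is cached, rather than written to disk byte-for-byte. Here is an added example of that approach (not TimThumb's code) using PHP's GD extension, with a dimension cap so that decoding cannot be used to exhaust memory; the cache directory is a placeholder.

```php
<?php
// Added example, not TimThumb's code: re-encode a fetched image through GD
// before caching it, so only decoded pixel data reaches the cache file.
// Assumes the GD extension is available; $cacheDir is a placeholder path.

const MAX_DIMENSION = 4096; // refuse absurdly large images before decoding

function store_external_image(string $bytes, string $cacheDir): ?string
{
    // Inspect the header first: this is cheap and rejects non-images and
    // oversized images without allocating a full canvas.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || $info[0] > MAX_DIMENSION || $info[1] > MAX_DIMENSION) {
        return null;
    }

    // Decode to an in-memory GD image. GD keeps pixels, palette and alpha,
    // not arbitrary trailing or embedded bytes from the original file.
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;
    }

    // Name the file by content hash and force a fixed extension, so the
    // original URL or file name can never choose the extension on disk.
    $path = rtrim($cacheDir, '/') . '/external_' . hash('sha256', $bytes) . '.png';

    imagesavealpha($img, true);
    $ok = imagepng($img, $path); // writes a fresh PNG from the decoded pixels
    imagedestroy($img);

    return $ok ? $path : null;
}

// Constructed usage: a tiny image generated here, then re-encoded into cache.
$canvas = imagecreatetruecolor(2, 2);
ob_start();
imagepng($canvas);
$sample = ob_get_clean();
imagedestroy($canvas);

$stored = store_external_image($sample, sys_get_temp_dir());
echo $stored === null ? "rejected\n" : "cached as $stored\n";
```

Re-encoding removes what the write-up relies on (payload bytes riding inside an image), but it should be combined with serving the cache directory with script execution disabled (for mod_php, `php_flag engine off` in that directory's .htaccess), since an include-based bug elsewhere in the application would otherwise still be able to execute whatever lands there.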

575b3f3f5318b2afbfe91ed860a4b10c.txt <– flag file

flag: johnnybravo