# MeePwnTube
TLDR; this is SSRF plus a filter bypass. It is also
a fun challenge where you can listen to many "hot" singers from Vietnam.
# The problem
The source code is already provided.
## _ducnt.php
```
$res = mysqli_query($conn,"SELECT * FROM users WHERE username='$username' and password = '$hashpasswd'");
// .. snip..
$_current_avatar = $row['avatar_name'];            // the avatar URL saved by change_avatar.php
// .. snip..
$_parse_current_avatar = _curl($_current_avatar);  // server-side fetch of that URL
$_parse_current_avatar = '<center>
</center>';  // the base64 body returned by _curl() is interpolated into this markup (the element itself is not shown on this page)
```
## curl.php
```
$data = curl_exec($ch);     // raw response body of whatever the avatar URL points at
// .. snip..
return base64_encode($data); // handed back verbatim, just base64-encoded
```
Because the fetched body comes back base64-encoded and is embedded in the profile page, decoding it gives you the entire response of whatever URL the server fetched.
## flag.php
There is a note here:
```
echo '<center>
Nice try dude but but wrong hole....
</center>';
```
## change_avatar.php
```
function rule_change_avatar($data){
    $_parse = parse_url($data);
    if(!preg_match("/^http$/", $_parse['scheme'])) {
        die("<center>
Error: 'HTTP only' dude!!
</center>");
    }
    if(!preg_match("/meepwntube.0x1337.space$/", $_parse['host'])) {
        die("<center>
Error: Our 'space' only dude!!
</center>");
    }
    //super miniwaf prevent scanning internal
    if(preg_match("/127|192|172|000|0.0|fff|0x0|0x7f|0177|2130706433|\]|\[/", $_parse['host'])) {
        die("<center>
Error: Oops script kiddie detected!!
</center>");
    }
}
```
As you can see, `rule_change_avatar` looks sensible, but there is a hole in it: `/meepwntube.0x1337.space$/` is a broken regex. The two dots are not escaped, so each one matches any character, and the pattern is only anchored at the end, so any host that merely ends in something like `meepwntubex0x1337.space` passes. The "miniwaf" below it does not help, because it only inspects the host string, and the host string is a domain name I control; the loopback address comes from DNS, which the filter never looks at.
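To make the bypass concrete, here is an added example (my own Python, not the challenge's PHP) that reproduces the three checks of `rule_change_avatar` with the original patterns, and beside them a hardened variant with the dots escaped, the pattern anchored on a label boundary, custom ports refused, and the resolved address checked against loopback/private ranges. The DNS table is constructed so the example runs offline: `random.meepwntubex0x1337.space` is the domain from the PoC, `evil.meepwntube.0x1337.space` is a hypothetical attacker-pointed subdomain, and `203.0.113.10` is a documentation address standing in for the real server.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Reproduction of the three checks in change_avatar.php with the same patterns.
# The unescaped '.' and the missing '^' anchor in HOST_RE are the bug.
SCHEME_RE = re.compile(r"^http$")
HOST_RE = re.compile(r"meepwntube.0x1337.space$")
WAF_RE = re.compile(r"127|192|172|000|0.0|fff|0x0|0x7f|0177|2130706433|\]|\[")


def rule_change_avatar(url):
    """Mirror of the challenge filter: None means the URL is accepted,
    otherwise the (shortened) message the PHP code would die() with."""
    p = urlparse(url)
    host = p.hostname or ""  # like PHP's parse_url()['host'], without the port
    if not SCHEME_RE.search(p.scheme):
        return "HTTP only"
    if not HOST_RE.search(host):
        return "Our space only"
    if WAF_RE.search(host):
        return "script kiddie detected"
    return None


# Hardened variant (added here, not the challenge's code): literal dots,
# anchored at the start or at a label boundary, no custom port, and the name
# must resolve to a non-internal address.
ALLOWED_HOST_RE = re.compile(r"(^|\.)meepwntube\.0x1337\.space$")

BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS table so the example runs offline (203.0.113.0/24 is TEST-NET-3).
FAKE_DNS = {
    "meepwntube.0x1337.space": "203.0.113.10",
    "random.meepwntubex0x1337.space": "127.0.0.1",  # the PoC domain, A record -> loopback
    "evil.meepwntube.0x1337.space": "127.0.0.1",    # hypothetical attacker-pointed subdomain
}


def hardened_rule(url, resolve=FAKE_DNS.get):
    """Same contract as rule_change_avatar(); `resolve` maps a host to an IP
    string (swap in socket.gethostbyname for real lookups)."""
    p = urlparse(url)
    host = p.hostname or ""
    if p.scheme != "http":
        return "HTTP only"
    if not ALLOWED_HOST_RE.search(host):
        return "Our space only"
    if p.port not in (None, 80):
        return "port not allowed"
    addr = resolve(host)
    if addr is None:
        return "unresolvable"
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in BLOCKED_NETS):
        return "internal address"
    return None


if __name__ == "__main__":
    poc = "http://random.meepwntubex0x1337.space:1337/flag.php"
    print("original filter:", rule_change_avatar(poc))  # None: accepted
    print("hardened filter:", hardened_rule(poc))       # rejected on the host check
    print("hardened filter:", hardened_rule("http://evil.meepwntube.0x1337.space/flag.php"))
```

Even the hardened check is still a resolve-then-connect race: curl resolves the name a second time when it fetches, so a rebinding DNS record can pass the check and then hand curl the loopback address. A fetcher that takes this seriously pins the validated address for the actual connection (libcurl's `CURLOPT_RESOLVE`) or validates the peer address at connect time.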
### The chain is:
- change_avatar.php: update the `avatar url`; `rule_change_avatar` is the only thing standing between you and an arbitrary host
- `_ducnt.php`: `_curl()` fetches that URL server-side
- the base64-encoded response lands in the page, which gives you the source of whatever was fetched
# PoC
So I quickly registered a new domain, "meepwntubex0x1337.space", and pointed an A record at "127.0.0.1".
I only tried this on the main site, not on bak.meepwn.. ., because it has another regex check :doge:
The function `rule_change_avatar` also allows a custom `port`, so after scanning every port from 1 to 10000 I got the flag at (I should have guessed it first :D) (not this domain)
http://random.meepwntubex0x1337.space:1337/flag.php
```
1335
1336
1337 Hey dude how can you get here???: BTW here is your flag: MeePwnCTF{******_gr8_again?????}
1338
1339
```