Tags: web php
Extracttheflag! - Web
I've got the source code of the PHP page. Here are the interesting parts:
A session is started, and the admin session variable is set to false.
I checked what the extract() function is.
Note that it is insecure to call this function on untrusted data such as user input.
In PHP, extract($_POST) turns every key of the POST request data into a corresponding PHP variable.
When PHP runs extract() on the $_POST array, it creates variables that mirror the array's keys. This is a security risk whenever extract() overwrites pre-existing variables, which is exactly what happens in this scenario.
According to this part of the code, the session's admin variable has to be true in order to see the flag.
Sending a POST request with _SESSION['admin'] set to 'true' causes the session's admin variable to be overwritten, and the flag is exposed:
curl 'https://extracttheflag.ctf.cert.unlp.edu.ar' -X POST -d _SESSION['admin']=true
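The mechanism behind the request above, reconstructed as an added example (this is not the challenge's real source): a global-scope extract($_POST) that clobbers $_SESSION, beside a hardened version that reads fields by name or prefixes everything extract() imports. The $_POST contents are constructed to match the curl body.

```php
<?php
// Added example, not the challenge's actual code: vulnerable pattern at
// global scope, then the hardened handling of the same request.
session_start();
$_SESSION['admin'] = false;

// Constructed request body, equivalent to the POST field _SESSION[admin]=true.
// PHP parses that field into a nested array before the script runs.
$_POST = ['_SESSION' => ['admin' => 'true'], 'username' => 'guest'];

// --- Vulnerable (default EXTR_OVERWRITE, global scope) ---
// extract() writes every key of $_POST into the global symbol table, so the
// key "_SESSION" replaces the session array that session_start() populated.
extract($_POST);
echo "vulnerable: ", ($_SESSION['admin'] ? "flag shown" : "denied"), PHP_EOL;

// --- Hardened ---
// Reset state for the demo (the real fix is never to reach the line above).
$_SESSION = ['admin' => false];
// Read the fields you expect by name instead of importing the whole array...
$username = $_POST['username'] ?? '';
// ...or, if extract() must stay, prefix every imported name so no request key
// can collide with an existing variable or a superglobal.
extract($_POST, EXTR_PREFIX_ALL, 'form');   // yields $form_username, $form__SESSION
echo "hardened: ", ($_SESSION['admin'] ? "flag shown" : "denied"), PHP_EOL;
```

Run it with the PHP CLI; the first line reports "flag shown" and the second "denied", because the prefixed import leaves $_SESSION untouched.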