Tags: web php 


Extracttheflag! - Web
I've got the source code of the PHP page. Here are the interesting parts:

A session is started, and the admin session variable is set to false.

I checked what the extract() function is.

Note that it is insecure to pass untrusted data, such as user input, to this function.

In PHP, the extract($_POST) function is used to convert POST request data into corresponding internal variables.

When PHP runs the extract() function on the $_POST array, it creates variables that mirror the array's contents. This can pose a security risk if extract() ends up overwriting pre-existing variables, which, in our scenario, is exactly what happens.

According to this part of the code, the session's admin variable must be true in order to see the flag.

Sending a POST request with _SESSION['admin'] set to 'true' causes the session's admin variable to be overwritten, exposing the flag:

curl 'https://extracttheflag.ctf.cert.unlp.edu.ar' -X POST -d _SESSION['admin']=true
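To make the mechanism concrete, here is an added PHP example; it is not the challenge's source code. A plain array named $session stands in for $_SESSION so the script runs from the CLI without session_start(), and the truthiness check, the form field names and the function names are assumptions. The first handler mirrors the pattern the writeup describes (set admin to false, then extract($_POST)); the two that follow show how EXTR_SKIP and an explicit allow-list keep the same request from reaching the session flag.

```php
<?php
// Added example, not the challenge's source. $session replaces $_SESSION so
// this runs from the CLI; the mechanism (extract() replacing a variable that
// was assigned just before it) is the one the writeup triggers via "_SESSION".

// Stand-in for the challenge handler: admin = false, then extract the request.
function vulnerableHandler(array $post): bool
{
    $session = ['admin' => false];

    // The default flag is EXTR_OVERWRITE: a request key named "session"
    // replaces the array initialised on the line above, admin flag included.
    extract($post);

    // Assumed check: the real page tests the session's admin value for truthiness.
    return (bool) ($session['admin'] ?? false);
}

// Mitigation 1: keep extract(), but refuse to clobber variables that already exist.
function handlerWithExtrSkip(array $post): bool
{
    $session = ['admin' => false];
    extract($post, EXTR_SKIP);   // keys matching an existing variable are ignored
    return (bool) ($session['admin'] ?? false);
}

// Mitigation 2 (preferred): never turn request keys into variables at all.
// Copy only the fields the form is expected to carry, by explicit name.
function handlerWithAllowList(array $post): bool
{
    $session = ['admin' => false];
    $allowed = ['username', 'comment'];   // assumed form fields
    $form = [];
    foreach ($allowed as $key) {
        if (isset($post[$key]) && is_string($post[$key])) {
            $form[$key] = $post[$key];
        }
    }
    // $form is the only request data this handler touches; nothing in the
    // request can name or replace $session.
    return (bool) ($session['admin'] ?? false);
}

// Constructed request body: what PHP builds from a form field named
// session[admin]=true (the writeup's payload uses _SESSION in the same way).
$maliciousPost = ['session' => ['admin' => 'true'], 'username' => 'alice'];

foreach (['vulnerableHandler', 'handlerWithExtrSkip', 'handlerWithAllowList'] as $fn) {
    printf("%-22s admin=%s\n", $fn, $fn($maliciousPost) ? 'true' : 'false');
}
```

Running the script shows the first handler reporting admin as true for the constructed request while both mitigated handlers keep it false. EXTR_SKIP is the smallest change to existing code, but it only protects variables assigned before the extract() call; the allow-list version removes the variable-injection surface entirely and is what a review should push for.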

Original writeup (https://www.thesecuritywind.com/post/metared-ctf-argentina#viewer-ebtkc).