1 Posts tagged with php

Abusing PHP Constants, Temporary Uploads, and FastCGI to Bypass Restrictions

Posted on December 13, 2020* in ctf-writeups
asisctf-finals2020 web php rce

Challenge

Can you obtain the more secure secret? Even with all those filters? I don't think so :)

We also have the configuration files from the previous challenge Less Secure Secrets.

When we visit the given link, we see that the page prints out the source code of the current page:

<html><head></head>
<body>
<img width="300px" src="/img.jpg" style="display:block;">

<?php
function no_errors_baby($ab){
    die("I don't like errors and warnings");
}
function no_race($item, $key){}
    
array_walk_recursive($_SERVER, 'no_race');
array_walk_recursive($_GET, 'no_race');
array_walk_recursive($_POST, 'no_race');
array_walk_recursive($_REQUEST, 'no_race');
set_error_handler ( "no_errors_baby" , E_ALL );

if(!isset($_GET["yummy"])){
    highlight_file(__FILE__);
} else {
    sleep(2); //Anti-race
    echo "<!--";
    phpinfo(); 
    echo "-->";
    if(preg_match('/\$|\?|`|\'|"|%|!|[0-9]|@|\(|\)|\^|&|\*|-|\+|=|<|>|\\|{|}|\/|\||true|false|null|secret/i', $_GET["yummy"]) 
        || strlen($_GET["yummy"]) > 5000)
        die("Don't try harder");
    eval($_GET["yummy"]);
}
?>
</body>
</html>
Continue Reading
Switch to Dark Mode
Dark
Switch to Light Mode
Light