b64
This web challenge consists of a simple web application with base64 encoding and decoding functionality. The encoding and decoding processes run in the same endpoint (run.php), changing only one parameter in the request body.

When I changed the func parameter value to a random string, the response was an Internal Server Error with a 500 status code.

At this point I guessed, based on the parameter names, that the server creates a class with the value passed and then calls a function inside that class using the value of the func parameter, passing the value of input as the parameter. Something similar to the following code:
Note: I am very much a noob at coding PHP, and the code snippet is only a guess at how the application was implemented. Thanks to the following question on Stack Overflow:

To confirm my theory I searched for built-in classes in PHP 8.1.8, and found the DateTime class with a getTimestamp() function that returns the timestamp at the moment of execution. I sent this in my request and it worked!!!
At that moment, I was pretty happy because I understood how the application was working without any code and with limited knowledge of the PHP application.

So all that I needed was a class and function that would return me the value of the flag stored at /flag on the server. To do this I tried SplFileObject with __construct(), to instantiate the class passing /flag as a parameter and get its content. Unfortunately, the functionality has a filter and blocked me.

BUT I AM BRAZILIAN, AND BRAZILIANS NEVER GIVE UP!!!!!

Reading about the class mentioned in the PHP docs, I saw a parent class named SplFileInfo. It looked interesting, so I tried that. And to my surprise, it worked! I could bypass the filter and call the getFileInfo() function, returning the file name, as you can see in the image below.

Searching a little bit more, I found my final exploit using the openFile() function to read the flag on the remote server.

This challenge was amazing, I really enjoyed solving it and it gave me some new tricks! And a special thanks to @celesian for sharing with me an amazing paper about "Exploiting Arbitrary Object Instantiations in PHP without Custom Classes".
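The pattern the writeup infers, reconstructed as an added PHP example (not the challenge's own code): a hypothetical run.php that instantiates a request-supplied class and calls a request-supplied method behind a denylist, beside a hardened handler that maps func onto a fixed allowlist of closures. The parameter name `class` and the denylist contents are assumptions.

```php
<?php
// Added example, not the challenge's source: vulnerable pattern vs. hardened one.

// --- Vulnerable pattern (hypothetical run.php) ------------------------------
// Class and method names come straight from the request. A denylist of
// "dangerous" classes is easy to get wrong: the writeup shows SplFileObject
// blocked while its parent SplFileInfo, with the same file access, was not.
function handle_vulnerable(array $req): string
{
    $denylist = ['SplFileObject'];                 // constructed, incomplete
    $class = (string) ($req['class'] ?? '');       // parameter name assumed
    if (in_array($class, $denylist, true)) {
        return 'blocked';
    }
    $obj = new $class($req['input']);              // arbitrary instantiation
    $func = (string) ($req['func'] ?? '');
    return (string) $obj->$func();                 // arbitrary method call
}

// --- Hardened version ------------------------------------------------------
// No request value ever reaches `new` or `->`. The func parameter only
// selects an entry from a fixed allowlist; anything else is rejected.
function handle_hardened(array $req): string
{
    $allowed = [
        'encode' => static fn(string $s) => base64_encode($s),
        'decode' => static fn(string $s) => base64_decode($s, true), // strict
    ];
    $func = (string) ($req['func'] ?? '');
    if (!isset($allowed[$func])) {
        http_response_code(400);
        return 'unknown func';
    }
    $out = $allowed[$func]((string) ($req['input'] ?? ''));
    return $out === false ? 'invalid base64' : $out;
}

// Constructed sample request bodies, as the endpoint would receive them.
$ok  = json_decode('{"func":"decode","input":"aGVsbG8="}', true);
$bad = json_decode('{"func":"getTimestamp","input":"now"}', true);
echo handle_hardened($ok), PHP_EOL;    // hello
echo handle_hardened($bad), PHP_EOL;   // unknown func
```

Detection-wise, a 500 on an unexpected func value (as the writeup observed) is the fingerprint of the vulnerable form; the hardened form answers 400 without ever touching a class name.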