Post

Websec - Level 14 (풀이 봄)

Websec 14



image


1
2
3
4
5
6
7
8
9
10
<?php 
ini_set('display_errors', 'on');
ini_set('error_reporting', E_ALL ^ E_DEPRECATED);

if (isset ($_POST['code']) && is_string ($_POST['code'])) {
    $code = substr ($_POST['code'], 0, 25);
} else {
    $code = "print('I hate PHP');";
}
?>


<!-- If I had to guess, I would say that the $flag is in sha1($flag). -->


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
<?php

$funcs_internal = get_defined_functions()['internal'];

/* lets allow some secure funcs here */
unset ($funcs_internal[array_search('strlen', $funcs_internal)]);
unset ($funcs_internal[array_search('print', $funcs_internal)]);
unset ($funcs_internal[array_search('strcmp', $funcs_internal)]);
unset ($funcs_internal[array_search('strncmp', $funcs_internal)]);

$funcs_extra = array ('eval', 'include', 'require', 'function');
$funny_chars = array ('\.', '\+', '-', '\*', '"', '`', '\[', '\]');
$variables = array ('_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_FILES', '_ENV', 'HTTP_ENV_VARS', '_SESSION', 'GLOBALS');

$blacklist = array_merge($funcs_internal, $funcs_extra, $funny_chars, $variables);

$insecure = false;
foreach ($blacklist as $blacklisted) {
    if (preg_match ('/' . $blacklisted . '/im', $code)) {
        $insecure = true;
        break;
    }
}

if ($insecure) {
    echo 'Insecure code detected!';
} else {
    eval ($code);
}

?>






Solution



finfo를 이용해서 풀 수 있다.
echo new finfo(0,'/');


Flag
WEBSEC{that_must_have_been_some_nifty_php_trick_you_had_there}


finfo 말고 NOT 연산을 이용한 풀이도 있다.
jeonyoungsin.tistory.com/982






This post is licensed under CC BY 4.0 by the author.