Posts

RCE with eval() + math functions in PHP

Image
I solved this web challenge during the BambooFox CTF 2021 as part of the CTF Team Mayas . The name of the challenge was calc.exe and we were given a URL: http://chall.ctf.bamboofox.tw:13377 Upon accessing the URL, a simple input was shown. If we checked the source of the web page, we could see a link redirecting to http://chall.ctf.bamboofox.tw:13377/?source , which showed the source code of the application: <?php error_reporting ( 0 ) ; isset ( $_GET [ 'source' ] ) && die ( highlight_file ( __FILE__ ) ) ; function is_safe ( $query ) { $query = strtolower ( $query ) ; preg_match_all ( "/([a-z_]+)/" , $query , $words ) ; $words = $words [ 0 ] ; $good = [ 'abs' , 'acos' , 'acosh' , 'asin' , 'asinh' , 'atan2' , 'atan' , 'atanh' , 'base_convert' , 'bindec' , 'ceil' , 'cos' , 'cosh' , &
Read more

Abusing .htaccess + CGI to get RCE in application to upload files

Image
Welcome file NOTE: This is a translated version from my original post published in Mayas CTF Team blog (A Mexican CTF team which I’m member of) You can find the original post (in Spanish) here This Web challenge was solved during De1CTF from De1ta Club team. The challenge provided an URL and a small hint/information: the server was restarted every 5 min. The challenge page showed a simple form to upload files. The source code seemed pretty simple, with nothing out of the ordinary or vulnerable. <!DOCTYPE html> < html lang = " en " > < head > < meta charset = " UTF-8 " > < title > Cheek in </ title > < meta name = " viewport " content = " width=device-width, initial-scale=1 " > < link rel = " stylesheet " type = " text/css " href = " style/css/style1.css " > < link rel = " stylesheet " type = &
Read more