Instantly share code, notes, and snippets.

Embed
What would you like to do?
source code from DEF CON Quals 2018 - Easy Pisy challenge
<?php
include 'common.php';
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
print highlight_string(file_get_contents("execute.php"), TRUE);
exit(0);
}
$keys = get_keys();
$privkey = $keys[0];
$pubkey = $keys[1];
$file_info = $_FILES['userfile'];
check_uploaded_file($file_info);
$data = file_get_contents($file_info['tmp_name']);
$signature = hex2bin($_POST['signature']);
if (openssl_verify($data, $signature, $pubkey)) {
print 'Signature is OK.<br/>';
} else {
die('Bad signature.');
}
$text = pdf_to_text($file_info['tmp_name']);
print "Text: \"$text\"<br/>";
$execute_query = "EXECUTE ";
$echo_query = "ECHO ";
if (substr($text, 0, strlen($execute_query)) === $execute_query) {
$payload = substr($text, strlen($execute_query));
print "About to execute: \"$payload\".<br/>";
$out = shell_exec($payload);
print "Output: $out";
} else if (substr($text, 0, strlen($echo_query)) === $echo_query) {
$payload = substr($text, strlen($echo_query));
print "About to echo: \"$payload\".<br/>";
echo $payload;
} else {
print "I can't recognize the command type. Go away.<br/>";
}
?>
<?php
include 'common.php';
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
print highlight_string(file_get_contents("sign.php"), TRUE);
exit(0);
}
$keys = get_keys();
$privkey = $keys[0];
$pubkey = $keys[1];
if ($privkey === FALSE || $pubkey === FALSE) {
die("Could not load keys. Contact admin.<br/>");
}
$file_info = $_FILES['userfile'];
check_uploaded_file($file_info);
$text = pdf_to_text($file_info['tmp_name']);
print "Extracted text: \"$text\"<br/>";
$execute_query = "EXECUTE ";
$echo_query = "ECHO ";
if (substr($text, 0, strlen($execute_query)) === $execute_query) {
print "I don't sign EXECUTE commands. Go away.<br/>";
} else if (substr($text, 0, strlen($echo_query)) === $echo_query) {
print "I'm OK with ECHO commands. Here is the signature: <br/>";
$data = file_get_contents($file_info['tmp_name']);
openssl_sign($data, $signature, $privkey);
print bin2hex($signature);
} else {
print "I can't recognize the command type. Go away.<br/>";
}
?>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment