Back with more awesome!


Re: Back with more awesome!

Postby Erik Frèrejean » 08 Feb 2012, 16:16

Techie-Micheal wrote:
Erik Frèrejean wrote:
Spoiler:
So I haven't been able to get a POC that actually works, PHP won't stop whining
Code:
Fatal error: Function name must be a string in ./tm.php on line 32

The idea was to encode the function call that needs to be injected by converting each character to its hex value and then xor it against 0xFF, which then is big enough to be shifted away by the regex. The idea was that if the url contains another xor with a bunch of %FF then PHP translates it back to the original string when injected and executes it. The error indicates that it appears to do something, but I can't get it to actually exploit.


Spoiler:
Yes! You are almost there. :) However, the %FF is unnecessary (though interesting, I'll have to look at that). Let me know if you want another hint.

Spoiler:
Well, probably unnecessary, though that was the only way we could think of fooling the regex by bringing the token string outside the \w range. If you have another hint that's welcome :hello:, I don't think I get further on this than I am. This is kinda outside my field of expertise :p
Proud member of the phpBB support team
STG Support team member | STG Moderator team member
Erik Frèrejean
phpBB Team Member
Posts: 1114
Joined: 03 Dec 2007, 00:49
Location: USERS_TABLE
Favorite Team: New Orleans Saints
Gender: Male
phpBB Knowledge: 10
Re: Back with more awesome!

Postby Techie-Micheal » 08 Feb 2012, 17:05

Hint 1:
Spoiler:
Code:
// Read the raw "p" query parameter (the @ suppresses the notice when it is absent)
$param = @$_GET['p'];
// Strip characters that are not \w (letters, digits, underscore) before use
$mode = preg_replace('/[^\w]/', '', $param);


We see it is getting the p parameter, saving it to $param. Then we see a preg_replace call looking for \w. But the catch here is that it is only looking at the first character.


Hint 2:
Spoiler:
What does create_function do?


Hint 3:
Spoiler:
What is unique about lambda functions?


Hint 4:
Spoiler:
What happens if you inject '*' in the p parameter?


Hint 5:
Spoiler:
What happens if you try a few other things?


Hint 6:
Spoiler:
At this point, you should have enough information to search Google. I recommend seclists.org.


Hint 7 **This gives the answer**:
Spoiler:
?p=a';}phpinfo();/*
Techie-Micheal
STG Development
Posts: 63
Joined: 26 Oct 2007, 21:35
Gender: Male
phpBB Knowledge: 10
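The hints above describe the weakness: a mode name taken from `?p=` is "sanitised" by stripping characters and then used to build code with create_function, so a value that closes the string and the surrounding block runs attacker-chosen PHP. The defensive counterpart is to never build code from input at all. The following is an added example written for this thread, not code from the challenge or from phpBB: it maps the parameter onto a fixed dispatch table with an exact allowlist match, rejects everything else, and logs the rejected value for detection. The mode names list/show/search and the handler bodies are constructed for the example; the second sample input is the payload given in Hint 7.

```php
<?php
// Added example (not the challenge's own code): select behaviour by name
// without ever turning user input into code.
declare(strict_types=1);

// Fixed dispatch table. The only code that can run is defined here at
// development time; the request value is used purely as a lookup key.
// (Mode names and handlers are constructed for this example.)
const ALLOWED_MODES = [
    'list'   => 'mode_list',
    'show'   => 'mode_show',
    'search' => 'mode_search',
];

function mode_list(): string   { return 'listing items'; }
function mode_show(): string   { return 'showing one item'; }
function mode_search(): string { return 'searching items'; }

/**
 * Resolve a requested mode to a handler name, or null if it is not allowed.
 * No sanitising-by-stripping: the value must match an allowlisted key exactly.
 */
function resolve_mode(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    return array_key_exists($raw, ALLOWED_MODES) ? ALLOWED_MODES[$raw] : null;
}

/** Run the handler for the request, or reject with a 400 and a log entry. */
function dispatch(?string $raw): string
{
    $handler = resolve_mode($raw);
    if ($handler === null) {
        // Log the rejected value hex-encoded so control characters and quotes
        // cannot mangle the log line; never echo it back to the client unescaped.
        error_log('rejected mode parameter: ' . bin2hex((string) $raw));
        if (PHP_SAPI !== 'cli') {
            http_response_code(400);
        }
        return 'bad request';
    }
    return $handler();
}

/**
 * For reference only: what a complete strip with the regex from Hint 1 does.
 * On the Hint 7 payload this leaves just "aphpinfo", which is why the thread's
 * point is that the challenge's filter only examines the first character.
 */
function strip_nonword(string $s): string
{
    return preg_replace('/[^\w]/', '', $s);
}

// Constructed inputs for a stand-alone run: a legitimate value, the injection
// string from Hint 7 (which must fall through to rejection), and a missing value.
foreach (['list', "a';}phpinfo();/*", null] as $input) {
    printf("%-22s => %s\n", var_export($input, true), dispatch($input));
}
printf("full strip of payload => %s\n", strip_nonword("a';}phpinfo();/*"));
```

Run it with `php example.php`; the legitimate value reaches its handler, the payload and the missing value both produce "bad request" and an error_log line. Two points to take from it: an allowlist lookup needs no character filtering, so there is no filter to bypass, and create_function itself was deprecated in PHP 7.2 and removed in PHP 8.0, so code built this way will not run on a current interpreter regardless of the input.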
