A disturbing lack of taste.

15 Jan 2014

Hack you 2014 – Web 400 Writeup

This challenge takes two GET parameters, action and param. From the source code, action is used as a class name and param is passed as the single argument to that class's constructor. So we list every PHP class declared at runtime with:

    php -r 'var_dump(get_declared_classes());'

and look for one that lets us read files or maybe execute commands. GlobIterator looks right: according to php.net it iterates over the file system much like glob(), which means the '*' wildcard works for our purpose. So let's try it:

http://hackyou2014tasks.ctf.su:40080/index.php?action=GlobIterator&param=/C*

This instantiates GlobIterator("/C*") on the server, and the resulting object is echoed at the end of the page.

Output: CTF{42a38432d46b9054004a7a87fd3140c7}
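To make the root cause concrete, here is an added example of the pattern the writeup describes (it is not the challenge's source, which this post does not reproduce): a dispatcher that builds the class name from the request, reconstructed from the description above, next to a hardened dispatcher that resolves the request through a fixed map. The Greeter and Echoer classes and the 'greet' and 'echo' keys are assumed for the example.

```php
<?php
// Added example (not the challenge's source): the pattern the writeup describes,
// reconstructed as dispatch_vulnerable(), beside a hardened dispatcher.
// Greeter, Echoer and the map keys are assumed for the example.

declare(strict_types=1);

// Vulnerable: the request decides which class is instantiated, so every class
// PHP has declared is reachable, GlobIterator included.
function dispatch_vulnerable(string $action, string $param): object
{
    return new $action($param);
}

interface Action
{
    public function run(): string;
}

final class Greeter implements Action
{
    public function __construct(private string $name) {}
    public function run(): string { return 'Hello, ' . $this->name; }
}

final class Echoer implements Action
{
    public function __construct(private string $text) {}
    public function run(): string { return $this->text; }
}

// Hardened: the request only selects a key; the class name comes from this map,
// so user input never becomes a class name.
const ALLOWED_ACTIONS = [
    'greet' => Greeter::class,
    'echo'  => Echoer::class,
];

function dispatch_safe(string $action, string $param): Action
{
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        throw new InvalidArgumentException('unknown action');
    }
    $class = ALLOWED_ACTIONS[$action];
    $obj = new $class($param);
    // Second line of defence: if the map is ever mis-edited, only Action
    // implementations can leave this function.
    if (!$obj instanceof Action) {
        throw new LogicException('action class does not implement Action');
    }
    return $obj;
}

// Feed both dispatchers' inputs from the writeup through the hardened one.
$requests = [
    ['greet', 'CTF player'],
    ['GlobIterator', '/C*'],
];
foreach ($requests as [$action, $param]) {
    try {
        echo $action, ': ', dispatch_safe($action, $param)->run(), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $action, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

With the hardened dispatcher the GlobIterator request is rejected before any object is created, while the first request runs normally. Mapping request keys to class names is stricter than checking the raw class name against a list with in_array(), because the request string is never used as an identifier at all; the constructor argument still needs its own per-action validation, since a path or pattern that is harmless for one class may not be for another. Auditing a code base for this bug class is mostly a search for `new $` and for call_user_func()/ReflectionClass uses whose arguments come from the request.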

Razor4x
