maple maple3142

Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

ES Modules are terrible, actually

This post was adapted from an earlier Twitter thread.

It's incredible how many collective developer hours have been wasted on pushing through the turd that is ES Modules (often mistakenly called "ES6 Modules"). Causing a big ecosystem divide and massive tooling support issues, for... well, no reason, really. There are no actual advantages to it. At all.

It looks shiny and new and some libraries use it in their documentation without any explanation, so people assume that it's the new thing that must be used. And then I end up having to explain to them why, unlike CommonJS, it doesn't actually work everywhere yet, and may never do so. For example, you can't import ESM modules from a CommonJS file! (Update: I've released a module that works around this issue.)

And then there's Rollup, which apparently requires ESM to be u

	# https://static.chunichi.co.jp/chunichi/pages/feature/QR/galois_field_in_auto_factory.html
	X = GF(2).polynomial_ring().gen()
	poly = X 8 + X 4 + X 3 + X 2 + 1
	F = GF(2 ** 8, name="a", modulus=poly)
	R.<x> = PolynomialRing(F)


	def tobin(x, n):
	x = Integer(x)
	nbits = x.nbits()

	from Crypto.Cipher import AES
	import secrets


	F = GF(2128, name="a", modulus=x128 + x7 + x2 + x + 1)

	def to_poly(x):
	bs = Integer(int.from_bytes(x, "big")).bits()[::-1]
	return F([0] * (128 - len(bs)) + bs)

	#include <stdio.h>
	#include <string.h>

	const char *buf = "hello from linux\n";
	char * const argv[] = {
	"/bin/sh",
	"-c",
	"echo 'hello from execve'",
	NULL,
	};

	# Use a small prime for brevity
	p = 4 * 3 * 5 * 7 - 1
	primes = [3, 5, 7]
	Fp = GF(p)


	def from_weierstrass(EC):
	a, b = EC.a4(), EC.a6()
	F = EC.base_field()
	PR = PolynomialRing(F, name="z")

	#!/bin/sh

	# Copyright 2023 Khalifah K. Shabazz
	#
	# Permission is hereby granted, free of charge, to any person obtaining a
	# copy of this software and associated documentation files (the “Software”),
	# to deal in the Software without restriction, including without limitation
	# the rights to use, copy, modify, merge, publish, distribute, sublicense,
	# and/or sell copies of the Software, and to permit persons to whom the
	# Software is furnished to do so, subject to the following conditions:

	/*
	Copy this into the console of any web page that is interactive and doesn't
	do hard reloads. You will hear your DOM changes as different pitches of
	audio.

	I have found this interesting for debugging, but also fun to hear web pages
	render like UIs do in movies.
	*/

	const audioCtx = new (window.AudioContext \|\| window.webkitAudioContext)()

	Mute these words in your settings here: https://twitter.com/settings/muted_keywords

	ActivityTweet
	generic_activity_highlights
	generic_activity_momentsbreaking
	RankedOrganicTweet
	suggest_activity
	suggest_activity_feed
	suggest_activity_highlights
	suggest_activity_tweet

	# github.com/ndavison

	import requests
	import random
	import string
	from argparse import ArgumentParser


	parser = ArgumentParser(description="Attempts to find hop-by-hop header abuse potential against the provided URL.")
	parser.add_argument("-u", "--url", help="URL to target (without query string)")