Published in InfoSec Write-ups

CTF writeup: PHP object injection in Kaspersky CTF

This is the walkthrough for the PHP object injection challenge from the Kaspersky Industrial CTF organized by Kaspersky Lab.

In this challenge there was a form which performs an arithmetic operation on user-supplied input.

Let's perform the normal use case first. I entered 2 and 3 in the first and second text boxes respectively.

As we can see, we got the result of our expression: 2 + 3 = 5.

Plain and simple, but one thing which got my attention was the “Token”. Let's try clicking the “Share it” button.

This issued a GET request with the “token” parameter. Let's look at the response.

It has the same expression which we previously calculated: 2 + 3 = 5.

After base64-decoding the token I got a serialized PHP object.

As we can see, there is one sum function and its arguments (an array) are 2 and 3. There is a lot of content about PHP object injection on the web; I went through almost all of it, and you can look at it too.

I did a lot of trial and error, which I am not posting here for the sake of this article's length.

Let's have a look at our serialized object:

O:10:"Expression":3:{s:14:"Expressionop";s:3:"sum";s:18:"Expressionparams";a:2:{i:0;d:2;i:1;d:3;}s:9:"stringify";s:5:"2 + 3";}

You can play with this serialized object and see how it behaves.

I suspected that “sum” is a user-defined function and “Expressionparams” is an array whose first value is 2 and second value is 3.

You can call any PHP function in place of the sum function.

I changed the sum function to system(), which is a PHP function that executes the given command and outputs the result.

O:10:"Expression":3:{s:14:"Expressionop";s:6:"system";s:18:"Expressionparams";a:2:{i:0;d:2;i:1;d:3;}s:9:"stringify";s:5:"2 + 3";}

Keep in mind that we need to update the length of the string from 3 to 6, because the length of our function name (system) is 6.

Then encode it again with base64.

Let's send the request with the new payload.

Cool!! We were right: we can pass any PHP function in this serialized object; the only thing that remains is to give the parameters in the right format. sum had an array as its arguments, whereas we need a string as the argument for our system function.

I replaced a:2:{i:0;d:2;i:1;d:3;} (array) with

s:2:"ls" (string)

Let's try to run the ls command.
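For context on why swapping the operation name works, and how a defender closes the hole, here is an added PHP example (not the challenge's actual source, which the write-up never shows); it assumes a class shaped like the serialized object, with unserialize() feeding a dynamic function call, and puts a hardened version beside it. The property names show up as s:14 and s:18 rather than 12 and 16 because private properties serialize as "\0Class\0name", and the NUL bytes are invisible in the pasted payload.

```php
<?php
// Added example, not the challenge's own source (the write-up never shows it).
// Assumption: the server rebuilds the Expression with unserialize() on the
// base64 token and then calls the stored operation name with the stored params.

// --- Vulnerable pattern: op and params are trusted straight from the token.
class Expression {
    private $op;        // serialized as "\0Expression\0op"     (hence s:14)
    private $params;    // serialized as "\0Expression\0params" (hence s:18)
    public $stringify;

    public function evaluate() {
        // Whatever function name the token carries gets called here.
        return call_user_func_array($this->op, $this->params);
    }
}

function vulnerable_eval(string $token) {
    return unserialize(base64_decode($token))->evaluate();
}

// --- Hardened pattern: no unserialize() on client data, an HMAC so the token
// cannot be edited, and an allowlist of operations instead of a function name.
function allowed_ops(): array {
    return [
        'sum' => fn(float $a, float $b) => $a + $b,
        'sub' => fn(float $a, float $b) => $a - $b,
        'mul' => fn(float $a, float $b) => $a * $b,
    ];
}

function make_token(string $op, float $a, float $b, string $key): string {
    $body = json_encode(['op' => $op, 'params' => [$a, $b]]);
    return base64_encode(hash_hmac('sha256', $body, $key) . '.' . $body);
}

function safe_eval(string $token, string $key): float {
    $raw = base64_decode($token, true);
    if ($raw === false || !str_contains($raw, '.')) throw new InvalidArgumentException('bad token');
    [$mac, $body] = explode('.', $raw, 2);   // hex MAC first, so the split on '.' is unambiguous
    if (!hash_equals(hash_hmac('sha256', $body, $key), $mac)) throw new InvalidArgumentException('bad signature');
    $data = json_decode($body, true);
    $ops  = allowed_ops();
    $op   = $data['op'] ?? null;
    $p    = array_values((array)($data['params'] ?? []));
    if (!is_string($op) || !isset($ops[$op])) throw new InvalidArgumentException('unknown op');
    if (count($p) !== 2 || !is_numeric($p[0]) || !is_numeric($p[1])) throw new InvalidArgumentException('need two numbers');
    return $ops[$op]((float)$p[0], (float)$p[1]);
}
echo safe_eval(make_token('sum', 2, 3, 'placeholder-secret'), 'placeholder-secret'), "\n";
```

With the hardened version a token whose body has been edited fails the HMAC check before its contents are even parsed, and an op outside the allowlist is rejected rather than called; it needs PHP 8 for str_contains().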

The last task ahead of us is to find the flag, which was not too difficult.

Let's open the fl4g_h4r3 file.

And finally we got the flag. Thanks for reading.

Let’s connect on twitter

Jaimin Gohel