0CTF/TCTF 2021 Quals - 1linephp [web]

The three servers are the same, you can choose any one. The server will be reset every 10 minutes.


This challenge is almost the same:


($_=@$_GET['yxxx'].'.php') && @substr(file($_)[0],0,6) === '@<?php' ? include($_) : highlight_file(__FILE__) && include('phpinfo.html');


But some of the code is different, so we need to find a new exploit.

We can write an arbitrary session file using PHP_SESSION_UPLOAD_PROGRESS and include that session file through various stream wrappers.
But in this challenge we need to get around the appended .php, so we can think of two ways to bypass it:


1. phar wrapper
2. zip wrapper

First I tried the phar wrapper, but it's impossible!
Then maybe we can use the second way for the exploit.
By accident, I found this writeup, and it has very useful information.

A zip file is not required to start with the PK signature.
If we set the proper offsets inside the zip file, there is no need for the zip signature to be at the start of the file.
And we can simply calculate the ZIP offsets by hand!
We need to change two offsets in the zip:
just the Local Header Offset in the Central Directory File Header and the Central Directory Offset in the End of Central Directory Record.

These offsets tell the reader where each header starts in the file, so the payload can be unpacked regardless of the session prefix in front of it.
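As an added example (my own code, not from the original writeup), here is a small checker that parses the End of Central Directory Record and the first Central Directory File Header and compares the offsets the archive claims with where the structures really sit; a session-style prefix in front of an unmodified archive shows up as a non-zero shift. The sample archive and the prefix are constructed inline.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End of Central Directory Record
CDFH_SIG = b"PK\x01\x02"  # Central Directory File Header
LFH_SIG = b"PK\x03\x04"   # Local File Header


def inspect_zip(data: bytes) -> dict:
    """Report claimed vs. actual positions of the central directory and the
    first local header, so foreign bytes in front of the archive are visible."""
    # The EOCD sits at the very end (22 bytes when there is no comment); scan back for it.
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no End of Central Directory Record")
    # EOCD fields after the signature: disk, cd_disk, n_this, n_total, cd_size, cd_offset, comment_len
    _, _, _, _, cd_size, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    # The central directory ends exactly where the EOCD begins.
    actual_cd = eocd - cd_size
    if data[actual_cd:actual_cd + 4] != CDFH_SIG:
        raise ValueError("central directory is not where its size says it is")
    # In the CDFH the 4-byte Local Header Offset field starts at byte 42.
    (lfh_offset,) = struct.unpack_from("<I", data, actual_cd + 42)
    return {
        "starts_with_lfh": data.startswith(LFH_SIG),
        "cd_offset_field": cd_offset,
        "cd_actual": actual_cd,
        "lfh_offset_field": lfh_offset,
        "lfh_actual": data.find(LFH_SIG),
        # Non-zero shift: the archive was prefixed without fixing the offsets.
        # Zero shift with a non-zero cd_actual: the offsets already account for the prefix.
        "shift": actual_cd - cd_offset,
    }


def make_sample(prefix: bytes) -> bytes:
    """Constructed sample: a one-entry stored archive with foreign bytes in front."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("note.txt", "hello")
    return prefix + buf.getvalue()


if __name__ == "__main__":
    print(inspect_zip(make_sample(b"constructed-prefix|")))
```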


On the server, session.upload_progress.cleanup is enabled, so we need to use a race condition.

Then we can get the flag!

My exploit:

