PHPFuck icon indicating copy to clipboard operation
PHPFuck copied to clipboard

Published 20 hours ago verified publisher icon splitline

7 is too many

Open arxenix opened this issue 3 years ago • 6 comments

You can do it in 5 :)

arxenix avatar Jul 31 '21 08:07 arxenix

currently being run as a challenge for UIUCTF'21 if you would like to try http://phpfuck-fixed.chal.uiuc.tf

arxenix avatar Jul 31 '21 08:07 arxenix

Now that the CTF is officially over: a working charset is (^.9)

some teams had solutions that were in fact simpler than this (using same charset), but here is my original approach,

after arbitrary string generation, the rest is based off of @splitline 's ideas

How it works

  • 9^99 -> 106
    • use xor to generate numbers
  • (9).(9) -> '99'
    • use . to concat numbers into strings
  • '09'^'1069'^'99' -> '80'
    • xor 2 strings to get a string
  • '80'^0 -> 80
    • (ab)use type juggling to cast a string to an int
  • Using a combination of the above tricks, you can get all of the digits 0-9
  • Can construct any string /[0-9]+/ by concatenating digits
  • Can obtain any number by casting to int
  • Constructing arbitrary strings requires a bit more work...
    • (99999999999...) -> INF
      • 309 9s gives us INF
    • (INF).(9) -> 'INF9'
      • Can now obtain char values in /[a-zA-Z]/ range!
      • e.g. 'INF9'^'00'^'33'^'99' -> 'st'
    • the only primitive we have for initially obtaining strings is concat, which gives us a length-2 string
    • we can generate /[a-z]{2,}|[A-Z]{2,}/ , but getting single-character strings is not possible
  • 'funcname'(param)
    • call functions by simply calling their string name
    • function names are case-insensitive
  • strtok(0) -> false
    • call strtok on a number to get false
    • === ('st'+'rt'+'OK')(0)
  • (9).false -> '9'
    • concat number with false to get a length-1 string
  • 'rw'^'99'^'9' -> 'r'
    • extract first char of any string with xor
  • Can now build arbitrary strings /[a-zA-Z]/
  • 'CHr'(num)
    • generate other characters (e.g. spaces)
  • Can now build any string at all! /.*/
  • str_getcsv("a,b") -> ["a", "b"]
    • create string arrays by parsing a CSV
  • func(...["a", "b"])
    • use spread operator to pass multiple arguments to a function
  • create_function("", "PAYLOAD")()
    • use create_function to create a function w/ arbitrary PHP code and then call it
  • Final payload looks like: 'create_function'(...str_getcsv(',"$PAYLOAD"'))

arxenix avatar Aug 02 '21 00:08 arxenix

Cool, I only know a 6 charset trick before, nice work!

splitline avatar Aug 02 '21 16:08 splitline

Excuse me, can you share which six characters? I'm interested in it

lexsd6 avatar Sep 03 '21 02:09 lexsd6

@lexsd6 See my above comment for the charset and explanation. you can do it with only 5 characters

arxenix avatar Sep 03 '21 04:09 arxenix

Excuse me, can you share which six characters? I'm interested in it

@lexsd6 You can use ([^.]) to do it. https://github.com/lebr0nli/PHPFun (Ideas and code are inspired and based on PHPFuck and jsfuck :p)

lebr0nli avatar Sep 05 '21 16:09 lebr0nli