Skip to content

wupco/rwctf2023-ASTLIBRA

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
deployment/ASTLIBRA
deployment/ASTLIBRA
 
 
README.md
README.md
 
 
exploit.py
exploit.py
 
 
protocol_handler.py
protocol_handler.py
 
 

Repository files navigation

rwctf2023-ASTLIBRA

Intended Solution

  1. After the execution of the $url = addslashes($_POST['URL']); and the preg_replace('/(.*)\{url\}(.*)/is', '${1}'.$url.'${2}', $zep_file);, \" will finally convert to \\".
  2. PHP class constructor could be a function with the same name as the class.
  3. Perform SSRF attack on MySQL Server with password using php-curl.

Exploit

  1. Execute python3 protocol_handler.py in a server with public IP.
  2. Modify exploit.py with your IP and Port.
  3. Execute python3 exploit.py.

Other Solutions

Although cblock has been removed by ASTLIBRA/zephir-tunnel/secure.patch, it could still be inserted in the place out of the function scope.

http\");}
__attribute__((constructor)) void exp() {
        ...
        system(xxx);
        ...
};
function tmp(){
    var ch = curl_init();//

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

10 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages