<-- home

AceBear 2018 / Url Parameter

Hello guys, just wake up after 48h of fighting, i will try to make write up for all web task as its all cleaned Here :D

So lets start with this easy task (at least look easy for me :p)

First look at robots.txt give us some hint :

give us :

# you know de wae ma queen
User-Agent: *
Disallow: /?debug

then check will show us simple php code , we need to send something like where system is the $key and id is the $val

$blacklist = "assert|system|passthru|exec|assert|read|open|eval|`|_|file|dir|\.\.|\/\/|curl|ftp|glob";

if(count($_GET) > 0){
	if(preg_match("/$blacklist/i",$_SERVER["REQUEST_URI"])) die("No no no hackers!!");
	list($key, $val) = each($_GET);

almost here all function that can be used filtred (open & read & _ ) will filter also many other function

so here make me stuck !

but my friend mention something that maked this almost done ‘encode’ As here the filter work on $_SERVER["REQUEST_URI"] and then in final step we have $_GET so if we encode our data it end decoded in each($_GET); but not in $_SERVER["REQUEST_URI"]

So the plan is clear here, encode our data to bypass filter and call any function :D


lets try it now :


Then final step read flag file :D



Thanks guys , will try to make write up (BearShare & BearShare 2 & Tet shopping) ;)