Project Sekai - ✅-web-filter-madness

Filter Madness - 500 points

Category: Web Description: Yet another PHP filter challenge. Filter processing in PHP can sometimes be strange. https://filter-madness-tlejfksioa-ul.a.run.app Files:

https://wolvctf.io/files/41aa44cbd7b205b08ad0c5cb87dd76e6/filter-madness-source.zip?token=eyJ1c2VyX2lkIjoyNjgsInRlYW1faWQiOjE3MCwiZmlsZV9pZCI6MTZ9.ZBTG5g.-XQOO9LhJ1Rhh_Z1onXj_Pg66FQ

Tags: SamXML#6151

Sutx pinned a message to this channel. 03/17/2023 1:00 PM

@irogir wants to collaborate

@zwx风信 wants to collaborate

Close

gl

@Violin wants to collaborate

@strellic wants to collaborate

i dont know php

hm

21:19

this would be really easy if not for the 100 length thing

21:19

L

zwx风信

Close

what progress did u make

22:00

im not good at php web

quit w

00:35

my guess is that you need to do something with phpinfo

00:35

and goal is definitely lfi not rce

00:36

it's definitely not the php char include thing since you only have like 50 chars (edited)

00:36

php moment

php moment

@rubiya wants to collaborate

It looks similar to https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d, but it seems impossible to create a 20 byte string with a 100 byte limit using this method

@hfz wants to collaborate

wait for hint ig

@jayden wants to collaborate

09:44

Try submitting: apple|frog

09:44

hint

This source in php_fopen_wrapper.c is relevant:

    } else if (!strncasecmp(path, "filter/", 7)) {
        /* Save time/memory when chain isn't specified */
        if (strchr(mode, 'r') || strchr(mode, '+')) {
            mode_rw |= PHP_STREAM_FILTER_READ;
        }
        if (strchr(mode, 'w') || strchr(mode, '+') || strchr(mode, 'a')) {
            mode_rw |= PHP_STREAM_FILTER_WRITE;
        }
        pathdup = estrndup(path + 6, strlen(path + 6));
        p = strstr(pathdup, "/resource=");
        if (!p) {
            zend_throw_error(NULL, "No URL resource specified");
            efree(pathdup);
            return NULL;
        }

        if (!(stream = php_stream_open_wrapper(p + 10, mode, options, opened_path))) {
            efree(pathdup);
            return NULL;
        }

        *p = '\0';

        p = php_strtok_r(pathdup + 1, "/", &token);
        while (p) {
            if (!strncasecmp(p, "read=", 5)) {
                php_stream_apply_filter_list(stream, p + 5, 1, 0);
            } else if (!strncasecmp(p, "write=", 6)) {
                php_stream_apply_filter_list(stream, p + 6, 0, 1);
            } else {
                php_stream_apply_filter_list(stream, p, mode_rw & PHP_STREAM_FILTER_READ, mode_rw & PHP_STREAM_FILTER_WRITE);
            }
            p = php_strtok_r(NULL, "/", &token);
        }

...

static void php_stream_apply_filter_list(php_stream *stream, char *filterlist, int read_chain, int write_chain) /* {{{ */
{
    char *p, *token = NULL;
    php_stream_filter *temp_filter;

    p = php_strtok_r(filterlist, "|", &token);
    while (p) {
        php_url_decode(p, strlen(p));
        if (read_chain) {
            if ((temp_filter = php_stream_filter_create(p, NULL, php_stream_is_persistent(stream)))) {
                php_stream_filter_append(&stream->readfilters, temp_filter);
            } else {
                php_error_docref(NULL, E_WARNING, "Unable to create filter (%s)", p);
            }
        }

(edited)

11:12

hint 2

only thing I see so far is that we can url encode filter names

putting this here to analyze on my phone msfrog

<?php
$result = 'no madness submitted yet';
$madness = isset($_GET['madness']) ? $_GET['madness'] : '';
if (strstr($madness, '/')) {
    die('Sorry, no slashes allowed');
}
$file = "php://filter/$madness/resource=/etc/passwd";
if (strlen($file) > 100) {
    die('Sorry, your madness is too long');
}
$result = file_get_contents($file);
if ($result === 'zombies for the flag') {
    $result = file_get_contents('/flag.txt');
}
?>
<div>Can you submit some madness that will return the flag?</div>
<br/>
<div>Your filter madness: <?php echo $file ?></div>
<div>Your filter madness length: <?php echo strlen($file) ?></div>
<div>Your filter madness results: <?php echo $result ?></div>
<br/>
<form method='GET'>
    <input name='madness'></input>
    <button>Submit</button>
</form>
<br/>
<div>Here's some <a href='/info.php'>info</a>.</div>

To summarize, so far we know:

the solve will have a pipe symbol in it
there is something about the cited code that can be exploited given the chal constraints

14:14

so yeah the 2 hints

someone solved with these hints so ig its indeed related with that source code

this chall makes me real sad

19:26

the only thing i figured out is u can use data uri but its not really helpful at all

19:26

19:26

this looks funny tho

19:27

no flag since my results is zombies for the flag</resource=/etc/passwd

whats ur payload?

resource=data:,zombies for the flag<

o ok

i have not figured out any bugs with pipes

19:29

xd

19:30

i can't read C

cant read php

think i found something

sahuang

This source in php_fopen_wrapper.c is relevant:

    } else if (!strncasecmp(path, "filter/", 7)) {
        /* Save time/memory when chain isn't specified */
        if (strchr(mode, 'r') || strchr(mode, '+')) {
            mode_rw |= PHP_STREAM_FILTER_READ;
        }
        if (strchr(mode, 'w') || strchr(mode, '+') || strchr(mode, 'a')) {
            mode_rw |= PHP_STREAM_FILTER_WRITE;
        }
        pathdup = estrndup(path + 6, strlen(path + 6));
        p = strstr(pathdup, "/resource=");
        if (!p) {
            zend_throw_error(NULL, "No URL resource specified");
            efree(pathdup);
            return NULL;
        }

        if (!(stream = php_stream_open_wrapper(p + 10, mode, options, opened_path))) {
            efree(pathdup);
            return NULL;
        }

        *p = '\0';

        p = php_strtok_r(pathdup + 1, "/", &token);
        while (p) {
            if (!strncasecmp(p, "read=", 5)) {
                php_stream_apply_filter_list(stream, p + 5, 1, 0);
            } else if (!strncasecmp(p, "write=", 6)) {
                php_stream_apply_filter_list(stream, p + 6, 0, 1);
            } else {
                php_stream_apply_filter_list(stream, p, mode_rw & PHP_STREAM_FILTER_READ, mode_rw & PHP_STREAM_FILTER_WRITE);
            }
            p = php_strtok_r(NULL, "/", &token);
        }

...

static void php_stream_apply_filter_list(php_stream *stream, char *filterlist, int read_chain, int write_chain) /* {{{ */
{
    char *p, *token = NULL;
    php_stream_filter *temp_filter;

    p = php_strtok_r(filterlist, "|", &token);
    while (p) {
        php_url_decode(p, strlen(p));
        if (read_chain) {
            if ((temp_filter = php_stream_filter_create(p, NULL, php_stream_is_persistent(stream)))) {
                php_stream_filter_append(&stream->readfilters, temp_filter);
            } else {
                php_error_docref(NULL, E_WARNING, "Unable to create filter (%s)", p);
            }
        }

(edited)

are we meant to find unintended/unusual behaviour from this c code?

yeah

19:40

i think i found it

19:40

but i still need to figure out how to expl

what is it?

resource=data:,aaaa|string.toupper