[ECW] - Madara · JustinType

Table of Contents

ECW 2023 - This article is part of a series.

Part 1: [ECW] - RandomKey

Part 2: [ECW] - BMPaaS

Part 3: This Article

Part 4: [ECW] - DumpCyber

Part 5: [ECW] - Babel

Part 6: [ECW] - Watermelons

Statement #

Source Code Analysis #

When we visit the instance, here’s what we get:

After a quick read of the code, it appears that we need to send a request to the server.

To get the flag, the value of the variable unserialize(@$__)['o']['k'] must be equal to 'imBored', and the value of the variable @__ must be equal to 'Madara'.

Testing the 1st condition #

So, I send the following request to the server to check that I understand the code correctly:

http://instances.challenge-ecw.fr:36111/?__=Madara

Okay, great! I’m entering the if(@$__==='Madara') condition.

Testing the 2nd condition #

But for the second variable, it gets complicated because if we send more than 4 characters of _ (underscore) or a single . (dot), the server will send us the message “You have used too much _” :

This corresponds to the code:

$query=$_SERVER["QUERY_STRING"];
parse_str($query);
if ((substr_count($query,'_')>=4)||(substr_count($query,'.')>0)){
    die('You have used too much _');
}

Therefore, we cannot send a request like:

http://instances.challenge-ecw.fr:36111/?__=Madara&___=value

As we pass these parameters in a URL, it is likely possible to encode them. I will then search for how to encode the special character _ (underscore), and I find:

I could replace all _ (underscore) characters with %5F

Construction of the Final Request #

All that’s left is to create a serialized variable equal to imBored in the array ['o']['k']. Simply use the serialize() function of PHP. I will also check that we can find this variable with the unserialize() function that will be used by the server:

<?php
$array["o"]["k"] = "imBored";
$test = serialize($array);
print($test);
print("\n");
print(unserialize($test)['o']['k']);
?>

Output:
a:1:{s:1:"o";a:1:{s:1:"k";s:7:"imBored";}}
imBored