Natas Level 20

There is a lot of code in this one, so let's focus on some of the more important parts:

[Image: natas level 20 win code snippet]

Line 23 tells us we need to set $_SESSION["admin"] == 1 for the win. We don't have direct control over the $_SESSION array, but the following code offers an entry point:

[Image: natas level 20 entry point]

The focus is on lines 59 – 63. Line 59 sets up a for loop that iterates once per newline-delimited (\n) piece of $data. This is made possible by the explode() function, which "returns an array of strings, each of which is a substring of string formed by splitting it on boundaries formed by the string delimiter". On line 61 each member of that array is passed to explode() again, this time with a space (" ") as the delimiter and a limit of 2, meaning the string is split only at the first space. Here's an example to look at:

[Image: natas level 20 explode example]

For this example I replaced $data with "friends love\nhappiness joy tranquility prosperity", and you can see that the first array key of $_SESSION was set to "friends" with the value "love". The second array key was set to "happiness" with the value "joy tranquility prosperity". For our hack we need to create an array key called "admin" with its value set to "1". We can create the key like this:

[Image: natas level 20 admin key creation]

Then all we have to do is set "admin" == 1:

[Image: natas level 20]
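
The parsing behaviour described for lines 59 – 63, written out as an added example (not the level's own source) next to a hardened storage format. The function names are hypothetical, and the naive writer is an assumption about how values reach $data, since the post only shows the reading side.

```php
<?php
// Added illustration; function names are hypothetical, not from the level's source.
// Reader as the post describes it: one record per "\n",
// each record split on the first space only (limit 2).
function parse_session(string $data): array {
    $session = [];
    foreach (explode("\n", $data) as $line) {
        $parts = explode(" ", $line, 2);
        if ($parts[0] !== "") {
            $session[$parts[0]] = $parts[1] ?? "";
        }
    }
    return $session;
}

// ASSUMED writer: "key value\n" per entry, value written unmodified.
function serialize_naive(array $session): string {
    $out = "";
    foreach ($session as $key => $value) {
        $out .= "$key $value\n";
    }
    return $out;
}

// Hardened writer: strict key check, value base64-encoded so it can
// never contain the "\n" record delimiter or the " " field delimiter.
function serialize_safe(array $session): string {
    $out = "";
    foreach ($session as $key => $value) {
        if (!preg_match('/\A[A-Za-z0-9_]+\z/', (string)$key)) {
            throw new InvalidArgumentException("invalid session key");
        }
        $out .= $key . " " . base64_encode((string)$value) . "\n";
    }
    return $out;
}

// Reader for the hardened format: decode each value, drop malformed ones.
function parse_session_safe(string $data): array {
    $decoded = array_map(fn($v) => base64_decode($v, true), parse_session($data));
    return array_filter($decoded, fn($v) => $v !== false);
}

// Constructed input (the post's sample words): ONE key whose value holds a newline.
$stored = ["friends" => "love\nhappiness joy tranquility prosperity"];
// Naive round trip: the embedded newline is read back as a record boundary.
print_r(parse_session(serialize_naive($stored)));
// Hardened round trip: the value comes back intact under its original key.
print_r(parse_session_safe(serialize_safe($stored)));
```

The defect is that the storage format uses "\n" and " " as structure while allowing them inside values; encoding the value (or rejecting control characters on write) removes the ambiguity.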