# old-04 (300)

The page shows the form below.

![](/files/-LymG4H4zho-zaf129Pn)

Clicking view-source reveals the following code (excerpt).

```php
<?php
  sleep(1); // anti brute force
  if((isset($_SESSION['chall4'])) && ($_POST['key'] == $_SESSION['chall4'])) solve(4);
  $hash = rand(10000000,99999999)."salt_for_you";
  $_SESSION['chall4'] = $hash;
  for($i=0;$i<500;$i++) $hash = sha1($hash);
?><br>
<form method=post>
<table border=0 align=center cellpadding=10>
<tr><td colspan=3 style=background:silver;color:green;><b><?=$hash?></b></td></tr>
```

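`$_SESSION['chall4']` holds `{a random value from 10000000 to 99999999}salt_for_you`.

The value shown in green on the page is the result of hashing that value with SHA-1 500 times.

Recover the `$_SESSION['chall4']` value from the green text and submit it through the form to solve the challenge.

I built a rainbow table with the code below and got the answer.

It takes quite a while.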

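```python
import hashlib


def chain_hash(num):
    # Rebuild the session value, then apply SHA-1 500 times like the PHP loop
    # (each round hashes the previous round's hex digest).
    m = f'{num}salt_for_you'
    for _ in range(500):
        m = hashlib.sha1(m.encode('utf-8')).hexdigest()
    return m


# PHP's rand(min, max) includes both ends, so 99999999 must be covered too.
with open('old-04/dictionary.txt', 'w') as f:
    for num in range(10000000, 100000000):
        f.write(f'{num}: {chain_hash(num)}\n')
```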
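The lookup step, as an added example that is not part of the original write-up: it streams a table in the `num: hash` format written by the script above and returns the string to submit as `key`. The function names and the small sample table are constructed for illustration.

```python
import hashlib

SALT = "salt_for_you"  # from the challenge source
ROUNDS = 500           # from the challenge source


def displayed_hash(num):
    """Value the page shows for one rand() output: SHA-1 hex digest chained 500 times."""
    m = f"{num}{SALT}"
    for _ in range(ROUNDS):
        m = hashlib.sha1(m.encode("utf-8")).hexdigest()
    return m


def find_key(shown, lines):
    """Stream 'num: hash' lines and return the session value whose hash matches.

    Streaming avoids loading all 90,000,000 entries into memory.
    Returns None if the hash is not in the table (e.g. the table is incomplete).
    """
    shown = shown.strip().lower()
    for line in lines:
        num, sep, digest = line.strip().partition(": ")
        if sep and digest == shown:
            return f"{num}{SALT}"
    return None


def build_sample_table(start, count):
    """Constructed miniature table in the same line format as dictionary.txt."""
    return [f"{n}: {displayed_hash(n)}\n" for n in range(start, start + count)]


if __name__ == "__main__":
    # Constructed data: 50 entries instead of the full range, so this runs quickly.
    sample = build_sample_table(10000000, 50)
    shown = displayed_hash(10000042)  # stands in for the green value on the page
    print(find_key(shown, sample))    # the string to submit as `key`
    # Against the real file, pass the open file object instead of `sample`:
    #   with open("old-04/dictionary.txt") as f: find_key(shown, f)
```
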

