old-06 (100)

첫 화면이다.

view-source를 클릭해 본 코드는 아래와 같다.

<?php
include "../../config.php";
if($_GET['view_source']) view_source();
if(!$_COOKIE['user']){
  $val_id="guest";
  $val_pw="123qwe";
  for($i=0;$i<20;$i++){
    $val_id=base64_encode($val_id);
    $val_pw=base64_encode($val_pw);
  }
  $val_id=str_replace("1","!",$val_id);
  $val_id=str_replace("2","@",$val_id);
  $val_id=str_replace("3","$",$val_id);
  $val_id=str_replace("4","^",$val_id);
  $val_id=str_replace("5","&",$val_id);
  $val_id=str_replace("6","*",$val_id);
  $val_id=str_replace("7","(",$val_id);
  $val_id=str_replace("8",")",$val_id);

  $val_pw=str_replace("1","!",$val_pw);
  $val_pw=str_replace("2","@",$val_pw);
  $val_pw=str_replace("3","$",$val_pw);
  $val_pw=str_replace("4","^",$val_pw);
  $val_pw=str_replace("5","&",$val_pw);
  $val_pw=str_replace("6","*",$val_pw);
  $val_pw=str_replace("7","(",$val_pw);
  $val_pw=str_replace("8",")",$val_pw);

  Setcookie("user",$val_id,time()+86400,"/challenge/web-06/");
  Setcookie("password",$val_pw,time()+86400,"/challenge/web-06/");
  echo("<meta http-equiv=refresh content=0>");
  exit;
}
?>
<html>
<head>
<title>Challenge 6</title>
<style type="text/css">
body { background:black; color:white; font-size:10pt; }
</style>
</head>
<body>
<?php
$decode_id=$_COOKIE['user'];
$decode_pw=$_COOKIE['password'];

$decode_id=str_replace("!","1",$decode_id);
$decode_id=str_replace("@","2",$decode_id);
$decode_id=str_replace("$","3",$decode_id);
$decode_id=str_replace("^","4",$decode_id);
$decode_id=str_replace("&","5",$decode_id);
$decode_id=str_replace("*","6",$decode_id);
$decode_id=str_replace("(","7",$decode_id);
$decode_id=str_replace(")","8",$decode_id);

$decode_pw=str_replace("!","1",$decode_pw);
$decode_pw=str_replace("@","2",$decode_pw);
$decode_pw=str_replace("$","3",$decode_pw);
$decode_pw=str_replace("^","4",$decode_pw);
$decode_pw=str_replace("&","5",$decode_pw);
$decode_pw=str_replace("*","6",$decode_pw);
$decode_pw=str_replace("(","7",$decode_pw);
$decode_pw=str_replace(")","8",$decode_pw);

for($i=0;$i<20;$i++){
  $decode_id=base64_decode($decode_id);
  $decode_pw=base64_decode($decode_pw);
}

echo("<hr><a href=./?view_source=1 style=color:yellow;>view-source</a><br><br>");
echo("ID : $decode_id<br>PW : $decode_pw<hr>");

if($decode_id=="admin" && $decode_pw=="nimda"){
  solve(6);
}
?>
</body>
</html>

코드 위쪽의 $val_id 와 $var_pw 를 구하는 부분을 취하여 초기값을 guest , 123qwe 가 아니라 admin , nimda 로 하여 값을 다시 구한다.

구한 값으로 user와 password라는 이름의 쿠키의 값을 설정하면 문제가 풀린다.

Previousold-05 (300)Nextold-07 (300)

Last updated 5 years ago

Was this helpful?

<?php include "../../config.php"; if($_GET['view_source']) view_source(); if(!$_COOKIE['user']){ $val_id="guest"; $val_pw="123qwe"; for($i=0;$i<20;$i++){ $val_id=base64_encode($val_id); $val_pw=base64_encode($val_pw); } $val_id=str_replace("1","!",$val_id); $val_id=str_replace("2","@",$val_id); $val_id=str_replace("3","$",$val_id); $val_id=str_replace("4","^",$val_id); $val_id=str_replace("5","&",$val_id); $val_id=str_replace("6","*",$val_id); $val_id=str_replace("7","(",$val_id); $val_id=str_replace("8",")",$val_id); $val_pw=str_replace("1","!",$val_pw); $val_pw=str_replace("2","@",$val_pw); $val_pw=str_replace("3","$",$val_pw); $val_pw=str_replace("4","^",$val_pw); $val_pw=str_replace("5","&",$val_pw); $val_pw=str_replace("6","*",$val_pw); $val_pw=str_replace("7","(",$val_pw); $val_pw=str_replace("8",")",$val_pw); Setcookie("user",$val_id,time()+86400,"/challenge/web-06/"); Setcookie("password",$val_pw,time()+86400,"/challenge/web-06/"); echo("<meta http-equiv=refresh content=0>"); exit; } ?> <html> <head> <title>Challenge 6</title> <style type="text/css"> body { background:black; color:white; font-size:10pt; } </style> </head> <body> <?php $decode_id=$_COOKIE['user']; $decode_pw=$_COOKIE['password']; $decode_id=str_replace("!","1",$decode_id); $decode_id=str_replace("@","2",$decode_id); $decode_id=str_replace("$","3",$decode_id); $decode_id=str_replace("^","4",$decode_id); $decode_id=str_replace("&","5",$decode_id); $decode_id=str_replace("*","6",$decode_id); $decode_id=str_replace("(","7",$decode_id); $decode_id=str_replace(")","8",$decode_id); $decode_pw=str_replace("!","1",$decode_pw); $decode_pw=str_replace("@","2",$decode_pw); $decode_pw=str_replace("$","3",$decode_pw); $decode_pw=str_replace("^","4",$decode_pw); $decode_pw=str_replace("&","5",$decode_pw); $decode_pw=str_replace("*","6",$decode_pw); $decode_pw=str_replace("(","7",$decode_pw); $decode_pw=str_replace(")","8",$decode_pw); for($i=0;$i<20;$i++){ $decode_id=base64_decode($decode_id); $decode_pw=base64_decode($decode_pw); } echo("<hr><a href=./?view_source=1 style=color:yellow;>view-source</a><br><br>"); echo("ID : $decode_id<br>PW : $decode_pw<hr>"); if($decode_id=="admin" && $decode_pw=="nimda"){ solve(6); } ?> </body> </html>