Skip to content

Latest commit

 

History

History
52 lines (37 loc) · 1.3 KB

challenge-39.md

File metadata and controls

52 lines (37 loc) · 1.3 KB

Challenge

<?php
    if (isset($_GET['view-source'])) {
        show_source(__FILE__);
        exit();
    }
    include("./inc.php"); // key & database config
 
    function err($str){ die("<script>alert(\"$str\");window.location.href='./';</script>"); }
 
    $nonce = mt_rand();
 
    extract($_GET); // this is my backdoor 🙂
     
    if (empty($_POST['key'])) {
 
        err("Parameter Missing!");
    }
 
    if ($_POST['key'] !== $key) {
        err("You Are Not Authorized!");
    }
 
    $conn = mysql_connect($host, $user, $pass);
 
    if (!$conn) {
        err("Database Error, Please Contact with GameMaster!");
    }
 
    $query = isset($_POST['query']) ? bin2hex($_POST['query']) : "SELECT flag FROM forward.flag";
    $res = mysql_query($query);
    if (FALSE == $res) {
        err("Database Error, Please Contact with GameMaster!");
    }
 
    $row = mysql_fetch_array($res);
 
    if ($debug) {
        echo "HOST:\t{$host}<br/>";
        echo "USER:\t{$user}<br/>";
    }
 
    echo "<del>FLAG:\t0ctf{</del>" . sha1($nonce . md5($row['flag'])) . "<del>}</del><br/>"; // not real flag
 
    mysql_close($conn);

Solution

Refference