Type: web
URL: http://www.shiyanbar.com/ctf/1808
Attack: Vim swap (cache) file leak
Description:
A leftover Vim swap file, .submit.php.swp, is exposed on the web server.
Writeup:
Viewing the page source reveals two suspicious meta tags:
<meta name="admin" content="[email protected]" />
<meta name="editor" content="Vim" />
The "editor" tag suggests a leftover Vim swap file. Guessing /.step1.php.swp, /.step2.php.swp, /.step3.php.swp, /.index.php.swp and /.submit.php.swp, the request for /.submit.php.swp returns content.
The recovered file contains the following checks:
if(strlen($token)!=10) die('fail');
if($token!='0') die('fail');
$sql = "SELECT count(*) as num from `user` where token='$token' AND email='$emailAddress'";
Analysis: the token must be a 10-character string that still compares equal to '0' under PHP's loose comparison (!=), which happens for a numeric string beginning with 0, so token = '0e12345678' satisfies both checks.
The file also notes "if the login e-mail address is not the administrator's, die()", so the e-mail address must be [email protected].
Final payload:
/ 10 /upload/[email protected]&token=0e12345678
FLAG
SimCTF {huachuan_TdsWX}
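As an added example (not the challenge's or the writeup's own code), the token check quoted above is shown next to a strict version and a parameterised form of the query; the function names and the PDO handle are assumed.

```php
<?php
// Added example, not code from the writeup or the challenge: the loose
// comparison quoted above beside a hardened version, plus the user lookup
// as a prepared statement. Function names and the PDO handle are assumed.

// Vulnerable logic as leaked in .submit.php.swp. '0e12345678' and '0' are
// both numeric strings, so != compares them as numbers (0.0 vs 0) and the
// second check passes for a 10-character token that is not literally "0".
function vulnerableCheck(string $token): bool
{
    if (strlen($token) != 10) {
        return false;                  // die('fail') in the original
    }
    if ($token != '0') {               // loose comparison: numeric strings coerce
        return false;                  // die('fail') in the original
    }
    return true;                       // control reaches the SQL query
}

// Hardened: !== never coerces, so '0e12345678' !== '0' holds and the check
// fails. Under strict comparison no 10-character string equals '0', which
// shows the original pair of conditions was only satisfiable via juggling.
function strictCheck(string $token): bool
{
    if (strlen($token) !== 10) {
        return false;
    }
    if ($token !== '0') {
        return false;
    }
    return true;
}

// The lookup the writeup shows built by string interpolation, rewritten
// with bound parameters so neither $token nor $email can alter the query.
function countUser(PDO $db, string $token, string $email): int
{
    $stmt = $db->prepare(
        'SELECT count(*) AS num FROM `user` WHERE token = :token AND email = :email'
    );
    $stmt->execute([':token' => $token, ':email' => $email]);
    return (int) $stmt->fetchColumn();
}

var_dump(vulnerableCheck('0e12345678'), strictCheck('0e12345678'));
```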