Deskripsi soalnya:
Setelah diklik:
Ketika level 6 diklik, muncul source codenya:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <head> | |
| <title>level6</title> | |
| <link rel='stylesheet' href='style.css' type='text/css'> | |
| </head> | |
| <body> | |
| <?php | |
| require 'flag.php'; | |
| if (isset ($_GET['password'])) { | |
| if (ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE) | |
| echo '<p class="alert">You password must be alphanumeric</p>'; | |
| else if (strpos ($_GET['password'], '--') !== FALSE) | |
| die('Flag: ' . $flag); | |
| else | |
| echo '<p class="alert">Invalid password</p>'; | |
| } | |
| ?> | |
| <section class="login"> | |
| <div class="title"> | |
| <a href="./index.txt">Level 6</a> | |
| </div> | |
| <form method="get"> | |
| <input type="text" required name="password" placeholder="Password" /><br/> | |
| <input type="submit"/> | |
| </form> | |
| </section> | |
| </body> | |
| </html> | |
Cara bypass ereg cukup mudah, tambahkan saja “% 00”, jadi querynya ?password=a% 00--
(harusnya tanpa spasi, entah kenapa kalau tanpa spasi, terremove oleh blogger, padahal %01 %02 gpp ) Dan hasilnya
Masalah ereg dengan ini adalah bug yang dianggap bukan bug.
No comments:
Post a Comment