<?php if (extract_teamname_from_cookie("hackme") === false) { exit; } define('SHPA_WEB_PAGE_TO_ROOT', ''); require_once SHPA_WEB_PAGE_TO_ROOT . 'function.php'; shpaEchoHeader(); shpaCheckAuth(); // The page we wish to display $file = $_GET['page']; $attachment_location = $_SERVER["DOCUMENT_ROOT"] . "/hack.me/" . base64_decode($file); //die($attachment_location); if (file_exists($attachment_location)) { if (strpos(realpath($attachment_location), "/var/www/") !== 0) { die; } header($_SERVER["SERVER_PROTOCOL"] . " 200 OK"); header("Cache-Control: public"); // needed for i.e. header("Content-Transfer-Encoding: Binary"); header("Content-Length:" . filesize($attachment_location)); header("Content-Disposition: attachment; filename=file.pdf"); header("Content-Type: application/pdf"); $data = file_get_contents($attachment_location); $data = sharifctf_internal_put_it($data, "hackme"); echo $data; die; } else { die("Error: File not found."); }
<?php //if (extract_teamname_from_cookie("technews") === false) // exit; if (isset($_GET["id"]) && strpos($_GET["id"], 'jpg') !== false) { # echo "$_GET["id"]"; header('Cache-control: private'); preg_match("/^php:\\/\\/.*resource=([^|]*)/i", trim($_GET["id"]), $matches); //die ("<pre>" . trim($_GET["id"])); //die ("<pre>///".print_r($matches, true)."///"); if (isset($matches[1])) { $_GET["id"] = $matches[1]; } if (file_exists("./" . $_GET["id"]) == false) { die("file not found"); } if (substr(realpath("./" . $_GET["id"]), 0, 24) != "/var/www/technology-news") { die("."); } header('Content-Type: image/jpg'); header('Content-Length: ' . filesize($_GET["id"])); header('Content-Disposition: filename=' . $_GET["id"]); $img_data = file_get_contents($_GET["id"]); $img_data = sharifctf_internal_put_it($img_data, "technews"); echo $img_data; } else { echo "file not found"; }