Exemplo n.º 1
<?php

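// Gate: stop before doing anything else when no team name can be derived from
// the "hackme" cookie.
// NOTE(review): this helper is called before function.php is loaded, so it is
// presumably defined elsewhere (e.g. a prepended file) — confirm.
if (extract_teamname_from_cookie("hackme") === false) {
    exit;
}
define('SHPA_WEB_PAGE_TO_ROOT', '');
require_once SHPA_WEB_PAGE_TO_ROOT . 'function.php';
shpaEchoHeader();
shpaCheckAuth();

// ?page= carries the base64-encoded name of the file to download. It is
// request-controlled, so it is validated before it is used as a path:
// it must be a string, decode cleanly in strict mode, and contain no NUL byte.
$file = isset($_GET['page']) ? $_GET['page'] : null;
$relative_path = is_string($file) ? base64_decode($file, true) : false;
if ($relative_path === false || $relative_path === '' || strpos($relative_path, "\0") !== false) {
    die("Error: File not found.");
}

// Canonicalise both the download directory and the requested file, then require
// the file to sit inside that directory. The previous check only compared the
// resolved path with "/var/www/", which accepts every file under the web root
// (other sites, application source, configuration), not just this directory.
// The trailing separator keeps a sibling such as "hack.me-old" from matching.
$download_root = realpath($_SERVER["DOCUMENT_ROOT"] . "/hack.me");
$attachment_location = realpath($_SERVER["DOCUMENT_ROOT"] . "/hack.me/" . $relative_path);

// One response for "missing", "not a regular file" and "outside the download
// directory", so the reply does not reveal which paths exist elsewhere.
if ($download_root === false
    || $attachment_location === false
    || strpos($attachment_location, $download_root . DIRECTORY_SEPARATOR) !== 0
    || !is_file($attachment_location)
) {
    die("Error: File not found.");
}

// Read before sending download headers so an unreadable file still gets the
// plain error response instead of PDF headers with an empty body.
$data = file_get_contents($attachment_location);
if ($data === false) {
    die("Error: File not found.");
}

header($_SERVER["SERVER_PROTOCOL"] . " 200 OK");
header("Cache-Control: public");
// needed for i.e.
header("Content-Transfer-Encoding: Binary");
// NOTE(review): the length is taken from the file on disk, while the body is
// first passed through sharifctf_internal_put_it(); if that helper changes the
// size, this header is wrong — confirm.
header("Content-Length:" . filesize($attachment_location));
header("Content-Disposition: attachment; filename=file.pdf");
header("Content-Type: application/pdf");
// Project helper; what it does to the payload is not visible in this file.
$data = sharifctf_internal_put_it($data, "hackme");
echo $data;
die;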
Exemplo n.º 2
Arquivo: images.php Projeto: hxer/ctf
<?php

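// The team-cookie gate is disabled in this script, so the endpoint answers
// without it:
//if (extract_teamname_from_cookie("technews") === false)
//    exit;

// ?id= is request-controlled. It must be a string containing "jpg" to be
// considered at all; that substring test is only a coarse pre-filter, the real
// checks are done on the canonical path below.
if (isset($_GET["id"]) && is_string($_GET["id"]) && strpos($_GET["id"], 'jpg') !== false) {
    header('Cache-control: private');

    // If the value is written as a php:// stream URL, only its resource= part
    // is kept and treated as the path.
    $path = $_GET["id"];
    if (preg_match("/^php:\\/\\/.*resource=([^|]*)/i", trim($path), $matches) === 1 && isset($matches[1])) {
        $path = $matches[1];
    }

    // Resolve the path once and use that single canonical value for every
    // check AND for the read. The earlier code validated "./" . id but then
    // opened the bare id, so the string that was checked was not the string
    // that was read.
    $image_root = "/var/www/technology-news";
    $resolved = strpos($path, "\0") === false ? realpath("./" . $path) : false;
    $extension = $resolved === false ? '' : strtolower(pathinfo($resolved, PATHINFO_EXTENSION));

    // Containment uses the root plus a trailing "/", so a sibling directory
    // whose name merely starts with "technology-news" is rejected. The
    // extension is checked on the resolved file because the response is
    // labelled image/jpg. All failures share one response so the reply does
    // not reveal which paths exist outside the image tree.
    if ($resolved === false
        || strpos($resolved, $image_root . "/") !== 0
        || !is_file($resolved)
        || !in_array($extension, ['jpg', 'jpeg'], true)
    ) {
        die("file not found");
    }

    $img_data = file_get_contents($resolved);
    if ($img_data === false) {
        die("file not found");
    }

    header('Content-Type: image/jpg');
    // NOTE(review): length comes from the file on disk, but the body is passed
    // through sharifctf_internal_put_it() first; if that helper changes the
    // size, this header is wrong — confirm.
    header('Content-Length: ' . filesize($resolved));
    // Never reflect the raw request value into a header: send only the file's
    // base name, reduced to a conservative character set.
    // NOTE(review): the header has no disposition type ("inline"/"attachment")
    // before filename=; kept as found — confirm what clients expect.
    $download_name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($resolved));
    header('Content-Disposition: filename=' . $download_name);
    // Project helper; what it does to the payload is not visible in this file.
    $img_data = sharifctf_internal_put_it($img_data, "technews");
    echo $img_data;
} else {
    echo "file not found";
}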