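<?php
/**
 * Download endpoint for the "hackme" site.
 *
 * Reads a base64-encoded relative path from the `page` query parameter,
 * resolves it below DOCUMENT_ROOT/hack.me/ and streams the file back as an
 * attachment named file.pdf after passing its contents through
 * sharifctf_internal_put_it().
 *
 * `page` is attacker-controlled, so the resolved path is confined to the
 * download directory itself. A bare "/var/www/" prefix test is not enough:
 * it accepts any readable file under the web root (application source,
 * configuration), because ".." segments in the decoded value are collapsed
 * by realpath() before the comparison.
 */

// Stop unless the helper (defined elsewhere) accepts the cookie for "hackme".
if (extract_teamname_from_cookie("hackme") === false) {
    exit;
}

define('SHPA_WEB_PAGE_TO_ROOT', '');
require_once SHPA_WEB_PAGE_TO_ROOT . 'function.php';

// NOTE(review): if shpaEchoHeader() emits output, the header() calls below
// only work with output buffering enabled - confirm.
shpaEchoHeader();
shpaCheckAuth();

// The page we wish to display. Reject a missing or non-string parameter
// (e.g. page[]=...) and anything that is not well-formed base64.
$file = isset($_GET['page']) ? $_GET['page'] : null;
$relative_path = is_string($file) ? base64_decode($file, true) : false;

if ($relative_path === false || $relative_path === '' || strpos($relative_path, "\0") !== false) {
    die("Error: File not found.");
}

// Canonicalise both the allowed directory and the requested file so that the
// comparison below is made on real paths (symlinks and ".." resolved).
$base_dir = realpath($_SERVER["DOCUMENT_ROOT"] . "/hack.me");
$attachment_location = realpath($_SERVER["DOCUMENT_ROOT"] . "/hack.me/" . $relative_path);

// realpath() returns false for paths that do not exist; directories are not
// downloadable either.
if ($base_dir === false || $attachment_location === false || !is_file($attachment_location)) {
    die("Error: File not found.");
}

// Coarse guard kept from the original script: never serve outside /var/www/.
if (strpos($attachment_location, "/var/www/") !== 0) {
    die;
}

// Actual confinement: the file must live inside the download directory. The
// trailing separator stops sibling directories such as "hack.me-old" from
// matching the prefix.
if (strpos($attachment_location, $base_dir . DIRECTORY_SEPARATOR) !== 0) {
    die;
}

// Read before any header is sent so a failed read does not go out as 200 OK.
$data = file_get_contents($attachment_location);
if ($data === false) {
    die("Error: File not found.");
}

header($_SERVER["SERVER_PROTOCOL"] . " 200 OK");
header("Cache-Control: public"); // needed for i.e.
header("Content-Transfer-Encoding: Binary");
// NOTE(review): the length is taken from the file on disk; if
// sharifctf_internal_put_it() changes the size of the data, this header will
// not match the body - confirm against the helper.
header("Content-Length:" . filesize($attachment_location));
header("Content-Disposition: attachment; filename=file.pdf");
header("Content-Type: application/pdf");

$data = sharifctf_internal_put_it($data, "hackme");
echo $data;
die;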
<?php /* Access gate for the "technews" pages: when extract_teamname_from_cookie() (defined elsewhere) returns false, the script stops after emitting three newlines, so none of the markup below is sent. NOTE(review): presumably the helper validates a per-team cookie - confirm against its definition. The markup that follows is static apart from the search form, which submits the "query" field to search.php via GET. */ if (extract_teamname_from_cookie("technews") === false) { die("\n\n\n"); } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Technology News</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link href="style.css" rel="stylesheet" type="text/css" /> </head> <body> <div id="wrap"> <div id="header"> <div id="topbar"> <h1 id="sitename"><a href="index.php">Technology<span>News</span></a><span></span></h1> <form action="search.php" method="get"> <div id="topsearch"> <input type="text" name="query" size="25" /> </div> </form> </div> <div id="headercontent"> <h2 id="description">Technology News</h2> <div id="headerlinks"><img src="files/images/rss.jpg" alt="" width="128" height="70" /></div> </div> <div id="topnav"> <ul> <li class="active"><a href="index.php">Home</a></li>