WebHacking.kr Challenge old-06

<?php include "../../config.php"; if($_GET['view_source']) view_source(); if(!$_COOKIE['user']){ $val_id="guest"; $val_pw="123qwe"; for($i=0;$i<20;$i++){ $val_id=base64_encode($val_id); $val_pw=base64_encode($val_pw); } $val_id=str_replace("1","!",$val_id); $val_id=str_replace("2","@",$val_id); $val_id=str_replace("3","$",$val_id); $val_id=str_replace("4","^",$val_id); $val_id=str_replace("5","&",$val_id); $val_id=str_replace("6","*",$val_id); $val_id=str_replace("7","(",$val_id); $val_id=str_replace("8",")",$val_id); $val_pw=str_replace("1","!",$val_pw); $val_pw=str_replace("2","@",$val_pw); $val_pw=str_replace("3","$",$val_pw); $val_pw=str_replace("4","^",$val_pw); $val_pw=str_replace("5","&",$val_pw); $val_pw=str_replace("6","*",$val_pw); $val_pw=str_replace("7","(",$val_pw); $val_pw=str_replace("8",")",$val_pw); Setcookie("user",$val_id,time()+86400,"/challenge/web-06/"); Setcookie("password",$val_pw,time()+86400,"/challenge/web-06/"); echo("<meta http-equiv=refresh content=0>"); exit; } ?> <html> <head> <title>Challenge 6</title> <style type="text/css"> body { background:black; color:white; font-size:10pt; } </style> </head> <body> <?php $decode_id=$_COOKIE['user']; $decode_pw=$_COOKIE['password']; $decode_id=str_replace("!","1",$decode_id); $decode_id=str_replace("@","2",$decode_id); $decode_id=str_replace("$","3",$decode_id); $decode_id=str_replace("^","4",$decode_id); $decode_id=str_replace("&","5",$decode_id); $decode_id=str_replace("*","6",$decode_id); $decode_id=str_replace("(","7",$decode_id); $decode_id=str_replace(")","8",$decode_id); $decode_pw=str_replace("!","1",$decode_pw); $decode_pw=str_replace("@","2",$decode_pw); $decode_pw=str_replace("$","3",$decode_pw); $decode_pw=str_replace("^","4",$decode_pw); $decode_pw=str_replace("&","5",$decode_pw); $decode_pw=str_replace("*","6",$decode_pw); $decode_pw=str_replace("(","7",$decode_pw); $decode_pw=str_replace(")","8",$decode_pw); for($i=0;$i<20;$i++){ $decode_id=base64_decode($decode_id); $decode_pw=base64_decode($decode_pw); } echo("<hr><a href=./?view_source=1 style=color:yellow;>view-source</a><br><br>"); echo("ID : $decode_id<br>PW : $decode_pw<hr>"); if($decode_id=="admin" && $decode_pw=="nimda"){ solve(6); } ?> </body> </html>

if($decode_id=="admin" && $decode_pw=="nimda"){ solve(6);

$decode_id=$_COOKIE['user']; $decode_pw=$_COOKIE['password']; $decode_id=str_replace("!","1",$decode_id); $decode_id=str_replace("@","2",$decode_id); $decode_id=str_replace("$","3",$decode_id); $decode_id=str_replace("^","4",$decode_id); $decode_id=str_replace("&","5",$decode_id); $decode_id=str_replace("*","6",$decode_id); $decode_id=str_replace("(","7",$decode_id); $decode_id=str_replace(")","8",$decode_id); $decode_pw=str_replace("!","1",$decode_pw); $decode_pw=str_replace("@","2",$decode_pw); $decode_pw=str_replace("$","3",$decode_pw); $decode_pw=str_replace("^","4",$decode_pw); $decode_pw=str_replace("&","5",$decode_pw); $decode_pw=str_replace("*","6",$decode_pw); $decode_pw=str_replace("(","7",$decode_pw); $decode_pw=str_replace(")","8",$decode_pw); for($i=0;$i<20;$i++){ $decode_id=base64_decode($decode_id); $decode_pw=base64_decode($decode_pw); }

import base64 temp_id="admin" for i in range(0,20): temp_id = base64.b64encode(temp_id) temp_id.replace("1","!") temp_id.replace("2","@") temp_id.replace("3","$") temp_id.replace("4","^") temp_id.replace("5","&") temp_id.replace("6","*") temp_id.replace("7","(") temp_id.replace("8",")") print (temp_id)

import base64 temp_id="admin" temp_id = temp_id.encode('utf-8') for i in range(0,20): temp_id = base64.b64encode(temp_id) temp_id = temp_id.decode('utf-8') temp_id.replace("1","!") temp_id.replace("2","@") temp_id.replace("3","$") temp_id.replace("4","^") temp_id.replace("5","&") temp_id.replace("6","*") temp_id.replace("7","(") temp_id.replace("8",")") print (temp_id)