通过阅读源代码,发现只是简单地将cookie做了些字符替换,再用base64解码了20次。于是我们只需要反过来走一遍即可。大部分代码甚至可以直接用他。
<?php
$val_id="admin";
$val_pw="admin";
for($i=0;$i<20;$i++)
{
$val_id=base64_encode($val_id);
$val_pw=base64_encode($val_pw);
}
$val_id=str_replace("1","!",$val_id);
$val_id=str_replace("2","@",$val_id);
$val_id=str_replace("3","$",$val_id);
$val_id=str_replace("4","^",$val_id);
$val_id=str_replace("5","&",$val_id);
$val_id=str_replace("6","*",$val_id);
$val_id=str_replace("7","(",$val_id);
$val_id=str_replace("8",")",$val_id);
$val_pw=str_replace("1","!",$val_pw);
$val_pw=str_replace("2","@",$val_pw);
$val_pw=str_replace("3","$",$val_pw);
$val_pw=str_replace("4","^",$val_pw);
$val_pw=str_replace("5","&",$val_pw);
$val_pw=str_replace("6","*",$val_pw);
$val_pw=str_replace("7","(",$val_pw);
$val_pw=str_replace("8",")",$val_pw);
$url = "http://webhacking.kr/challenge/web/web-06/index.php";
$ch = curl_init();
$cookie = "PHPSESSID=ol8a0r79n9j5ocopvd542sslq0; user=" . $val_id . "; password=" . $val_pw;
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
curl_exec($ch);
curl_close($ch);
?>