showHeader();

# Highlighter BBCode
# With ?highlight=christmas the page prints its own source: the running
# script ($_SERVER['SCRIPT_FILENAME']) is read and rendered inside [PHP]
# BBCode tags, then the footer is included and the page ends early.
if (isset($_GET['highlight']) && $_GET['highlight'] === 'christmas') {
	echo GWF_Message::display('[PHP]'.file_get_contents($_SERVER['SCRIPT_FILENAME']).'[/PHP]');
	require_once('challenge/html_foot.php');
	return;
}

###############################
### Here is your exploit :) ###
###############################
# The three snippets below are stored as PHP source in strings. They are
# both displayed to the player (inside the mission box) and later evaluated.
#
# $code: builds $filename from the unvalidated ?file= parameter (default
# "welcome"), prefixed with 'pages/' and suffixed with '.html'. Because the
# user value is concatenated into a path without any whitelist or
# basename()/realpath() check, this is the deliberate local-file-inclusion
# weakness the challenge is about.
$code = '$filename = \'pages/\'.(isset($_GET["file"])?$_GET["file"]:"welcome").\'.html\';';
# $code_emulate_pnb: cuts $filename at the first NUL byte, so the fixed
# '.html' suffix can be dropped off — this reproduces the pre-5.3.4 null-byte
# truncation behaviour that newer PHP no longer has (see the comment below).
# Common::substrUntil is a project helper; its exact semantics are not
# visible here — TODO confirm it returns the prefix before the needle.
$code_emulate_pnb = '$filename = Common::substrUntil($filename, "\\0");'; # Emulate Poison Null Byte for PHP>=5.3.4
# $code2: includes whatever path ended up in $filename. Only displayed in
# this span; it is not part of the eval() call visible below.
$code2 = 'include $filename;';
### End of exploit ###

# Show the mission box
# Example links and "show source" links substituted into the lang('info')
# text. The example URLs are passed through htmlspecialchars() before being
# placed in the HTML output.
$url = 'index.php?file=';
$ex = array('welcome', 'news', 'forums');
$showsrc1 = 'index.php?show=source';
$showsrc2 = 'index.php?highlight=christmas';
foreach ($ex as $i => $e) {
	$ex[$i] = htmlspecialchars($url.$e);
}
echo GWF_Box::box($chall->lang('info', array(GWF_Message::display('[PHP]'.$code.PHP_EOL.$code2.'[/PHP]'), '../solution.php', $showsrc1, $showsrc2, $ex[0], $ex[1], $ex[2])), $chall->lang('title'));

# Execute the code, using eval.
# Both GWF_Debug switches are turned off first — presumably so that errors
# raised by the deliberately unsafe snippets neither abort the page nor
# trigger error mails; confirm against GWF_Debug.
GWF_Debug::setDieOnError(false);
GWF_Debug::setMailOnError(false);
# Note: the string passed to eval() is a compile-time constant; the
# attacker-controlled value is $_GET['file'], which only flows into
# $filename (and from there into the include), not into eval() itself.
eval($code.$code_emulate_pnb); # eval the first line
echo '