It has source code!
http://52.34.159.157/web200/source.php
Vulnerability 1: extract
Do not use this function in production, please.
extract($_POST);
Vulnerability 2: PHP type juggling error, which makes an MD5 magic hash work
if ($password == $secret_password) {
    require 'secret.php';
    $hash_file = substr(md5($secret . $filename), 0, 6);
    if ($_POST['hash'] == $hash_file) {
        echo file_get_contents($filename);
    }
}
If md5($secret.$filename) starts with something like 0e1234 and $_POST['hash'] is 0, then, since '0' == '0e1234' in PHP (both are numeric strings, so == compares them as numbers), it prints the file contents of $filename.
Since I don't know the secret, I just brute forced without knowing the actual hash.
I've attached the exploit code.
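For comparison, a hardened form of the two checks above, as an added example that is not part of the original write-up or the challenge source. The constants are constructed placeholders, and the field names password and filename are assumed from the variables in the excerpt.

```php
<?php
declare(strict_types=1);
// Added example (not the challenge's code): hardened form of the two checks.
// Both constants are constructed placeholders; the page never shows the real values.
const SECRET = 'constructed-placeholder-secret';
const SECRET_PASSWORD = 'constructed-placeholder-password';

/** Read one field explicitly instead of extract(); arrays and missing keys give null. */
function post_string(array $post, string $key): ?string
{
    $value = $post[$key] ?? null;
    return is_string($value) ? $value : null;
}

/** Full-length keyed tag for a filename, replacing the 6-character MD5 prefix. */
function file_tag(string $filename): string
{
    return hash_hmac('sha256', $filename, SECRET);
}

/** True only if password and tag match as whole strings, compared in constant time. */
function is_authorized(array $post): bool
{
    $password = post_string($post, 'password');
    $filename = post_string($post, 'filename');
    $hash     = post_string($post, 'hash');
    if ($password === null || $filename === null || $hash === null) {
        return false;
    }
    // Evaluate both checks so the result does not depend on which one failed first.
    $passwordOk = hash_equals(SECRET_PASSWORD, $password);
    $tagOk      = hash_equals(file_tag($filename), $hash);
    return $passwordOk && $tagOk;
}

// Constructed requests: the '0' hash from the write-up, an attempt to overwrite
// $secret_password the way extract($_POST) allows, and a correctly tagged request.
$magic    = ['password' => SECRET_PASSWORD, 'filename' => 'a.txt', 'hash' => '0'];
$override = ['secret_password' => 'x', 'password' => 'x', 'filename' => 'a.txt', 'hash' => '0'];
$valid    = ['password' => SECRET_PASSWORD, 'filename' => 'a.txt', 'hash' => file_tag('a.txt')];

var_dump('0' == '0e1234');   // the loose comparison the original check relies on
var_dump('0' === '0e1234');  // the same operands under strict comparison
var_dump(is_authorized($magic), is_authorized($override), is_authorized($valid));
```

Strict comparison alone already stops the '0' match; hash_equals additionally avoids timing differences, and the untruncated HMAC removes the small search space of a 6-character prefix.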