It has source code!
Vulnerability 1: extract
Do not use this function in production, please.
Vulnerability 2: PHP type juggling error, which makes MD5 magic hashes work

    if ($password == $secret_password) {
      require 'secret.php';
      $hash_file = substr(md5($secret . $filename), 0, 6);
      if ($_POST['hash'] == $hash_file) {
        echo file_get_contents($filename);

If md5($secret . $filename) starts with something like 0e1234 and $_POST['hash'] is 0, the file contents of $filename are printed, since '0' == '0e1234' in PHP.
Since I don't know the secret, I just brute-forced it without knowing the actual hash.

I've attached the exploit code.
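
The loose comparison from the excerpt next to a hardened check, as an added example that is not part of the original writeup or the challenge source. The secret, the file names and the helper names check_loose and check_strict are constructed for illustration.

```php
<?php
// Added example: constructed secret and file names, not the challenge's values.
$secret = 'constructed-secret';

// The check as written in the excerpt: loose comparison, so two numeric
// strings are compared as numbers ('0' and '0e1234' are both zero).
function check_loose($submitted, string $expected): bool {
    return $submitted == $expected;
}

// Hardened check: reject non-strings (e.g. an array from hash[]=...) and
// compare the bytes in constant time with hash_equals().
function check_strict($submitted, string $expected): bool {
    return is_string($submitted) && hash_equals($expected, $submitted);
}

// Constructed 6-character values of the kind substr(md5(...), 0, 6) can return.
$samples = ['0e1234', '00e123', '000000', '0e12ab', 'a1b2c3'];
foreach ($samples as $expected) {
    printf("%s  loose=%s  strict=%s\n", $expected,
        var_export(check_loose('0', $expected), true),
        var_export(check_strict('0', $expected), true));
}

// Measure how often a truncated MD5 is a numeric string equal to zero.
// Qualifying values are '000000' and one to four zeros, 'e', then digits:
// 1 + 10 + 100 + 1000 + 10000 = 11111 of the 16^6 possible prefixes.
$hits = 0;
$total = 200000;
for ($i = 0; $i < $total; $i++) {
    $prefix = substr(md5($secret . "file$i.txt"), 0, 6);
    if (check_loose('0', $prefix)) {
        $hits++;
    }
}
printf("%d of %d truncated hashes loosely equal '0'\n", $hits, $total);
```

Truncating the hash to 6 characters is what makes the numeric forms common; the strict check removes the type-juggling bypass regardless of the prefix.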


Original writeup (https://github.com/Jinmo/ctfs/blob/master/xiomara2017/web200.py).