
I spent a great deal of time using index.php and README as filename parameters, and using the contents of those files as the password attempt. This attack worked in my local environment, but not on the live CTF. It took a while to realize that `file_get_contents('nonexistent') === ''`, raising no exceptions.


I used README and just manually stripped out all the whitespace. It worked fine. But a non-existent file is way more elegant I suppose.


file_get_contents('nonexistent') actually returns false, but calling trim() on that coerced it into an empty string.
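
The coercion described in the last comment, shown next to a check that fails closed. This is an added example, not code from the thread or from the CTF; the function names `check_weak` and `check_strict`, the temp-file layout and the sample secret are assumptions made for illustration.

```php
<?php
// Constructed example: function names, paths and the sample secret are hypothetical.

// Weak check: a missing secret file silently becomes an empty secret.
function check_weak(string $path, string $attempt): bool
{
    // file_get_contents() returns false (and raises an E_WARNING, suppressed
    // here with @) when the file cannot be read; trim() coerces false to ''.
    $secret = trim(@file_get_contents($path));
    return $attempt === $secret;
}

// Hardened check: treat a read failure or an empty secret as a denial.
function check_strict(string $path, string $attempt): bool
{
    $raw = @file_get_contents($path);
    if ($raw === false) {
        return false; // missing or unreadable file: deny
    }
    $secret = trim($raw);
    if ($secret === '') {
        return false; // an empty secret never authenticates anyone
    }
    return hash_equals($secret, $attempt); // constant-time comparison
}

// A path that does not exist, and a real secret file for comparison.
$missing = sys_get_temp_dir() . '/no-such-secret-' . bin2hex(random_bytes(4));
$present = tempnam(sys_get_temp_dir(), 'sec');
file_put_contents($present, "s3cret-value\n"); // constructed sample secret

foreach ([[$missing, ''], [$present, 's3cret-value'], [$present, '']] as [$path, $attempt]) {
    printf(
        "exists=%s attempt=%s weak=%s strict=%s\n",
        var_export(file_exists($path), true),
        var_export($attempt, true),
        var_export(check_weak($path, $attempt), true),
        var_export(check_strict($path, $attempt), true)
    );
}

unlink($present);
```

Under `declare(strict_types=1)` the `trim(false)` call raises a `TypeError` instead of coercing, so the weak version would fail loudly rather than accept an empty attempt.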



