<?php
  
include "../../config.php";
  if(
$_GET['view_source']) view_source();
?><html>
<head>
<title>Challenge 37</title>
</head>
<body>
<?php
  $db 
dbconnect();
  
$query "select flag from challenge where idx=37";
  
$flag mysqli_fetch_array(mysqli_query($db,$query))['flag'];
  
$time time();

  
$p fopen("./tmp/tmp-{$time}","w");
  
fwrite($p,"127.0.0.1");
  
fclose($p);

  
$file_nm $_FILES['upfile']['name'];
  
$file_nm str_replace("<","",$file_nm);
  
$file_nm str_replace(">","",$file_nm);
  
$file_nm str_replace(".","",$file_nm);
  
$file_nm str_replace("/","",$file_nm);
  
$file_nm str_replace(" ","",$file_nm);

  if(
$file_nm){
    
$p fopen("./tmp/{$file_nm}","w");
    
fwrite($p,$_SERVER['REMOTE_ADDR']);
    
fclose($p);
  }

  echo 
"<pre>";
  
$dirList scandir("./tmp");
  for(
$i=0;$i<=count($dirList);$i++){
    echo 
"{$dirList[$i]}\n";
  }
  echo 
"</pre>";

  
$host file_get_contents("tmp/tmp-{$time}");

  
$request "GET /?{$flag} HTTP/1.0\r\n";
  
$request .= "Host: {$host}\r\n";
  
$request .= "\r\n";

  
$socket fsockopen($host,7777,$errstr,$errno,1);
  
fputs($socket,$request);
  
fclose($socket);

  if(
count($dirList) > 20system("rm -rf ./tmp/*");
?>
<form method=post enctype="multipart/form-data" action=index.php>
<input type=file name=upfile><input type=submit>
</form>
<a href=./?view_source=1>view-source</a>
</body>
</html>