What’s the secret? Let’s find out!
This time they give us the source code to index.php to look at. This is because when you right click > view source on a php page in your browser, only the html is visible, and not the php code. The source looks like this:
So we can see the the data we submit in the form is referred to as $_POST[‘secret’]. It is being compared to a variable called $secret, and if the two are equal then access is granted. So if we know the value of $secret we know what to enter in the form to be authenticated. But wait, what is the value of $secret? It doesn’t appear to be set anywhere in the source code.
Well this is line looks interesting:
What this is saying is, include the contents of “secret.inc” into the source code of index.php, as if it were actually copy/pasted in there. For those familiar with C this is similar to including header files.
I wonder if there are any secrets in secret.inc:
When I loaded the file in my browser it appeared to just be a blank page, but when I hit view source $secret was revealed!