本文介绍了在Zer0pts2020挑战中如何利用basename函数和正则匹配进行绕过,详细解析了源码中的正则验证逻辑,并展示了如何通过在URL末尾添加%ff来构造payload,成功绕过限制并获取config.php的源码。
知识点:
bypass绕过
具体绕过:
basename(),$_SERVER['PHP_SELF']和正则匹配
解题过程:
打开source发现源码
源码:
<?php
include 'config.php'; // FLAG is defined in config.php
if (preg_match('/config\.php\/*$/i', $_SERVER['PHP_SELF'])) {
exit("I don't know what you are thinking, but I won't let you read it :)");
}
if (isset($_GET['source'])) {
highlight_file(basename($_SERVER['PHP_SELF']));
exit();
}
$secret = bin2hex(random_bytes(64));
if (isset($_POST['guess'])) {
$guess = (string) $_POST['guess'];
if (hash_equals($secret, $guess)) {
$message = 'Congratulations! The flag is: ' . FLAG;
} else {
$message = 'Wrong.';
最低0.47元/天 解锁文章
287
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
