[GDOUCTF 2023]受不了一点(变量覆盖)
<?php
// CTF challenge script: a chain of request checks that ends by printing $flag.
// Every input here ($_POST, $_GET, $_COOKIE) is client-controlled.
// The comments below point out the weak checks from a reviewer's point of view.

// All error output is suppressed, so the notices/warnings triggered further down are never shown.
error_reporting(0);
header("Content-type:text/html;charset=utf-8");
// Stage 1: both POST fields must be present.
if(isset($_POST['gdou'])&&isset($_POST['ctf'])){
$b=$_POST['ctf'];
$a=$_POST['gdou'];
// Stage 2: the two values must differ under loose `!=` while md5() of each is identical under `===`.
// NOTE(review): neither value is checked with is_string() before hashing; request
// parameters are not guaranteed to be strings, so validate the type first.
if($_POST['gdou']!=$_POST['ctf'] && md5($a)===md5($b)){
// Stage 3: a cookie named 'cookie' must exist and loosely equal 'j0k3r'.
// A cookie value is supplied by the client, so this is not an authentication control.
if(isset($_COOKIE['cookie'])){
if ($_COOKIE['cookie']=='j0k3r'){
// Stage 4: both query parameters must be present.
if(isset($_GET['aaa']) && isset($_GET['bbb'])){
$aaa=$_GET['aaa'];
$bbb=$_GET['bbb'];
// Both values are compared loosely (`==`) with the integer 114514 and must also differ
// loosely from each other. Loose comparison applies PHP type juggling to the query
// strings, so this is not an exact-match check; `===` on validated types would be.
if($aaa==114514 && $bbb==114514 && $aaa!=$bbb){
$give = 'cancanwordflag';
$get ='hacker!';
// Stop with $give when no 'flag' parameter was sent in either GET or POST.
if(!isset($_GET['flag']) && !isset($_POST['flag'])){
die($give);
}
// Stop with $get when either 'flag' parameter is exactly the string 'flag'.
// A missing key is read here without isset(); the resulting notice is hidden by error_reporting(0).
if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){
die($get);
}
// Variable variables: every POST parameter name becomes a variable in this scope,
// set to that parameter's value. The client can therefore create or overwrite any
// variable here ($give, $get, $flag, ...) - the same weakness class as extract() on request data.
// Safer pattern: read only the specific keys the script needs.
foreach ($_POST as $key => $value) {
$$key = $value;
}
// Runs after the POST loop: every GET parameter name becomes a variable whose value is
// copied from the variable NAMED BY the GET value ($$value), not from the value itself.
foreach ($_GET as $key => $value) {
$$key = $$value;
}
// $flag is never assigned in the visible code - presumably defined by code not shown here.
// By this point it may have been replaced by the two loops above.
echo $flag;
}else{
echo "洗洗睡吧";
}
}else{
echo "行不行啊细狗";
}
}
}
// Reached when no 'cookie' cookie was sent. A cookie with the wrong value produces no output at all.
else {
echo '菜菜';
}
}else{
echo "就这?";
}
}else{
echo "别来沾边";
}
其中这个函数的意义是这样的
foreach ($_POST as $key => $value) {
$$key = $value;
}
将上传的post参数逐个执行 $$key=$value，这里相当于 $flag=$value
也就是 $1=flag
之后
foreach ($_GET as $key => $value) {
$$key = $$value;
}
上传1=flag
可以得到 $1=$flag
上传flag=1
得到 $flag=$1，也就相当于 $flag=$flag
这样就绕过了变量覆盖
就可以执行echo $flag
得到flag