http://www.shiyanbar.com/ctf/1846
拐弯抹角 (Indirection)
How do you trick the server into handing over the flag?
Format: CTF{}
Challenge link: http://ctf5.shiyanbar.com/10/indirection/
Solution:
<?php
// code by SEC@USTC
echo '<html><head><meta http-equiv="charset" content="gbk"></head><body>';
$URL = $_SERVER['REQUEST_URI'];
//echo 'URL: '.$URL.'<br/>';
$flag = "CTF{???}";
// The source shown to the visitor has the real flag swapped for the placeholder
$code = str_replace($flag, 'CTF{???}', file_get_contents('./index.php'));
$stop = 0;
//This challenge is also meant to teach something
//First, one can construct paths such as /indirection/a/../ or /indirection/./
//So the first requirement is that ./ must not appear
if($flag && strpos($URL, './') !== FALSE){
$flag = "";
$stop = 1; //Pass
}
//Second, \ can be used in place of the filtered /
//So the second requirement is that ../ must not appear
if($flag && strpos($URL, '\\') !== FALSE){
$flag = "";
$stop = 2; //Pass
}
//Third, some systems treat paths case-insensitively, e.g. indirectioN/
//Characters such as ? and # can also be used to get around the checks; this needs one uniform fix
//So the third requirement restricts the allowed characters to a-z, / and .
$matches = array();
preg_match('/^([0-9a-z\/.]+)$/', $URL, $matches);
if($flag && empty($matches) || $matches[1] != $URL){
$flag = "";
$stop = 3; //Pass
}
//Fourth, several / in a row also work
//So the fourth requirement is that // must not appear
if($flag && strpos($URL, '//') !== FALSE){
$flag = "";
$stop = 4; //Pass
}
//Fifth, obviously adding index.php or dropping index.php both work
//So our next requirement is that /index.php must be present, and the URI must end with it
if($flag && substr($URL, -10) !== '/index.php'){
$flag = "";
$stop = 5; //Not Pass
}
//Sixth, we know that appending a . after index.php also works
//So we forbid a . after the p
if($flag && strpos($URL, 'p.') !== FALSE){
$flag = "";
$stop = 6; //Not Pass
}
//Seventh, now comes the decisive moment
//Your $URL must differ from /indirection/index.php
if($flag && $URL == '/indirection/index.php'){
$flag = "";
$stop = 7; //Not Pass
}
if(!$stop) $stop = 8;
echo 'Flag: '.$flag;
echo '<hr />';
// Rewrite the "//Pass N" markers in the displayed source so the visitor sees which checks were cleared
for($i = 1; $i < $stop; $i++)
$code = str_replace('//Pass '.$i, '//Pass', $code);
for(; $i < 8; $i++)
$code = str_replace('//Pass '.$i, '//Not Pass', $code);
echo highlight_string($code, TRUE);
echo '</body></html>';
mixed str_replace ( mixed $search , mixed $replace , mixed $subject [, int &$count ] )
This function returns a string or an array in which every occurrence of search in subject has been replaced with replace.
$code = str_replace($flag, 'CTF{???}', file_get_contents('./index.php')); this line tells us what is going on: the displayed source has the real flag swapped for CTF{???}.
Append /index.php to the URL.
Flag obtained: CTF{PSEDUO_STATIC_DO_YOU_KNOW}
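The challenge filter is a denylist that chases each alternative spelling of the same path one rule at a time. The defender's alternative is to canonicalize the request path and compare the result; the Python below (an added example, not part of the original writeup or of the challenge code) folds the spellings listed in the source comments into one canonical form. The VARIANTS list is constructed sample input.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample request URIs: the spellings the challenge source warns about
# (./ and a/.., backslashes, mixed case, doubled slashes, index.php with a
# trailing dot, query/fragment suffixes, percent-encoded dots).
VARIANTS = [
    "/indirection/index.php",
    "/indirection/",
    "/indirection/a/../index.php",
    "/indirection/./index.php",
    "\\indirection\\index.php",
    "/indirectioN/",
    "/indirection//index.php",
    "/indirection/index.php.",
    "/indirection/index.php?x=1#frag",
    "/indirection/%2e%2e/indirection/",
]


def canonical_path(request_uri: str, case_insensitive: bool = True) -> str:
    """Map every spelling of a directory resource to one canonical string.

    Steps: drop query and fragment, percent-decode, treat backslash as slash,
    collapse repeated slashes, resolve . and .., optionally lowercase (only
    right on case-insensitive filesystems), and strip a trailing index.php
    with any trailing dots, so '/dir/', '/dir/index.php' and '/dir/index.php.'
    all compare equal.
    """
    path = request_uri.split("#", 1)[0].split("?", 1)[0]
    path = unquote(path).replace("\\", "/")
    path = re.sub(r"/+", "/", "/" + path)   # normpath would keep a leading '//'
    path = posixpath.normpath(path)          # resolves './' and 'a/../'
    if case_insensitive:
        path = path.lower()
    segments = path.split("/")
    if segments[-1].rstrip(".") in ("index.php", ""):
        segments = segments[:-1]
    return "/".join(segments) + "/"


def same_resource(uri_a: str, uri_b: str) -> bool:
    """Compare two request URIs by canonical form rather than by raw text."""
    return canonical_path(uri_a) == canonical_path(uri_b)


if __name__ == "__main__":
    for uri in VARIANTS:
        print(f"{uri!r:40} -> {canonical_path(uri)}")
```

Every entry in VARIANTS canonicalizes to /indirection/, which is the comparison an access check should be making instead of matching the raw REQUEST_URI string.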