Various bypasses
<?php
highlight_file('flag.php');
$_GET['id'] = urldecode($_GET['id']);
$flag = 'flag{xxxxxxxxxxxxxxxxxx}';
if (isset($_GET['uname']) and isset($_POST['passwd'])) {
    if ($_GET['uname'] == $_POST['passwd'])
        print 'passwd can not be uname.';
    else if (sha1($_GET['uname']) === sha1($_POST['passwd']) & ($_GET['id']=='margin'))
        die('Flag: '.$flag);
    else
        print 'sorry!';
}
?>
sha1() is an unfamiliar function here; it can be bypassed by passing arrays instead of strings.
(sha1($_GET['uname']) === sha1($_POST['passwd']) & ($_GET['id']=='margin'))
uname and id arrive via GET, passwd via POST,
and passwd cannot equal uname.
Construct:
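For contrast, here is a hardened rewrite of the check above. This is an added example, not the challenge's own code; it assumes the same parameter names (uname, id, passwd) and a placeholder flag. The weak spot is that sha1() is handed whatever type the request supplies: on PHP 5/7 a non-string argument only produces a warning and a NULL return, so two different arrays satisfy `sha1(a) === sha1(b)` while failing the loose `==` check. Type validation before hashing closes that, and hash_equals() avoids timing leaks on the comparison.

```php
<?php
// Added example, not the challenge's own code: hardened version of the
// uname/passwd check. Assumed parameter names: uname, id (GET), passwd (POST).
function check_login(array $get, array $post, string $flag): string
{
    // Reject anything that is not a plain string before it reaches sha1().
    // Arrays would make sha1() return NULL (PHP 5/7) and NULL === NULL holds.
    foreach (['uname', 'id'] as $k) {
        if (!isset($get[$k]) || !is_string($get[$k])) {
            return 'sorry!';
        }
    }
    if (!isset($post['passwd']) || !is_string($post['passwd'])) {
        return 'sorry!';
    }

    if ($get['uname'] === $post['passwd']) {
        return 'passwd can not be uname.';
    }

    // && instead of the bitwise &, and a constant-time comparison of digests.
    $sameHash = hash_equals(sha1($get['uname']), sha1($post['passwd']));
    if ($sameHash && $get['id'] === 'margin') {
        return 'Flag: ' . $flag;
    }
    return 'sorry!';
}

// Sample inputs (constructed): an array in place of uname no longer passes.
$flag = 'flag{placeholder}';
echo check_login(['uname' => ['a'], 'id' => 'margin'], ['passwd' => ['b']], $flag), PHP_EOL; // sorry!
echo check_login(['uname' => 'a', 'id' => 'margin'], ['passwd' => 'a'], $flag), PHP_EOL;     // passwd can not be uname.
```

On PHP 8 sha1() throws a TypeError for an array argument instead of returning NULL, but the is_string() check is still the right place to stop the request, because a thrown TypeError turns into an uncaught-exception page rather than a controlled 'sorry!'.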
Web8
<?php
extract($_GET);
if (!empty($ac))
{
    $f = trim(file_get_contents($fn));
    if ($ac === $f)
    {
        echo "<p>This is flag:" ." $flag</p>";
    }
    else
    {
        echo "<p>sorry!</p>";
    }
}
?>
extract() converts the entries of the $_GET array into variables; by default, when a name conflicts it overwrites the existing variable.
file_get_contents reference:
Construct:
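A hardened rewrite of Web8, added here as an example (not the challenge's own code). Two things go wrong in the original: extract($_GET) lets a request define or overwrite any variable the script uses, including $flag and $fn, and file_get_contents() is called on a name the client controls, so it accepts whatever paths and stream wrappers the client supplies. The rewrite reads ac and fn explicitly, pins the file name to one assumed directory (/var/www/keys/, a placeholder), and compares with hash_equals().

```php
<?php
// Added example, not the challenge's own code. Assumed: key files live in
// $keyDir and the flag is a placeholder.
$flag   = 'flag{placeholder}';
$keyDir = '/var/www/keys/';

function readKeyFile(string $keyDir, string $fn): ?string
{
    // basename() drops directory components and wrapper prefixes ("php://",
    // "data://"), and the allow-list regex rejects anything but a plain name.
    $name = basename($fn);
    if ($name === '' || !preg_match('/^[A-Za-z0-9_.-]+$/', $name) || $name === '.' || $name === '..') {
        return null;
    }
    $path = $keyDir . $name;
    if (!is_file($path)) {
        return null;
    }
    $data = file_get_contents($path);
    return $data === false ? null : trim($data);
}

// Explicit parameter reads: no extract(), so $flag and $keyDir cannot be
// overwritten from the query string.
$ac = (isset($_GET['ac']) && is_string($_GET['ac'])) ? $_GET['ac'] : '';
$fn = (isset($_GET['fn']) && is_string($_GET['fn'])) ? $_GET['fn'] : '';

if ($ac !== '' && $fn !== '') {
    $f = readKeyFile($keyDir, $fn);
    if ($f !== null && hash_equals($f, $ac)) {
        echo "<p>This is flag: $flag</p>";
    } else {
        echo "<p>sorry!</p>";
    }
}
```

With this structure the only way to pass the check is to know the contents of a file that already exists under $keyDir; the request can no longer choose both the value and the file it is compared against.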
Character regex
<?php
highlight_file('2.php');
$key='KEY{********************************}';
$IM= preg_match("/key.*key.{4,7}key:\/.\/(.*key)[a-z][[:punct:]]/i", trim($_GET["id"]), $match);
if( $IM ){
    die('key is: '.$key);
}
?>
/key.*key.{4,7}key:\/.\/(.*key)[a-z][[:punct:]]/i: turn each element of the regular expression into concrete characters.
Construct:
http://120.24.86.145:8002/web10/?id=keyaakey11111key:/a/aakeya.
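To see why that id value satisfies the pattern, the following added example (not part of the original write-up) breaks the regex into its elements and runs preg_match() over the write-up's id value plus two constructed variants that each violate one element. The sample strings are constructed for this example.

```php
<?php
// Added example, not the challenge's own code: element-by-element reading of
// the challenge regex, checked against constructed sample inputs.
$pattern = "/key.*key.{4,7}key:\/.\/(.*key)[a-z][[:punct:]]/i";

// What each element demands of the input (the /i flag makes "key" case-insensitive):
//   key           literal "key"
//   .*            any run of characters, possibly empty
//   key           literal "key"
//   .{4,7}        4 to 7 arbitrary characters (not newlines)
//   key:\/.\/     literal "key:/", one arbitrary character, then "/"
//   (.*key)       capture group 1: anything, then "key"
//   [a-z]         one letter
//   [[:punct:]]   one punctuation character (POSIX class)
$samples = [
    'keyaakey11111key:/a/aakeya.',  // the write-up's id value: matches
    'keyaakey111key:/a/aakeya.',    // only 3 characters between 2nd and 3rd "key": no match
    'keyaakey11111key:/a/aakeya',   // trailing punctuation missing: no match
];

function describe(string $pattern, string $id): string
{
    $matched = preg_match($pattern, trim($id), $m);
    if ($matched === 1) {
        return sprintf('match     %-30s group1=%s', $id, $m[1]);
    }
    return sprintf('no match  %-30s', $id);
}

foreach ($samples as $s) {
    echo describe($pattern, $s), PHP_EOL;
}
```

Reading the match of the first sample left to right: "key", then "aa" for `.*`, "key", "11111" for `.{4,7}`, "key:/a/", then group 1 captures "aakey", `[a-z]` takes the final "a" and `[[:punct:]]` the closing ".". The second sample fails because `.{4,7}` cannot be satisfied with only three characters before the next "key:/", and the third because nothing is left for `[[:punct:]]`.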
Careful
Scan the directories with dirsearch.
index.php contains nothing.
http://120.24.86.145:8002/web13//resusl.php?x=admin