CHHHCHHOH 's BLOG

[鹤城杯 2021]EasyP

<?php

include 'utils.php';

if (isset($_POST['guess'])) {
    $guess = (string) $_POST['guess'];
    if ($guess === $secret) {
        $message = 'Congratulations! The flag is: ' . $flag;
    } else {
        $message = 'Wrong. Try Again';
    }
}

if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
    exit("hacker :)");
}

if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
    exit("hacker :)");
}

if (isset($_GET['show_source'])) {
    highlight_file(basename($_SERVER['PHP_SELF']));
    exit();
}else{
    show_source(__FILE__);
}
?> 

$_SERVER['PHP_SELF'] is the path of the script currently being executed.
$_SERVER['REQUEST_URI'] returns the current URI, i.e. the complete path that follows the domain name.
For example, for http:xxx/index.php/flag.php?exp=ctf
$_SERVER['PHP_SELF']=index.php/flag.php and $_SERVER['REQUEST_URI']=index.php/flag.php?exp=ctf
basename() strips non-ASCII characters (such as Chinese) from the start of the file name, so a Chinese character can be used to bypass the first regex:
/index.php/utils.php/文件
URL-encode the parameter name to bypass the second one:
index.php/utils.php/文件?%73%68%6f%77%5f%73%6f%75%72%63%65=1
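As an added example (not part of the challenge source or of this writeup), the same gate rewritten so that neither trick applies: the file to display is never derived from the request, and the parameter check reads the already-decoded $_GET array instead of matching a regex against the raw REQUEST_URI. It assumes, as the challenge does, that utils.php defines $secret and $flag.

```php
<?php
// Added example: hardened variant of the challenge's source-display gate.
// utils.php is assumed to define $secret and $flag, as in the challenge.
include 'utils.php';

$message = '';
if (isset($_POST['guess'])) {
    $guess = (string) $_POST['guess'];
    if ($guess === $secret) {
        $message = 'Congratulations! The flag is: ' . $flag;
    } else {
        $message = 'Wrong. Try Again';
    }
}

// PHP percent-decodes query-string keys before filling $_GET, so
// "%73%68%6f%77%5f%73%6f%75%72%63%65" arrives here as "show_source".
// A regex over the raw $_SERVER['REQUEST_URI'] never sees that form.
if (array_key_exists('show_source', $_GET)) {
    // Only ever display this script. The original passed
    // basename($_SERVER['PHP_SELF']) to highlight_file(); PHP_SELF includes
    // attacker-chosen PATH_INFO, which is what exposed utils.php.
    highlight_file(__FILE__);
    exit();
}

// Because nothing request-controlled selects a file any more, the
// "/utils.php/" suffix check on PHP_SELF is no longer needed: utils.php
// is only ever reached through include, never through a derived path.
show_source(__FILE__);
echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
```

With the file name fixed to __FILE__, both regex gates from the original become unnecessary rather than merely stricter, which is the safer shape for this kind of check.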
