要点
ccokie:czo1OiJhZG1pbiI7[admin]
preg_match的绕过:
preg_match()函数只能处理字符串,当传入的变量是数组是会返回false
implode()函数将数组元素组合成的字符串
explode把字符串打散为数组
代码
<!DOCTYPE html>
<html>
<head>
<title>x</title>
</head>
<body>
<?php
$role = "guest";
$flag = "flag{???}";
$auth = false;
if(isset($_COOKIE["role"])){
$role = unserialize(base64_decode($_COOKIE["role"]));
if($role === "admin"){
$auth = true;
}
else{
$auth = false;
}
}
else{
$role = base64_encode(serialize($role));
setcookie('role',$role);
}
if($auth){
if(isset($_POST['filename'])){
$filename = $_POST['filename'];
$data = $_POST['data'];
//当data是字符串判断是否含有[<>?]
if(preg_match('[<>?]', $data)) {
die('No No No!');
}
else {
//当data是数组
//implode()函数将数组元素组合成的字符串
$s = implode($data);
//preg_match 匹配上[<>?]是1跳过 将flag写入文件中
if(!preg_match('[<>?]', $s)){
$flag="None.";
}
$rand = rand(1,10000000);
$tmp="./uploads/".md5(time() + $rand).$filename;
file_put_contents($tmp, $flag);
echo "your file is in " . $tmp;
}
}
else{
echo "Hello admin, now you can upload something you are easy to forget.";
echo "<br />there are the source.<br />";
echo '<textarea rows="10" cols="100">';
echo htmlspecialchars(str_replace($flag,'flag{???}',file_get_contents(__FILE__)));
echo '</textarea>';
}
}
else{
echo "Sorry. You have no permissions.";
}
?>
</body>
</html>