What I am giving here is the unfamiliar knowledge points involved, combined with the detailed source code and answers in the linked article
https://blog.csdn.net/xiaorouji/article/details/82292233
extract variable coverage
Construction?flag=1&content=1
strcmp compares strings
The title has already explained the strcmp function:
if (strcmp($_GET['a'], $flag) == 0) //If str1 is less than str2, return <0;
if
str1 is greater than str2, return> 0; if they are equal, return 0. //Compare two strings (case sensitive)
Here, the strcmp function cannot be used to compare the input parameters of the function? a[]=0. Flag out
urldecode secondary encoding bypass
The article is written in detail. After passing in, the url encoding is decoded, and then the decode is decoded again.
Directly pass in the url encoding to bypass the detection. After decoding, it meets the if condition and gets the flag.
For example, the structure %2528
%25 is% after the first decoding, which constitutes %61, and the decoding is again obtained a.
?id=h%2561ackerDJ
eregi函数就是在字符串中进行匹配,如果直接上传违规参数,就退出
md5() function
It is also a typical md5 function vulnerability, but there is a pitfall here is that its md5 judgment is three equal signs, so the beginning of 0e cannot be bypassed, only an array can be used
直接构造两个不同的数组
?username[]=111&password[]=222
If it is == sign then construct
md5('240610708')
//0e462097431906509019562988736854.
md5('QNKCDZO')
//0e830400451993494058024219903391
Array NULL bypass
The strpos function
finds the first occurrence of "php" in the string: (case sensitive)
<?php
echo strpos("You love php, I love php too!","php");
?>
Related functions:
strrpos()-find the position of the last occurrence of a string in another string (case sensitive)
stripos()-find the position of the first occurrence of a string in another string (case insensitive) )
Strripos()-Find the position of the last occurrence of a string in another string (not case sensitive)
Construct an empty array to bypass
password[1]=4
Weak type integer size comparison bypass
is_numeric: Check if it is a number,
use %00 to bypass, and the number check
The sha() function is relatively bypassed
The sha1() function is used to calculate the SHA-1 hash of a string.
Array bypass;
construction?name[]=11&password[]=222
md5 encryption equal bypass
Weak type, upload array
Hexadecimal and digital comparison
First analyze the code. The function requires that the variable temp cannot have a number between 1 and 9. Finally, it requires that temp cannot have a number between 1-9. Finally, it requiresT E m P is not able to exist in . 1 . 9 of between a few words , the most after , and to request temp = 3735929054;
it would have been contradictory,but will at the transcoding php hexadecimal to decimal conversionso. Convert
3735990554 to hexadecimal as 0xdeadc0de, remember to bring 0x;
ereg regular %00 truncated
https://blog.csdn.net/dyw_666666/article/details/85388125
is written here very clearly
ps:
Method two uses scientific counting to resolve the conflict between digits and sizes.
1e5 means 10 to the 5th power of
course You can also upload an array function and judge it as null if it can’t be processed, null == false.