<?php
highlight_file('2.php');
$key='KEY{********************************}';
$IM= preg_match("/key.*key.{4,7}key:\/.\/(.*key)[a-z][[:punct:]]/i", trim($_GET["id"]), $match);
if( $IM ){
die('key is: '.$key);
}
?>
By analyzing the code, it can be known that as long as the input id meets the regular matching, the flag can be obtained.
Regular matching rules
- The delimiter // indicates the beginning and end of regular matching
- Dot (.) any single character
- The character before the asterisk (*) appears zero, one or more times
- The plus sign (+) The preceding character appears at least once
- The character in front of the question mark (?) can only appear once at most
- {n,m} The preceding character appears n~m times
- Backslash (\) escape character
- [az] Match a single character from az
- [[:punct:]] any punctuation
- /i Regular expression is not case sensitive
- \d matches numbers
- \b matches the beginning or end of a word
- \w matches multiple characters of numbers and letters underscores
/key . * key . {
4,7} key:\/ .\/ (.*key) [a-z] [[:punct:]]/i
key+任意单个字符+前面的字符出现零次或多次+key+任意单个字符(出现4~7次)+key:/+任意单个字符+/+(任意单个字符+前面的字符出现零次或多次+key)+a~z中任意一个+!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~.中任意一个符号
After knowing the above matching rules, you can write the payload.
http://target/web10/?id=keykeyaaaaakey:/a/keya!
