The challenge hint suggests that a backup file was leaked. Directory scanning turned up a downloadable index.php.bak, which exposes the source of the index page:
```php
<?php
include_once "flag.php";
ini_set("display_errors", 0);
$str = strstr($_SERVER['REQUEST_URI'], '?');
$str = substr($str, 1);
$str = str_replace('key', '', $str);
parse_str($str);
echo md5($key1);
echo md5($key2);
if (md5($key1) == md5($key2) && $key1 !== $key2) {
    echo $flag."取得flag";
}
?>
```
- The first `$str`: takes the request URI from the `?` to the end.
- The second `$str`: cuts that substring again starting at position 1, which drops the leading `?`.
- The third `$str`: replaces every occurrence of `key` in the remaining string with the empty string.
- `parse_str()` then registers each query parameter as a PHP variable, so `key1` and `key2` in the query string become `$key1` and `$key2`.

Because `str_replace` runs a single pass, the `key` filter can be bypassed by double-writing the parameter name: once the inner `key` is removed, the surviving characters spell `key` again.
payload: http://target/web16/?kkeyey1[]=s878926199a&kekeyy2[]=s155964671a
The MD5 comparison bypass is covered here: MD5 bypass
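For contrast, here is a hardened version of the same handler, added as an example and not part of the original challenge or writeup. It assumes the same `flag.php` include and introduces its own `$params` array; the three changes correspond to the three weaknesses the walkthrough relies on.

```php
<?php
// Added example, not the challenge's own code: the same handler with the
// defects closed. $params, $key1 and $key2 are names assumed for this example.
include_once "flag.php";
ini_set("display_errors", 0);

// 1. Parse into a dedicated array instead of registering arbitrary globals.
//    Without the second argument, parse_str() lets a request define or
//    overwrite any variable in scope, including $flag.
parse_str((string)($_SERVER['QUERY_STRING'] ?? ''), $params);

$key1 = $params['key1'] ?? null;
$key2 = $params['key2'] ?? null;

// 2. Enforce the expected type. md5() on an array returns NULL (PHP 7) or
//    throws a TypeError (PHP 8), and NULL == NULL satisfies a loose check,
//    so a blacklist on the parameter name is the wrong control here.
if (!is_string($key1) || !is_string($key2)) {
    http_response_code(400);
    exit("key1 and key2 must be strings");
}

// 3. Compare digests with hash_equals() rather than ==, which treats two
//    "0e..." digests as equal numeric strings.
if (hash_equals(md5($key1), md5($key2)) && $key1 !== $key2) {
    echo $flag;
}
```

With these changes the array trick and the magic-hash trick both fail, and the only way past the check is a genuine MD5 collision between two different strings.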