CTF code audit: whitespace characters that bypass filtering

topic

<?php
header("Content-Type:text/html;charset=utf-8");
highlight_file('02kbzf.php');

// Include the file named flag2.php.
include('f' . 'lag2' . '.php');

// Initialise the variables $info and $req.
$info = "";
$req = [];

// Read the contents of flag2.php into $flag; trim() strips leading and trailing whitespace from the result.
$flag = trim(@file_get_contents('fl' . 'a' . 'g2' . '.php'));

ini_set("display_error", false);
error_reporting(0);

// Check whether the GET parameter "number" is present; if not, send a "hint" response header, print a prompt and stop the script.
if(!isset($_GET['number'])){
    header("hint:" . hash("md5", "2djwioadopkwapodkpawkpdw.txt"));
    die("please refuel!!");
}

// Filter every key/value pair to guard against SQL injection.
foreach([$_GET, $_POST] as $global_var) {
    foreach($global_var as $key => $value) {
        $value = trim($value);
        if(is_string($value)){
            $req[$key] = addslashes($value);
        }
    }
}

// Define is_hwhs_number, which checks whether a number is a palindrome.
function is_hwhs_number($number) {
    $number = strval($number);
    $i = 0;
    $j = strlen($number) - 1;
    while($i < $j) {
        if($number[$i] !== $number[$j]) {
            return false;
        }
        $i++;
        $j--;
    }
    return true;
}


// Check whether the supplied number is numeric / an integer; if so, return a prompt.
if(is_numeric($_REQUEST['number'])) {
    $info="抱歉您输入的是数字";
}
elseif($req['number']!=strval(intval($req['number']))) {
    $info = "数字必须等于其整数!!";
}
else {

// Compare the integer value of number with the integer value of its reversal; if they differ, return a prompt.
    $value1 = intval($req["number"]);
    $value2 = intval(strrev($req["number"]));
    if($value1!=$value2=232){
        $info="这不是回文数字!!";
    }
    else {
    // Check whether number is a palindrome; if so, return a prompt, otherwise output the contents of flag2.php.
        if(is_hwhs_number($req["number"])){
            $info = "{$value1} 是一个回文数字!";
        }
        else {
            var_dump($flag);
        }
    }
}
?>


function

Functions used in the code:

  • trim: removes whitespace characters (spaces, tabs, newlines, etc.) from both ends of a string.
  • intval: converts a value to an integer.
  • strval: converts a variable to a string.
  • strrev: reverses a string, so its first and last characters swap places.
  • addslashes: escapes a string by converting certain special characters into their escaped forms to help avoid SQL injection. For example, a single quote ' becomes \', a double quote " becomes \", and a backslash \ becomes \\.

Part of the code explained

    $value1 = intval($req["number"]);
    $value2 = intval(strrev($req["number"]));
  • These two lines of code convert the string $req["number"] into an integer and store it in the $value1 and $value2 variables respectively.

  • Among them, the intval function converts a string to an integer and returns 0 if $req["number"] is not actually a numeric string.

  • In the second line of code, the strrev function reverses the string, that is, the order of the characters in the string is reversed, for example, the output of strrev('123') is '321'. Then convert the reversed string into an integer and store it in the $value2 variable.

  • The purpose of these two variables is to compare $req["number"] and its reversed string to see if they are equal. If they are equal, it means that $req["number"] is a palindrome number, otherwise it is not a palindrome number.

Ideas


From the audited code, number must satisfy the following three conditions before the flag is output:

  1. number is not empty and cannot be a numeric value, but it must be a number before filtering.
  2. number cannot be a palindrome number, yet it becomes a palindrome number after filtering.
  3. $value1!= $value2=232, which limits number to 232.
  • The number must be a non-numeric value. The space character %20 and the null character %00 naturally come to mind. Note that the is_numeric function only tolerates the space character %20 after the numeric value, whereas the null character %00 is judged non-numeric whether it is placed before or after the value. So %00 is chosen here.
  • %0C: this is a URL encoding of an ASCII control character, the form feed \f. PHP decodes %0C into a single character, which the is_hwhs_number function rejects as not a palindrome, so execution reaches the var_dump branch and the content of $flag is output.
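To make the mechanism concrete, here is an added PHP walk-through (not part of the challenge or of the original post) that feeds the POC bytes through the same functions the script uses, then shows a stricter check; the sample string is constructed from the POC and validate_number is a hypothetical hardened replacement:

```php
<?php
// Added walk-through, not part of the challenge: how each filter in the
// audited script reacts to the bytes of the POC, and a stricter check.

// Constructed sample: NUL, form feed, then "232" (the URL form %00%0C232).
$raw = "\0\f232";

// Step 1: is_numeric() sees the untrimmed $_REQUEST value. A leading NUL is
// not whitespace, so the "you entered a number" branch is not taken.
$isNumeric = is_numeric($raw);

// Step 2: trim() strips NUL (it is in its default list " \n\r\t\v\0") but
// not \f, so the filtered copy still starts with a form feed.
$filtered = trim($raw);

// Step 3: PHP accepts a leading \f as whitespace in a numeric string, so the
// loose comparison against strval(intval(...)) does not reject it, and
// intval() of the string and of its reversal both parse the digits 232.
$looksInteger = ($filtered == strval(intval($filtered)));
$value1 = intval($filtered);
$value2 = intval(strrev($filtered));

// Step 4: the byte-wise palindrome test (what is_hwhs_number does) compares
// "\f" with "2" and fails, which is the branch that dumps $flag.
$isPalindrome = ($filtered === strrev($filtered));

var_dump($isNumeric, $filtered, $looksInteger, $value1, $value2, $isPalindrome);

// Hypothetical hardened check: accept only an all-ASCII-digit string (\A and
// \z anchor the whole value; \z, unlike $, also rejects a trailing newline),
// then work with the integer alone, so control bytes never reach intval().
function validate_number(string $input): ?int
{
    if (preg_match('/\A[0-9]+\z/', $input) !== 1) {
        return null;
    }
    return (int) $input;
}

var_dump(validate_number($raw));   // rejected: contains NUL and form feed
var_dump(validate_number("232"));  // accepted
```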

POC

URL?number=%00%0C232

Get the flag as follows:


C:\phpstudy_pro\WWW\pass2\02kbzf.php:58:string '<?php

$flag ="xyctf6d4w68a4dwwa64dw";

?>' (length=44)

Origin blog.csdn.net/qq_36292543/article/details/132598204