Buuctf-Web-[Geek Challenge 2019]Havefun problem solution & summary of ideas

Start the drone

Problem solving process

Step 1 - View the source code

See the commented out php code here

     <!--
        $cat=$_GET['cat'];
        echo $cat;
        if($cat=='dog'){
    
    
            echo 'Syc{cat_cat_cat_cat}';
        }
        -->

PHP adopts the syntax of C language, but there are some differences.

$cat

$The meaning of the symbol: represents a custom ordinary variable
$ plus a string is a variable name or object name
Extension:
$$ The meaning of a> symbol: represents a variable variable, used to store the value of the variable

$_GET

$_GETThe variable is an array whose content is the variable name and value sent by HTTP GET method
$_GET is used to collect values ​​from the form with method="get". Messages sent from a form with GET 方法 are visible to everyone (will appear in the browser's address bar), and there is a limit on the amount of information sent (maximum 100 characters)
Note:
属于GET请求的有：from标签中method="get"
When using the $_GET variable, all variable names and values ​​will be displayed in the URL. So this method should not be used when sending passwords or other sensitive information. However, because the variables appear in the URL, you can bookmark the page. In some cases this is useful

echo $cat;

echo
There are two basic output methods in PHP: echo and print
The difference between echo and print:
1 , echo - can output one or more strings
2. print - only allows one string to be output, and the return value is always 1
Note:
echo is a language structure, which can be used without parentheses or with parentheses: echo or echo().

The sentence Syc{dog_dog_dog_dog} is guessed to be related to the backend.

This section of code reminds us that when cat=dog, something will be output.
Then the output at this time is likely to be related to the flag.
So let’s construct the payload first and output this to take a look.

Step 2 - Construct the payload

知识点：
1.Relative path and absolute path
2.Access path problem—with slash and without Difference with slash

Method 1: Construct the payload directly in the address bar of the web page

original address

Then add after the address

/?cat=dog

Because this is an absolute path, you need to add a slash yourself and then write the transfer parameter "?cat=dog" (you can use $_GET in the source code of the first step Yes, this is a GET request)

Method 2: Use HackBar to construct the payload

Click "Load URL" and box down the URL in the address bar

Enter

?cat=dog   //（?表示传参）

Then click "Execute"

get flag
flag{e391e786-e24f-4b19-8cd4-651300cb0200}

Summary of ideas

Question type:

1. Web page parameters

Steps to do the question:

1. View web page source code
2. Construct payload