Start the target machine
Problem solving process
Step 1 - View the source code
The page source contains this commented-out PHP code:
<!--
$cat=$_GET['cat'];
echo $cat;
if($cat=='dog'){
echo 'Syc{cat_cat_cat_cat}';
}
-->
PHP adopts the syntax of C language, but there are some differences.
$cat
Meaning of the $ symbol: it denotes an ordinary user-defined variable. $ followed by a string is a variable name or object name.
Extension: meaning of the $$ symbol: it denotes a variable variable, used to store the value of the variable.
$_GET
The $_GET variable is an array whose content is the variable names and values sent by the HTTP GET method.
$_GET is used to collect values from a form with method="get". Messages sent from a form with the GET method are visible to everyone (they appear in the browser's address bar), and there is a limit on the amount of information sent (maximum 100 characters).
Note: GET requests include a form tag with method="get".
When using the $_GET variable, all variable names and values are displayed in the URL, so this method should not be used when sending passwords or other sensitive information. However, because the variables appear in the URL, you can bookmark the page, which is useful in some cases.
echo $cat;
echo
There are two basic output methods in PHP: echo and print.
The difference between echo and print:
1. echo - can output one or more strings
2. print - only allows one string to be output, and the return value is always 1
Note: echo is a language construct, which can be used with or without parentheses: echo or echo().
The string Syc{dog_dog_dog_dog} is presumably related to the backend.
This code tells us that when cat=dog, something will be output.
That output is likely to be related to the flag.
So let's construct the payload first and look at what it outputs.
Step 2 - Construct the payload
Knowledge points:
1. Relative paths and absolute paths
2. Access path issue: the difference between a path with a slash and one without a slash
Method 1: Construct the payload directly in the address bar of the web page
original address
Then add after the address
/?cat=dog
Because this is an absolute path, you need to add the slash yourself and then write the parameter "?cat=dog" (the $_GET in the source code from step 1 shows that this is a GET request)
Method 2: Use HackBar to construct the payload
Click "Load URL" to load the URL from the address bar into the box
Enter
?cat=dog //(? indicates parameter passing)
Then click "Execute"
Get the flag
flag{e391e786-e24f-4b19-8cd4-651300cb0200}
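Added example (not part of the original write-up or the challenge's code): how the query string in ?cat=dog ends up in $_GET, and the commented-out check from step 1 rewritten so the parameter is treated as untrusted input. The function names query_to_get and handle, the host challenge.example and the string FLAG_PLACEHOLDER are assumptions made for this illustration.

```php
<?php
// Added illustration, not the challenge's code.

// Mimic how PHP fills $_GET from the query string of the request URL.
function query_to_get(string $url): array
{
    $query = (string) parse_url($url, PHP_URL_QUERY); // '' when there is no "?..."
    parse_str($query, $params); // same decoding rules PHP applies to $_GET
    return $params;
}

// The check from the commented-out code, with the parameter treated as untrusted.
// FLAG_PLACEHOLDER is a constructed stand-in for what the server prints.
function handle(array $get): string
{
    $cat = $get['cat'] ?? null;
    if (!is_string($cat)) { // parameter absent, or ?cat[]=dog which arrives as an array
        return '';
    }
    $out = htmlspecialchars($cat, ENT_QUOTES, 'UTF-8'); // escape before echoing into HTML
    if ($cat === 'dog') { // strict comparison, no type juggling
        $out .= 'FLAG_PLACEHOLDER';
    }
    return $out;
}

// Constructed sample URLs; challenge.example is a placeholder host.
$samples = [
    'http://challenge.example/',
    'http://challenge.example/?cat=dog',
    'http://challenge.example/?cat=d%6Fg', // percent-encoded "o" decodes to dog
    'http://challenge.example/?cat[]=dog',
    'http://challenge.example/?cat=<b>dog</b>',
];
foreach ($samples as $url) {
    printf("%-42s => %s\n", $url, var_export(handle(query_to_get($url)), true));
}
```

Run it with the PHP command-line interpreter; each line shows a request URL and what the hardened handler would echo for it.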
Summary of ideas
Question type:
- Web page parameters
Steps to do the question:
- View web page source code
- Construct payload