實驗吧-你真的會PHP嗎
阿新 • • 發佈:2018-12-17
標題:你真的會PHP嗎?
解題連結: http://ctf5.shiyanbar.com/web/PHP/index.php
開啟連結,檢視response:
HTTP/1.1 200 OK Date: Mon, 29 Oct 2018 11:13:57 GMT Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29 X-Powered-By: PHP/5.3.29 hint: 6c525af4059b4fe7d8c33a.txt Content-Length: 12 Connection: close Content-Type: text/html have a fun!!
看到hint頭,根據提示開啟
http://ctf5.shiyanbar.com/web/PHP/6c525af4059b4fe7d8c33a.txt
獲取程式碼:
<?php $info = ""; $req = []; $flag="xxxxxxxxxx"; ini_set("display_error", false); error_reporting(0); if(!isset($_POST['number'])){ header("hint:6c525af4059b4fe7d8c33a.txt"); die("have a fun!!"); } foreach([$_POST] as $global_var) { foreach($global_var as $key => $value) { $value = trim($value); is_string($value) && $req[$key] = addslashes($value); } } function is_palindrome_number($number) { $number = strval($number); $i = 0; $j = strlen($number) - 1; while($i < $j) { if($number[$i] !== $number[$j]) { return false; } $i++; $j--; } return true; } if(is_numeric($_REQUEST['number'])){ $info="sorry, you cann't input a number!";//要求1:不能是數字 }elseif($req['number']!=strval(intval($req['number']))){ $info = "number must be equal to it's integer!! "; }else{ $value1 = intval($req["number"]); $value2 = intval(strrev($req["number"])); if($value1!=$value2){ $info="no, this is not a palindrome number!";//要求2:字串正序和倒序轉換為數字要相等 }else{ if(is_palindrome_number($req["number"])){ $info = "nice! {$value1} is a palindrome number!"; //要求3:不能是迴文 }else{ $info=$flag; } } } echo $info;
依據程式碼分析:
要求1:不能輸入數字
要求2:字串正序和倒序轉換為數字要相等
要求3:不能是迴文
解題1:
intval()最大的值取決於作業系統。 32 位系統最大帶符號的 integer 範圍是 -2147483648 到 2147483647
加上空格%20
number=2147483647%00
number=2147483647%20
解題2:
number=0e-0%00
number=0e-0%20