Bugku CTF_Web——No one knows regex better than me
进入靶场
一段PHP代码
<?php
error_reporting(0);
$zero=$_REQUEST['zero'];
$first=$_REQUEST['first'];
$second=$zero.$first;
if(preg_match_all("/Yeedo|wants|a|girl|friend|or|a|flag/i",$second)){$key=$second;if(preg_match("/\.\.|flag/",$key)){die("Noooood hacker!");}else{$third=$first;if(preg_match("/\\|\056\160\150\x70/i",$third)){$end=substr($third,5);highlight_file(base64_decode($zero).$end);//maybe flag in flag.php}}
}
else{highlight_file(__FILE__);
}
Base64 解码 $zero:
base64_decode('ZmxhZw==')解码为flag。
拼接 $second:
$second = $zero . $first = "ZmxhZw==" . "xxxxx.php"。- 不触发敏感关键字正则匹配。
路径构造:
-
$third = $first = "xxxxx.php"。 -
$end = substr($third, 5) = ".php"。 -
拼接路径为
flag.php。 -
highlight_file('flag' . '.php'),即读取并高亮显示flag.php文件内容
构造payload
?zero=ZmxhZw==&first=abcd|.php
拿到flag
flag{139bd55892bb347a526e2a29422b48fb}
