[鹤城杯 2021]Middle magic
<?php
highlight_file(__FILE__);
include "./flag.php";
include "./result.php";
if(isset($_GET['aaa']) && strlen($_GET['aaa']) < 20){
$aaa = preg_replace('/^(.*)level(.*)$/', '${1}<!-- filtered -->${2}', $_GET['aaa']);
if(preg_match('/pass_the_level_1#/', $aaa)){
echo "here is level 2";
if (isset($_POST['admin']) and isset($_POST['root_pwd'])) {
if ($_POST['admin'] == $_POST['root_pwd'])
echo '<p>The level 2 can not pass!</p>';
// START FORM PROCESSING
else if (sha1($_POST['admin']) === sha1($_POST['root_pwd'])){
echo "here is level 3,do you kown how to overcome it?";
if (isset($_POST['level_3'])) {
$level_3 = json_decode($_POST['level_3']);
if ($level_3->result == $result) {
echo "success:".$flag;
}
else {
echo "you never beat me!";
}
}
else{
echo "out";
}
}
else{
die("no");
}
// perform validations on the form data
}
else{
echo '<p>out!</p>';
}
}
else{
echo 'nonono!';
}
echo '<hr>';
}
?>
preg_match:没有匹配的就返回false
preg_replace:只能匹配一行的数据。
如果代码替换了abc,但后面又要求有abc,可以用%0a(换行符)
%0apass_the_level_1%23
%0a换行符,%23井号。
shal 哈希函数无法处理数组,会返回结果 null
admin[]=1&root_pwd[]=2 ---》null == null
json_decode : 解码 JSON 字符串
level_3='{"result":0}'
这里要猜测 $result 是一个字符串,这样 0=="abc",为true
<?php
$json='{"a":12345}';
$obj=json_decode($json);
print $obj->{'a'}; //12345
?> //个人理解:json_decode作用就是便于数据存储,没有其他作用
原文地址:https://blog.csdn.net/wangzhemvp/article/details/137879895
免责声明:本站文章内容转载自网络资源,如本站内容侵犯了原著者的合法权益,可联系本站删除。更多内容请关注自学内容网(zxcms.com)!