[鹤城杯 2021]EasyP

1. <?php
2. include 'utils.php';
4. if (isset($_POST['guess'])) {
5.     $guess = (string) $_POST['guess'];
6.     if ($guess === $secret) {
7.         $message = 'Congratulations! The flag is: ' . $flag;
8.     } else {
9.         $message = 'Wrong. Try Again';
10.     }
11. }
13. if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
14.     exit("hacker :)");
15. }
17. if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
18.     exit("hacker :)");
19. }
21. if (isset($_GET['show_source'])) {
22.     highlight_file(basename($_SERVER['PHP_SELF']));
23.     exit();
24. }else{
25.     show_source(__FILE__);
26. }
27. ?>

复制代码

 这个题目出现了$_SERVER['PHP_SELF']
这个是你调用的脚本的路径
比如说这个题目它的值就是/index.php
如果你访问的是
http://1.14.71.254:28189/index.php/utils.php
那么它的值就会是/index.php/utils.php
而$_SEVER['REQUEST_URL']
它的值这个时候和$_SERVER['PHP_SELF']的值是一样的，
区别在于，如果你用get传参的时候$_SEVER['REQUEST_URL']是会加上那个参数的，而$_SERVER['PHP_SELF']不会。
 
然后是basename这个函数。
这个函数是返回最后面一个/后面的名字。

 
这个函数有一个可以利用的地方就是，如果传入的参数中出现了非ascii字符则会把它给丢弃。
 
最后是讲绕过正则

1. if<?php
2. include 'utils.php';
4. if (isset($_POST['guess'])) {
5.     $guess = (string) $_POST['guess'];
6.     if ($guess === $secret) {
7.         $message = 'Congratulations! The flag is: ' . $flag;
8.     } else {
9.         $message = 'Wrong. Try Again';
10.     }
11. }
13. if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
14.     exit("hacker :)");
15. }
17. if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
18.     exit("hacker :)");
19. }
21. if (isset($_GET['show_source'])) {
22.     highlight_file(basename($_SERVER['PHP_SELF']));
23.     exit();
24. }else{
25.     show_source(__FILE__);
26. }
27. ?> (preg_match('/show_source/',<?php
28. include 'utils.php';
30. if (isset($_POST['guess'])) {
31.     $guess = (string) $_POST['guess'];
32.     if ($guess === $secret) {
33.         $message = 'Congratulations! The flag is: ' . $flag;
34.     } else {
35.         $message = 'Wrong. Try Again';
36.     }
37. }
39. if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
40.     exit("hacker :)");
41. }
43. if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
44.     exit("hacker :)");
45. }
47. if (isset($_GET['show_source'])) {
48.     highlight_file(basename($_SERVER['PHP_SELF']));
49.     exit();
50. }else{
51.     show_source(__FILE__);
52. }
53. ?> $_SERVER['REQUEST_URI'])){<?php
54. include 'utils.php';
56. if (isset($_POST['guess'])) {
57.     $guess = (string) $_POST['guess'];
58.     if ($guess === $secret) {
59.         $message = 'Congratulations! The flag is: ' . $flag;
60.     } else {
61.         $message = 'Wrong. Try Again';
62.     }
63. }
65. if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
66.     exit("hacker :)");
67. }
69. if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
70.     exit("hacker :)");
71. }
73. if (isset($_GET['show_source'])) {
74.     highlight_file(basename($_SERVER['PHP_SELF']));
75.     exit();
76. }else{
77.     show_source(__FILE__);
78. }
79. ?> <?php
80. include 'utils.php';
82. if (isset($_POST['guess'])) {
83.     $guess = (string) $_POST['guess'];
84.     if ($guess === $secret) {
85.         $message = 'Congratulations! The flag is: ' . $flag;
86.     } else {
87.         $message = 'Wrong. Try Again';
88.     }
89. }
91. if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
92.     exit("hacker :)");
93. }
95. if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
96.     exit("hacker :)");
97. }
99. if (isset($_GET['show_source'])) {
100.     highlight_file(basename($_SERVER['PHP_SELF']));
101.     exit();
102. }else{
103.     show_source(__FILE__);
104. }
105. ?> <?php
106. include 'utils.php';
108. if (isset($_POST['guess'])) {
109.     $guess = (string) $_POST['guess'];
110.     if ($guess === $secret) {
111.         $message = 'Congratulations! The flag is: ' . $flag;
112.     } else {
113.         $message = 'Wrong. Try Again';
114.     }
115. }
117. if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
118.     exit("hacker :)");
119. }
121. if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
122.     exit("hacker :)");
123. }
125. if (isset($_GET['show_source'])) {
126.     highlight_file(basename($_SERVER['PHP_SELF']));
127.     exit();
128. }else{
129.     show_source(__FILE__);
130. }
131. ?> <?php
132. include 'utils.php';
134. if (isset($_POST['guess'])) {
135.     $guess = (string) $_POST['guess'];
136.     if ($guess === $secret) {
137.         $message = 'Congratulations! The flag is: ' . $flag;
138.     } else {
139.         $message = 'Wrong. Try Again';
140.     }
141. }
143. if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
144.     exit("hacker :)");
145. }
147. if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
148.     exit("hacker :)");
149. }
151. if (isset($_GET['show_source'])) {
152.     highlight_file(basename($_SERVER['PHP_SELF']));
153.     exit();
154. }else{
155.     show_source(__FILE__);
156. }
157. ?> exit("hacker<?php
158. include 'utils.php';
160. if (isset($_POST['guess'])) {
161.     $guess = (string) $_POST['guess'];
162.     if ($guess === $secret) {
163.         $message = 'Congratulations! The flag is: ' . $flag;
164.     } else {
165.         $message = 'Wrong. Try Again';
166.     }
167. }
169. if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
170.     exit("hacker :)");
171. }
173. if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
174.     exit("hacker :)");
175. }
177. if (isset($_GET['show_source'])) {
178.     highlight_file(basename($_SERVER['PHP_SELF']));
179.     exit();
180. }else{
181.     show_source(__FILE__);
182. }
183. ?> :)");}

复制代码

 
 这个正则的绕过方法就是利用特性来绕过，可以用
　[
 <?php
include 'utils.php';

if (isset($_POST['guess'])) {
    $guess = (string) $_POST['guess'];
    if ($guess === $secret) {
        $message = 'Congratulations! The flag is: ' . $flag;
    } else {
        $message = 'Wrong. Try Again';
    }
}

if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
    exit("hacker :)");
}

if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
    exit("hacker :)");
}

if (isset($_GET['show_source'])) {
    highlight_file(basename($_SERVER['PHP_SELF']));
    exit();
}else{
    show_source(__FILE__);
}
?> (空格)
 +<?php
include 'utils.php';

if (isset($_POST['guess'])) {
    $guess = (string) $_POST['guess'];
    if ($guess === $secret) {
        $message = 'Congratulations! The flag is: ' . $flag;
    } else {
        $message = 'Wrong. Try Again';
    }
}

if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
    exit("hacker :)");
}

if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
    exit("hacker :)");
}

if (isset($_GET['show_source'])) {
    highlight_file(basename($_SERVER['PHP_SELF']));
    exit();
}else{
    show_source(__FILE__);
}
?> 　
 .
上面那几个字符任何一个都行，都可以被处理成_

1. if<?php
2. include 'utils.php';
4. if (isset($_POST['guess'])) {
5.     $guess = (string) $_POST['guess'];
6.     if ($guess === $secret) {
7.         $message = 'Congratulations! The flag is: ' . $flag;
8.     } else {
9.         $message = 'Wrong. Try Again';
10.     }
11. }
13. if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
14.     exit("hacker :)");
15. }
17. if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
18.     exit("hacker :)");
19. }
21. if (isset($_GET['show_source'])) {
22.     highlight_file(basename($_SERVER['PHP_SELF']));
23.     exit();
24. }else{
25.     show_source(__FILE__);
26. }
27. ?> (preg_match('/utils\.php\/*$/i',<?php
28. include 'utils.php';
30. if (isset($_POST['guess'])) {
31.     $guess = (string) $_POST['guess'];
32.     if ($guess === $secret) {
33.         $message = 'Congratulations! The flag is: ' . $flag;
34.     } else {
35.         $message = 'Wrong. Try Again';
36.     }
37. }
39. if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
40.     exit("hacker :)");
41. }
43. if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
44.     exit("hacker :)");
45. }
47. if (isset($_GET['show_source'])) {
48.     highlight_file(basename($_SERVER['PHP_SELF']));
49.     exit();
50. }else{
51.     show_source(__FILE__);
52. }
53. ?> $_SERVER['PHP_SELF']))<?php
54. include 'utils.php';
56. if (isset($_POST['guess'])) {
57.     $guess = (string) $_POST['guess'];
58.     if ($guess === $secret) {
59.         $message = 'Congratulations! The flag is: ' . $flag;
60.     } else {
61.         $message = 'Wrong. Try Again';
62.     }
63. }
65. if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
66.     exit("hacker :)");
67. }
69. if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
70.     exit("hacker :)");
71. }
73. if (isset($_GET['show_source'])) {
74.     highlight_file(basename($_SERVER['PHP_SELF']));
75.     exit();
76. }else{
77.     show_source(__FILE__);
78. }
79. ?> {<?php
80. include 'utils.php';
82. if (isset($_POST['guess'])) {
83.     $guess = (string) $_POST['guess'];
84.     if ($guess === $secret) {
85.         $message = 'Congratulations! The flag is: ' . $flag;
86.     } else {
87.         $message = 'Wrong. Try Again';
88.     }
89. }
91. if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
92.     exit("hacker :)");
93. }
95. if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
96.     exit("hacker :)");
97. }
99. if (isset($_GET['show_source'])) {
100.     highlight_file(basename($_SERVER['PHP_SELF']));
101.     exit();
102. }else{
103.     show_source(__FILE__);
104. }
105. ?> <?php
106. include 'utils.php';
108. if (isset($_POST['guess'])) {
109.     $guess = (string) $_POST['guess'];
110.     if ($guess === $secret) {
111.         $message = 'Congratulations! The flag is: ' . $flag;
112.     } else {
113.         $message = 'Wrong. Try Again';
114.     }
115. }
117. if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
118.     exit("hacker :)");
119. }
121. if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
122.     exit("hacker :)");
123. }
125. if (isset($_GET['show_source'])) {
126.     highlight_file(basename($_SERVER['PHP_SELF']));
127.     exit();
128. }else{
129.     show_source(__FILE__);
130. }
131. ?> <?php
132. include 'utils.php';
134. if (isset($_POST['guess'])) {
135.     $guess = (string) $_POST['guess'];
136.     if ($guess === $secret) {
137.         $message = 'Congratulations! The flag is: ' . $flag;
138.     } else {
139.         $message = 'Wrong. Try Again';
140.     }
141. }
143. if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
144.     exit("hacker :)");
145. }
147. if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
148.     exit("hacker :)");
149. }
151. if (isset($_GET['show_source'])) {
152.     highlight_file(basename($_SERVER['PHP_SELF']));
153.     exit();
154. }else{
155.     show_source(__FILE__);
156. }
157. ?> <?php
158. include 'utils.php';
160. if (isset($_POST['guess'])) {
161.     $guess = (string) $_POST['guess'];
162.     if ($guess === $secret) {
163.         $message = 'Congratulations! The flag is: ' . $flag;
164.     } else {
165.         $message = 'Wrong. Try Again';
166.     }
167. }
169. if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
170.     exit("hacker :)");
171. }
173. if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
174.     exit("hacker :)");
175. }
177. if (isset($_GET['show_source'])) {
178.     highlight_file(basename($_SERVER['PHP_SELF']));
179.     exit();
180. }else{
181.     show_source(__FILE__);
182. }
183. ?> exit("hacker<?php
184. include 'utils.php';
186. if (isset($_POST['guess'])) {
187.     $guess = (string) $_POST['guess'];
188.     if ($guess === $secret) {
189.         $message = 'Congratulations! The flag is: ' . $flag;
190.     } else {
191.         $message = 'Wrong. Try Again';
192.     }
193. }
195. if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
196.     exit("hacker :)");
197. }
199. if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
200.     exit("hacker :)");
201. }
203. if (isset($_GET['show_source'])) {
204.     highlight_file(basename($_SERVER['PHP_SELF']));
205.     exit();
206. }else{
207.     show_source(__FILE__);
208. }
209. ?> :)");}

复制代码

 
这个正则是匹配末尾有没有utils.php/
绕过办法很简单
因为后面要调用basename，所以可以利用中文来绕过，中文不属于ascii编码中的，所以可以payload

 

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！