Variable overwrite challenge; the source is as follows:
<?php
highlight_file('source.txt');
echo "<br><br>";
$flag = 'xxxxxxxx';
$msg_giveme = 'Give me the flag!';
$msg_getout = 'No this. Get out!';
if(!isset($_GET['flag']) && !isset($_POST['flag'])){
    exit($msg_giveme);
}
if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){
    exit($msg_getout);
}
foreach ($_POST as $key => $value) {
    $$key = $value;
}
foreach ($_GET as $key => $value) {
    $$key = $$value;
}
echo 'the flag is : ' . $flag;
?>

Give me the flag!
Auditing it, the idea is:
We need flag=flag for $flag to be echoed,
but flag=flag is filtered.

foreach ($_GET as $key => $value) {
    $$key = $$value;
}

In this loop, each key becomes a variable name, and it is assigned the value of the variable named by the corresponding value.
Construct flag1=flag; at this point it becomes $flag1 = $flag, and at the end $flag is echoed.
Construct the next payload, flag=flag1.
That gives $flag = $flag1, which is the same as flag=flag, so the flag is echoed at the end.
Full payload: flag1=flag&flag=flag1
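The following is an added example, not code from the original write-up or the challenge. It models the challenge's $_GET loop with a constructed query array so it runs offline from the CLI, shows why the two parameters must arrive in the order flag1=flag&flag=flag1, and contrasts it with a rewrite that keeps request data in an array instead of using variable variables. The function names resolve and resolveSafe and the placeholder flag value are assumptions made for the demo.

```php
<?php
// Added example (not from the original write-up). Models the challenge's
// $_GET loop over a constructed array in place of the real $_GET.

// Same loop as the challenge: every query key becomes a local variable whose
// value is read from the variable NAMED by the query value. The challenge
// code has no "?? null"; it is added here only to silence the
// "Undefined variable" warning, which in PHP still yields null.
function resolve(array $query, string $flag): string
{
    foreach ($query as $key => $value) {
        $$key = $$value ?? null;
    }
    // $flag may have been overwritten by the loop above.
    return (string) $flag;
}

// Hardened rewrite: request data stays in its array, only an explicit
// allow-list of parameter names is consulted, and $flag is never among the
// names a request can reach, so the same query cannot copy it.
function resolveSafe(array $query, string $flag): string
{
    $allowed = ['flag'];
    $params = [];
    foreach ($allowed as $name) {
        if (array_key_exists($name, $query)) {
            $params[$name] = (string) $query[$name];
        }
    }
    if (($params['flag'] ?? '') === 'flag') {
        return 'No this. Get out!';
    }
    // Only the submitted parameter is echoed, never the secret.
    return 'you sent flag=' . ($params['flag'] ?? '(none)');
}

$secret = 'flag{placeholder}'; // constructed value standing in for the real flag

// PHP fills $_GET in query-string order, so flag1=flag&flag=flag1 arrives as:
$ordered  = ['flag1' => 'flag', 'flag' => 'flag1'];
// The same two parameters in the reverse order (flag=flag1&flag1=flag):
$reversed = ['flag' => 'flag1', 'flag1' => 'flag'];

echo "ordered:  " . resolve($ordered, $secret)  . "\n"; // flag{placeholder}
echo "reversed: " . resolve($reversed, $secret) . "\n"; // empty: $flag1 was undefined when copied
echo "safe:     " . resolveSafe($ordered, $secret) . "\n"; // you sent flag=flag1
```

Run it with `php example.php`. In the ordered case the first iteration copies the secret into $flag1 and the second copies it back into $flag; in the reversed case the first iteration reads the not-yet-defined $flag1 and replaces $flag with null, so the second iteration only propagates the null. The allow-list version has no $$ at all, which is the usual fix: variable variables driven by request keys let a client choose which local, including the secret, it gets to read or overwrite.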