[ACTF2020 Freshmen Competition] BackupFile
Open the challenge environment.
The page tells us to try to find the source file.
Viewing the page source reveals nothing.
Based on the challenge hint, we can try to brute-force directories to gather information, or try visiting /index.php to see whether it responds and whether a backup of the page exists.
Try accessing /index.php: it is accessible normally.
Visit /flag.php to check whether it exists: it is accessible, but there is no output, which indicates that the source code contains some condition or filtering logic.
Next we look for the backup of the site's source. Guessing that it might be /index.php.bak, we try to access it, and a download prompt for the backup file appears.
After downloading it locally and opening it with a text editor, we find the source code.
Analysing the source, the key parameter that is passed in goes through a PHP loose comparison (==), and the key point is the is_numeric() function.
PHP has two equality operators, == and ===.
=== first checks whether the types of the two operands are the same, and only then compares the values.
== first converts the operands to the same type, and then compares them.
Type-conversion rules for ==:
1. When a string is compared with a number, the string is converted to a number.
   For example: "root"==0 is true. "root" is converted to a number; since "root" is a non-numeric string the conversion fails and gives int("root")=0, so the comparison result is true.
2. A mixed string is converted to a number by taking its leading numeric part.
   For example: "123root"==123 and "2goodyou"==2.
The is_numeric() function checks whether a variable is a number or a numeric string. It returns TRUE if the variable is a number or a numeric string, otherwise it returns FALSE.
Looking at the string assigned to the $str variable in the source and at the if statement that controls the output, and applying the rules above, we can construct the payload as:
/index.php?key=123
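As an added illustration, not the challenge's own source (which this writeup does not reproduce), the PHP below reconstructs a gate of the kind described above: an is_numeric() filter followed by a loose == against a string, next to the same gate rewritten with a same-type comparison. SECRET is a constructed value that only needs to begin with digits; the intval() cast and the function names are assumptions. It also evaluates the conversion rules quoted above at runtime.

```php
<?php
// Added example, not the challenge's real source. It reconstructs a gate of
// the kind the writeup describes (is_numeric filter followed by a loose ==
// against a string) and shows the same check with strict, same-type
// comparison. SECRET is constructed; it only needs to start with digits for
// the "mixed string takes its leading number" rule to apply.
declare(strict_types=1);

const SECRET = '123ffwsfwefwf24r2f32ir23jrw923rskfjwtsw54w3'; // constructed

// Vulnerable gate: keeps only numeric keys, then compares with ==.
// Under PHP 7 and earlier the string operand is converted to a number
// ("123ffw..." becomes 123), so a key of 123 passes without knowing SECRET.
function weakGate(string $key): bool
{
    if (!is_numeric($key)) {
        return false;          // the is_numeric() filter the writeup mentions
    }
    $n = intval($key);         // assumed cast; the writeup does not show it
    return $n == SECRET;       // loose comparison: this is the bug
}

// Hardened gate: both operands stay strings, so no implicit conversion can
// happen, and hash_equals() compares them in constant time.
function strictGate(string $key): bool
{
    if (!is_numeric($key)) {
        return false;
    }
    return hash_equals(SECRET, $key);
}

// The conversion rules quoted in the writeup, evaluated by the running
// interpreter (the results for the first three differ between PHP 7 and 8).
function looseRules(): array
{
    return [
        '"root" == 0'      => "root" == 0,
        '"123root" == 123' => "123root" == 123,
        '"2goodyou" == 2'  => "2goodyou" == 2,
        '"123" == "0123"'  => "123" == "0123",   // two numeric strings compare as numbers
        '"123" === "0123"' => "123" === "0123",  // === also checks the exact string
    ];
}

if (PHP_SAPI === 'cli') {
    echo "PHP " . PHP_VERSION . "\n";
    foreach (looseRules() as $expr => $result) {
        printf("%-20s -> %s\n", $expr, var_export($result, true));
    }
    foreach (['123', '123ffw', 'root', '0'] as $k) {
        printf("key=%-8s is_numeric=%-5s weak=%-5s strict=%s\n",
            $k,
            var_export(is_numeric($k), true),
            var_export(weakGate($k), true),
            var_export(strictGate($k), true));
    }
}
```

Run it with `php gate.php`. The conversion rules quoted above describe PHP 7 and earlier; PHP 8 changed number-to-string comparison so that a number compared with a non-numeric string (a leading-numeric string such as "123root" counts as non-numeric here) is compared as strings, so "root" == 0 becomes false and weakGate('123') only succeeds on PHP 7. strictGate() behaves the same on both versions, which is the point of keeping both operands the same type.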
We get the flag for this challenge:
flag{73b7db44-cd8f-4f2c-958f-9492738f0fdd}
If anything in this article is wrong, criticism and corrections are welcome!