MRCTF2020-套娃 (Matryoshka)

Open the page and view its source:

//1st
$query = $_SERVER['QUERY_STRING'];

if( substr_count($query, '_') !== 0 || substr_count($query, '%5f') != 0 ){
    die('Y0u are So cutE!');
}
if($_GET['b_u_p_t'] !== '23333' && preg_match('/^23333$/', $_GET['b_u_p_t'])){
    echo "you are going to the next ~";
}

Background on QUERY_STRING: https://www.cnblogs.com/mitang/p/3874291.html

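$_SERVER['QUERY_STRING'] holds the raw query string and is not URL-decoded, so the filter can be bypassed with URL encoding. PHP also rewrites spaces and dots in parameter names to underscores when it populates $_GET, which is why b%20u%20p%20t arrives as b_u_p_t without the raw string ever containing "_" or "%5f".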

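/^23333$/ tests the newline bypass (this one showed up again this year): without the D modifier, "$" also matches just before a trailing newline, so "23333\n" matches the pattern while not being identical to '23333'.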

?b%20u%20p%20t=23333%0a
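The first-stage checks above, run against the write-up's query string next to stricter variants, as an added example that is not part of the original post or the challenge source. `parsed_filter_blocks` and `strict_match` are hypothetical names introduced here; the sample input is the query string shown on the page.

```php
<?php
// Constructed input: the raw query string used in the write-up.
$raw = 'b%20u%20p%20t=23333%0a';

// Challenge filter: inspects the undecoded QUERY_STRING only.
function raw_filter_blocks(string $query): bool
{
    return substr_count($query, '_') !== 0 || substr_count($query, '%5f') != 0;
}

// Hypothetical fix: inspect the names PHP actually produced after parsing.
function parsed_filter_blocks(array $params): bool
{
    foreach (array_keys($params) as $name) {
        if (strpos((string)$name, '_') !== false) {
            return true;
        }
    }
    return false;
}

// Challenge comparison: "$" also matches just before a trailing "\n".
function loose_match(string $v): bool
{
    return preg_match('/^23333$/', $v) === 1;
}

// Hypothetical fix: \A and \z anchor to the absolute start and end.
function strict_match(string $v): bool
{
    return preg_match('/\A23333\z/', $v) === 1;
}

// parse_str() applies the same name mangling as $_GET:
// spaces and dots in parameter names become underscores.
parse_str($raw, $params);
$value = (string)($params['b_u_p_t'] ?? '');

printf("parsed names:          %s\n", json_encode(array_keys($params)));
printf("parsed value:          %s\n", json_encode($value));
printf("raw filter blocks:     %s\n", var_export(raw_filter_blocks($raw), true));
printf("parsed filter blocks:  %s\n", var_export(parsed_filter_blocks($params), true));
printf("value !== '23333':     %s\n", var_export($value !== '23333', true));
printf("/^23333\$/ matches:     %s\n", var_export(loose_match($value), true));
printf("/\\A23333\\z/ matches:   %s\n", var_export(strict_match($value), true));
```

The general lesson is to validate the same representation the application consumes: the parsed parameter names and a fully anchored pattern, not the raw query string and a bare "$".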

The response hints at secrettw.php. Its source contains JSFuck (jsfxxk), which decodes to an alert saying "post me Merak".

The source is then displayed:

<?php
error_reporting(0);
include 'takeip.php';
ini_set('open_basedir','.');
include 'flag.php';

if(isset($_POST['Merak'])){
    highlight_file(__FILE__);
    die();
}


function change($v){
    $v = base64_decode($v);
    $re = '';
    for($i=0;$i<strlen($v);$i++){
        $re .= chr ( ord ($v[$i]) + $i*2 );
    }
    return $re;
}
echo 'Local access only!'."<br/>";
$ip = getIp();
if($ip!='127.0.0.1')
    echo "Sorry,you don't have permission! Your ip is :".$ip;
if($ip === '127.0.0.1' && file_get_contents($_GET['2333']) === 'todat is a happy day' ){
    echo "Your REQUEST is:".change($_GET['file']);
    echo file_get_contents(change($_GET['file']));
}
?>

Satisfy the file_get_contents check by passing a data: URI in the 2333 parameter, and bypass the IP check with the Client-IP request header.

Then invert the change function to build the payload for the file parameter.

Author: inanb

Published: 2021-04-11

Updated: 2021-04-11
