一本单词书
www.zip
从admin_check.php
?php if (!isset($_SESSION["username"])) //isset函数是判断变量是否设置并且非NULL { header("Location: login.php"); } }
evil.php注释里藏的代码和源码拼接后得到
?php class Evil { public $file; //public定义一个公有类型,也就是定义一个变量 public $flag; public function __wakeup() { $content = file_get_contents($this-file); //file_get_contents函数是将文件打开后归入一个字符串
if (preg_match("/hgame/", $content)) //preg_match函数进行前后匹配,有点过于复杂,但是这个还是挺简单的,“//”中的hgame是被查找的单词,一旦出现就爆hacker
{ $this->flag = 'hacker!'; }
$this->flag = $content; } }
get.php(这里直接出现flag了)
?php session_start(); include 'admin_check.php'; include 'evil.php'; // flag is in /flag function decode(string $data): Array //创建数组,可多维
{ $result = []; $offset = 0; $length = \strlen($data); while ($offset < $length) { if (!strstr(substr($data, $offset), '|')) { return []; } $pos = strpos($data, '|', $offset); //$data为要查找的字符串,|是查找的字符,查找第一次出现的位置,$offset是从这个位置开始查找 $num = $pos - $offset; $varname = substr($data, $offset, $num); $offset += $num + 1; $dataItem = unserialize(substr($data, $offset)); $result[$varname] = $dataItem; $offset += \strlen(serialize($dataItem)); } return $result; } function loadSessionData(): Array { $filename = '/tmp/'.$_SESSION['unique_key'].'.session'; if (file_exists($filename)) { $str = file_get_contents($filename); return decode($str); } else { file_put_contents($filename, ''); return []; } } echo json_encode(loadSessionData());
login.php
?php session_start(); function alert($msg): string { return "alert('".$msg."')"; } function randomString($length): string { srand(time()); $s = ""; for ($i=0; $i<$length; $i++) { $s .= chr(random_int(32, 127)); } return $s; } if ($_SERVER['REQUEST_METHOD'] == 'POST') { if (!isset($_POST['username']) || !isset($_POST['password'])) { return; } if ($_POST['username'] != 'adm1n') { die(alert('username or password is invalid')); } if (is_numeric($_POST['password'])) { die(alert('密码不能设置为纯数字,我妈都知道( ̄△ ̄;)')); } else { if ($_POST['password'] == 1080) { $_SESSION['username'] = 'admin'; $_SESSION['unique_key'] = md5(randomString(8)); header('Location: index.php'); } else { die(alert('这你都能输错?')); } } } ?>
ping.php
?php echo "pong!"
save.php
?php session_start(); include 'admin_check.php'; function encode($data): string { $result = ''; foreach ($data as $k =$v) { $result .= $k . '|' . serialize($v); } return $result; } function saveSessionData() { $filename = "/tmp/".$_SESSION['unique_key'].'.session'; $data = json_decode(file_get_contents("php://input")); $str = encode($data); file_put_contents($filename, $str, FILE_APPEND); } if ($_SERVER['REQUEST_METHOD'] == 'POST') { saveSessionData(); } else { echo 'method not allowed'; }