
nishihundun 2022-01-28 17:42 原文

一本单词书

www.zip

从admin_check.php

?php

// Access gate included by get.php and save.php: sends a redirect to login.php
// when the session has no "username" entry.
// NOTE(review): no exit/die is visible after header(), so a script that
// includes this file keeps running and still produces its output for a client
// that ignores the redirect. A redirect used as an access check should be
// followed immediately by exit.
if (!isset($_SESSION["username"]))    // isset() is true only when the variable is set and not NULL

{
header("Location: login.php");
}

// NOTE(review): this closing brace has no matching opener in the listing; part
// of the original file appears to be missing from this excerpt.
}

 evil.php注释里藏的代码和源码拼接后得到

?php

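/**
 * Class from evil.php whose __wakeup() hook reads a file into $flag.
 *
 * PHP calls __wakeup() automatically whenever unserialize() rebuilds an Evil
 * object, so the file read below is driven entirely by the serialized input.
 *
 * NOTE(review): any script that has this class loaded and unserializes data a
 * client can influence (get.php does both) exposes a local file read.
 * Mitigate at the call site: store the data as JSON, or call unserialize()
 * with ['allowed_classes' => false].
 */
class Evil
{
    /** Path handed to file_get_contents(); comes from the serialized object. */
    public $file;

    /** Receives the file contents once __wakeup() has run. */
    public $flag;

    /**
     * Loads the contents of $this->file into $this->flag.
     */
    public function __wakeup()
    {
        // file_get_contents() reads the whole file into one string.
        $content = file_get_contents($this->file);

        // preg_match() looks for the word "hgame" anywhere in the contents.
        if (preg_match("/hgame/", $content)) {
            $this->flag = 'hacker!';
        }

        // NOTE(review): this assignment is unconditional, so the 'hacker!'
        // marker set above is always overwritten and the "/hgame/" filter has
        // no effect. A working filter would return (or use else) after a match.
        $this->flag = $content;
    }
}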

get.php(注释里直接给出了 flag 的位置:/flag)

?php
// Start the session first: loadSessionData() below reads $_SESSION.
session_start();
// NOTE(review): admin_check.php only sends a Location header; unless it also
// stops the script, the code below still runs for an unauthenticated request.
include 'admin_check.php';
// Brings class Evil (with its __wakeup() hook) into scope, which makes it
// instantiable by the unserialize() call in decode().
include 'evil.php';

// flag is in /flag

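/**
 * Parses the custom session-file format, "name|<serialized value>" records
 * written back to back, and returns it as a name => value map.
 *
 * Returns [] as soon as the unread remainder contains no '|' separator.
 *
 * NOTE(review): every value is passed to unserialize() with classes allowed.
 * The file being parsed is appended to by save.php from the request body, so
 * this is deserialization of client-controlled data: any loaded class with a
 * magic method such as __wakeup() (evil.php defines one) runs during decoding.
 * Safer options are storing JSON instead, or calling
 * unserialize($chunk, ['allowed_classes' => false]).
 *
 * @param string $data Raw contents of a session file.
 * @return array Decoded variables keyed by name (values may be nested arrays).
 */
function decode(string $data): Array
{
    $result = [];
    $offset = 0;
    $length = \strlen($data);

    while ($offset < $length) {
        // First '|' at or after $offset; it terminates the variable name.
        $pos = strpos($data, '|', $offset);
        if ($pos === false) {
            return [];
        }

        $varname = substr($data, $offset, $pos - $offset);
        $offset = $pos + 1;

        $dataItem = unserialize(substr($data, $offset));
        $result[$varname] = $dataItem;

        // The record stores no length, so the value is serialized again and
        // that many bytes are skipped to reach the next record.
        $offset += \strlen(serialize($dataItem));
    }

    return $result;
}

/**
 * Loads the decoded variables from /tmp/<unique_key>.session, creating an
 * empty file (and returning []) when it does not exist yet.
 *
 * NOTE(review): when the session has no 'unique_key' entry the path collapses
 * to /tmp/.session, which every such request then shares.
 *
 * @return array Result of decode() on the file contents.
 */
function loadSessionData(): Array
{
    $filename = '/tmp/'.$_SESSION['unique_key'].'.session';

    if (file_exists($filename)) {
        $str = file_get_contents($filename);
        return decode($str);
    } else {
        file_put_contents($filename, '');
        return [];
    }
}

// The decoded session data is sent back to the client as JSON.
echo json_encode(loadSessionData());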

 login.php

?php
// Open (or resume) the session so the login handler below can write $_SESSION.
session_start();

/**
 * Wraps a message in a JavaScript alert('...') call and returns it as text.
 *
 * NOTE(review): $msg is inserted without escaping. Every caller in this
 * listing passes a fixed literal; escape for the JavaScript string context
 * before request data is ever passed here.
 *
 * @param mixed $msg Text to show.
 * @return string The alert(...) snippet.
 */
function alert($msg): string {
    $snippet = "alert('{$msg}')";

    return $snippet;
}

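/**
 * Returns $length random characters with byte values 32..127.
 *
 * Each byte comes from random_int(), which draws from the operating system's
 * CSPRNG. No srand()/mt_srand() seeding is done here: random_int() ignores
 * that seed, and seeding from time() would only reset the shared
 * rand()/mt_rand() generator to a guessable state on every call.
 *
 * @param int $length Number of characters to produce; values <= 0 give "".
 * @return string Random string (byte 127, DEL, is not printable).
 */
function randomString($length): string {
    $s = "";
    for ($i = 0; $i < $length; $i++) {
        $s .= chr(random_int(32, 127));
    }
    return $s;
}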

// Login handler: runs only for POST requests that carry both form fields.
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $hasCredentials = isset($_POST['username']) && isset($_POST['password']);
    if (!$hasCredentials) {
        return;
    }

    // NOTE(review): the account name and the password value are hard-coded in
    // the source instead of being checked against a stored password hash.
    if ($_POST['username'] != 'adm1n') {
        die(alert('username or password is invalid'));
    }

    // Purely numeric passwords are refused outright.
    if (is_numeric($_POST['password'])) {
        die(alert('密码不能设置为纯数字,我妈都知道( ̄△ ̄;)'));
    }

    // NOTE(review): this compares a request string with the integer 1080 using
    // a loose operator, so PHP's type-juggling rules (which differ between
    // PHP 7 and PHP 8) decide the outcome rather than exact equality. Use
    // password_verify() against a stored hash, or at minimum a strict,
    // constant-time string comparison such as hash_equals().
    if ($_POST['password'] != 1080) {
        die(alert('这你都能输错?'));
    }

    // NOTE(review): the session id is not regenerated on login
    // (session_regenerate_id(true) would prevent session fixation).
    $_SESSION['username'] = 'admin';
    $_SESSION['unique_key'] = md5(randomString(8));
    header('Location: index.php');
}

?>

ping.php

?php
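// Liveness probe: always answers with the fixed text "pong!".
// The statement is terminated explicitly; without a closing tag after it, the
// missing semicolon is a parse error at end of file.
echo "pong!";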

save.php

?php
// Start the session first: saveSessionData() below reads $_SESSION.
session_start();
// NOTE(review): admin_check.php only sends a Location header; unless it also
// stops the script, the write path below still runs for an unauthenticated
// request.
include 'admin_check.php';

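/**
 * Serializes a map into the session-file format: for each entry the key, a
 * '|' separator, then serialize(value), with nothing between entries.
 *
 * NOTE(review): keys are written verbatim and the format has neither escaping
 * nor a length prefix, so a key that itself contains '|' or serialized-looking
 * text cannot be told apart from real records when get.php's decode() parses
 * the file back. Keys that come from a request should be validated (for
 * example against /^\w+$/) before they are stored.
 *
 * @param array|object $data Entries to iterate (saveSessionData() passes the
 *                           json_decode() result).
 * @return string Concatenated "key|serialized" records.
 */
function encode($data): string {
    $result = '';
    foreach ($data as $k => $v) {
        $result .= $k . '|' . serialize($v);
    }

    return $result;
}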

/**
 * Appends the JSON request body, re-encoded with encode(), to the session
 * file /tmp/<unique_key>.session.
 *
 * NOTE(review): the body is stored without validation. Keys and values go to
 * disk exactly as sent, json_decode() yields null for malformed JSON, and
 * FILE_APPEND lets repeated requests grow the file. Check the decoded shape
 * and restrict key names before writing, and prefer a storage format that
 * does not rely on unserialize() when it is read back.
 */
function saveSessionData() {
    $key = $_SESSION['unique_key'];
    $body = file_get_contents("php://input");
    $record = encode(json_decode($body));

    file_put_contents("/tmp/" . $key . '.session', $record, FILE_APPEND);
}

// Only POST requests store data; any other method gets a plain-text notice.
// NOTE(review): the refusal is sent with the default status code;
// http_response_code(405) would make it visible to clients and logs.
if ($_SERVER['REQUEST_METHOD'] != 'POST') {
    echo 'method not allowed';
} else {
    saveSessionData();
}

 
