Web23
0x01 链接靶场,回显php源码 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 <?php /* # -*- coding: utf-8 -*- # @Author: h1xa # @Date: 2020-09-03 11:43:51 # @Last Modified by: h1xa # @Last Modified time: 2020-09-03 11:56:11 # @email: h1xa@ctfer.com # @link: https://ctfer.com */ error_reporting(0); include('flag.php'); if(isset($_GET['token'])){ $token = md5($_GET['token']); if(substr($token, 1,1)===substr($token, 14,1) && substr($token, 14,1) ===substr($token, 17,1)){ if((intval(substr($token, 1,1))+intval(substr($token, 14,1))+substr($token, 17,1))/substr($token, 1,1)===intval(substr($token, 31,1))){ echo $flag; } } }else{ highlight_file(__FILE__); } ?> 0x02 代码审计,代码大意为将get传参的token值进行md5加密,进行判断。若下标1的数+下标14+下标17/下标1===,则输出flag 尝试任意传参后使用burp抓包后,将传参值添加为payload后进行爆破 0x03 过滤响应包长度,查看另类响应包回显内容,获得flag ...