[MRCTF2020]Ez_bypass
F12可以看到格式化好的源码
<?php #I put something in F12 for you include 'flag.php'; $flag='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}'; if(isset($_GET['gg'])&&isset($_GET['id'])) { $id=$_GET['id']; $gg=$_GET['gg']; if (md5($id) === md5($gg) && $id !== $gg) { echo 'You got the first step'; if(isset($_POST['passwd'])) { $passwd=$_POST['passwd']; if (!is_numeric($passwd)) { if($passwd==1234567) { echo 'Good Job!'; highlight_file('flag.php'); die('By Retr_0'); } else { echo "can you think twice??"; } } else{ echo 'You can not get it !'; } } else{ die('only one way to get the flag'); } } else { echo "You are not a real hacker!"; } } else{ die('Please input first'); } } ?>
md5用数组绕,md5()函数无法操作数组,返回NULL,两个NULL相等
is_numeric()函数用1234567a绕。1234567a是字符串,但是弱比较的时候,1在前,php会将其整体转成数字,就可以通过比较了。
获取到flag