目录
题目
<?php
require __DIR__.'/flag.php';
if (isset($_POST['answer'])){
$number = $_POST['answer'];
if (noother_says_correct($number)){
echo $flag;
} else {
echo "Sorry";
}
}
function noother_says_correct($number)
{
$one = ord('1'); //49
$nine = ord('9'); //57
# Check all the input characters!
for ($i = 0; $i < strlen($number); $i++)
{
# Disallow all the digits!
$digit = ord($number{$i});
if ( ($digit >= $one) && ($digit <= $nine) )
{
# Aha, digit not allowed!
return false;
}
}
# Allow the magic number ...
return ($number == "3735929054"); //此处原题无括号包裹
}
highlight_file(__FILE__);
?>
分析
if (isset($_POST['answer']))
POST一发answer
if (noother_says_correct($number)){
echo $flag;
打印flag的条件是noother_says_correct函数返回true
function noother_says_correct($number)
{
$one = ord('1'); //49
$nine = ord('9'); //57
# Check all the input characters!
for ($i = 0; $i < strlen($number); $i++)
{
# Disallow all the digits!
$digit = ord($number{$i});
if ( ($digit >= $one) && ($digit <= $nine) )
{
# Aha, digit not allowed!
return false;
}
}
# Allow the magic number ...
return ($number == "3735929054"); //此处原题无括号包裹
}
该函数对POST的字符串每个字符做检测,如果有一个字符的ASCII码在[49,57]内则返回false,即输入的字符串不能含有1-9数字
返回true的条件是POST的字符串与3735929054等值比较返回true
综合起来后,思路为输入一个不含1-9数字的,与3735929054等值比较返回true的字符串
可以利用弱类型比较和进制转换,找到这么个字符串
知识点
进制
3735929054可以转化为不含1-9的16进制即0xdeadc0de
弱类型比较
challenge2做过介绍,不多说
解法
answer=0xdeadc0de