###### tags: `DarkCTF` `Web` # PHP İnformation ### description - Let's test your php knowledge. - Flag Format: DarkCTF{} - http://php.darkarmy.xyz:7001 - 查看php段原始碼 ```php= <?php include "flag.php"; echo show_source("index.php"); if (!empty($_SERVER['QUERY_STRING'])) { $query = $_SERVER['QUERY_STRING']; $res = parse_str($query); if (!empty($res['darkctf'])){ $darkctf = $res['darkctf']; } } if ($darkctf === "2020"){ echo "<h1 style='color: chartreuse;'>Flag : $flag</h1></br>"; } if ($_SERVER["HTTP_USER_AGENT"] === base64_decode("MjAyMF90aGVfYmVzdF95ZWFyX2Nvcm9uYQ==")){ echo "<h1 style='color: chartreuse;'>Flag : $flag_1</h1></br>"; } if (!empty($_SERVER['QUERY_STRING'])) { $query = $_SERVER['QUERY_STRING']; $res = parse_str($query); if (!empty($res['ctf2020'])){ $ctf2020 = $res['ctf2020']; } if ($ctf2020 === base64_encode("ZGFya2N0Zi0yMDIwLXdlYg==")){ echo "<h1 style='color: chartreuse;'>Flag : $flag_2</h1></br>"; } } if (isset($_GET['karma']) and isset($_GET['2020'])) { if ($_GET['karma'] != $_GET['2020']) if (md5($_GET['karma']) == md5($_GET['2020'])) echo "<h1 style='color: chartreuse;'>Flag : $flag_3</h1></br>"; else echo "<h1 style='color: chartreuse;'>Wrong</h1></br>"; } ?> ``` ### flag - darkctf===2020 -  ### flag1 - `curl http://php.darkarmy.xyz:7001 --user-agent "2020_the_best_year_corona"` -  ### flag2 - encode`ZGFya2N0Zi0yMDIwLXdlYg==` - `http://php.darkarmy.xyz:7001/?ctf2020=WkdGeWEyTjBaaTB5TURJd0xYZGxZZz09` -  ### flag3 - 網路上有解釋php bug`https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf` - http://php.darkarmy.xyz:7001/?karma=240610708&2020=QNKCDZO - 簡單來說就是php在判讀0e開頭的字串會視為同樣的值都等於0 -  - flag:`DarkCTF{very_nice_web_challenge_dark_ctf}`