###### tags: `DarkCTF` `Web`

# Web/Source

### description

- Don't know source is helpful or not !!
- http://web.darkarmy.xyz
- file: https://mega.nz/file/K011ACaL#S6kfjaYxN_cOcYHYzBKpKKsqAf3dh7PS0-lKFIuGjZA
- View the source:

```php
<html>
<head>
    <title>SOURCE</title>
    <style>
        #main {
            height: 100vh;
        }
    </style>
</head>
<body><center>
<link rel="stylesheet" href="https://www.w3schools.com/w3css/4/w3.css">
<?php
// The User-Agent header is fully controlled by the client.
$web = $_SERVER['HTTP_USER_AGENT'];
if (is_numeric($web)){
    if (strlen($web) < 4){
        if ($web > 10000){
            echo ('<div class="w3-panel w3-green"><h3>Correct</h3>
            <p>darkCTF{}</p></div>');
        } else {
            echo ('<div class="w3-panel w3-red"><h3>Wrong!</h3>
            <p>Ohhhhh!!! Very Close </p></div>');
        }
    } else {
        echo ('<div class="w3-panel w3-red"><h3>Wrong!</h3>
        <p>Nice!!! Near But Far</p></div>');
    }
} else {
    echo ('<div class="w3-panel w3-red"><h3>Wrong!</h3>
    <p>Ahhhhh!!! Try Not Easy</p></div>');
}
?>
</center>
<!-- Source is helpful -->
</body>
</html>
```

- Key lines
    - The User-Agent string must be shorter than 4 characters
    - but its value must be greater than 10000

```php
$web = $_SERVER['HTTP_USER_AGENT'];
if (is_numeric($web)){          // must be a numeric string
    if (strlen($web) < 4){      // at most 3 characters long
        if ($web > 10000){      // compared as a number
            // the flag is printed here
        }
    }
}
```

- Use scientific notation, 1e(?), which means 1 times 10 to the power of ?. `is_numeric()` accepts this form, and the comparison with 10000 treats the string as a number.
    - e.g. 1e6 = 1000000, 5e3 = 5000
- Send the request directly with curl
    - ![](https://i.imgur.com/NVCfUgt.png)
- flag: `darkCTF{changeing_http_user_agent_is_easy}`
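The challenge's check beside a stricter one, run over constructed sample User-Agent values. This is an added example, not part of the original write-up or the challenge source; the function names `weak_check` and `strict_check` and the sample list are hypothetical.

```php
<?php
// Added example; function names and sample inputs are constructed for illustration.

// The challenge's logic: is_numeric() accepts exponent notation, and
// comparing a numeric string with an int is done numerically.
function weak_check(string $ua): bool
{
    return is_numeric($ua) && strlen($ua) < 4 && $ua > 10000;
}

// Stricter variant: only plain decimal digits, then an integer comparison.
// With digits only, a string shorter than 4 characters is at most 999,
// so the length limit and the "> 10000" condition can never both hold.
function strict_check(string $ua): bool
{
    if (!ctype_digit($ua) || strlen($ua) >= 4) {
        return false;
    }
    return (int) $ua > 10000;
}

// Constructed sample header values.
$samples = ['Mozilla/5.0', '123', '99999', '1e6', '9e9', '0x1'];

printf("%-12s %-6s %s\n", 'input', 'weak', 'strict');
foreach ($samples as $ua) {
    printf(
        "%-12s %-6s %s\n",
        $ua,
        weak_check($ua) ? 'pass' : 'fail',
        strict_check($ua) ? 'pass' : 'fail'
    );
}
```

Only the exponent forms pass the weak check, and nothing passes the strict one, which shows that the two conditions are contradictory once the input is limited to plain digits.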