拐弯抹角 (Beating Around the Bush)

Source: Internet  Published by: dem软件  Editor: 程序博客网  Date: 2024/04/29 07:13
http://www.shiyanbar.com/ctf/1846
Challenge: 拐弯抹角 (Beating Around the Bush)
How do you fool the server into handing over the flag?
Format: CTF{}
Challenge link: http://ctf5.shiyanbar.com/10/indirection/
Solution:
<?php
// code by SEC@USTC
echo '<html><head><meta http-equiv="charset" content="gbk"></head><body>';
$URL = $_SERVER['REQUEST_URI'];
//echo 'URL: '.$URL.'<br/>';
$flag = "CTF{???}";
$code = str_replace($flag, 'CTF{???}', file_get_contents('./index.php'));
$stop = 0;
//This challenge is also meant to teach something
//First, one can construct /indirection/a/../ or /indirection/./ and the like
//So the first requirement is that ./ must not appear
if($flag && strpos($URL, './') !== FALSE){
    $flag = "";
    $stop = 1;        //Pass
}
//Second, \ can be used in place of the filtered /
//So the second requirement is that \ must not appear
if($flag && strpos($URL, '\\') !== FALSE){
    $flag = "";
    $stop = 2;        //Pass
}
//Third, some systems are case-insensitive, e.g. indirectioN/
//Characters such as ? and # can also be used to bypass; this needs a single unified fix
//So the third requirement restricts the allowed characters to a-z, / and .
$matches = array();
preg_match('/^([0-9a-z\/.]+)$/', $URL, $matches);
if($flag && empty($matches) || $matches[1] != $URL){
    $flag = "";
    $stop = 3;        //Pass
}
//Fourth, repeated / also works
//So the fourth requirement is that // must not appear
if($flag && strpos($URL, '//') !== FALSE){
    $flag = "";
    $stop = 4;        //Pass
}
//Fifth, obviously both adding and removing index.php work
//So the next requirement is that the URL must contain /index.php and end with it
if($flag && substr($URL, -10) !== '/index.php'){
    $flag = "";
    $stop = 5;        //Not Pass
}
//Sixth, we know that appending . after index.php also works
//So we forbid a . immediately after p
if($flag && strpos($URL, 'p.') !== FALSE){
    $flag = "";
    $stop = 6;        //Not Pass
}
//Seventh, now comes the decisive moment
//Your $URL must differ from /indirection/index.php
if($flag && $URL == '/indirection/index.php'){
    $flag = "";
    $stop = 7;        //Not Pass
}
if(!$stop) $stop = 8;
echo 'Flag: '.$flag;
echo '<hr />';
for($i = 1; $i < $stop; $i++)
    $code = str_replace('//Pass '.$i, '//Pass', $code);
for(; $i < 8; $i++)
    $code = str_replace('//Pass '.$i, '//Not Pass', $code);
echo highlight_string($code, TRUE);
echo '</body></html>';



mixed str_replace ( mixed $search , mixed $replace , mixed $subject [, int &$count ] )
This function returns a string or an array in which every occurrence of search in subject has been replaced by replace.


The line $code = str_replace($flag, 'CTF{???}', file_get_contents('./index.php')); shows that the displayed source is this same index.php with the real flag masked, so the flag is printed only when $_SERVER['REQUEST_URI'] survives all seven checks.
Append /index.php to the URL: the request URI then ends in /index.php, contains none of the forbidden patterns, and is no longer equal to /indirection/index.php, while the server still executes the same index.php and treats the trailing /index.php as PATH_INFO (the "pseudo-static" routing the flag name alludes to).
Result: Flag: CTF{PSEDUO_STATIC_DO_YOU_KNOW}
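As an added example (not part of the original writeup), the following Python port of the seven REQUEST_URI checks lets you see which check each candidate URL trips, and pairs it with a simplified model of how the server splits a request path into the script that actually runs and its PATH_INFO. The point for defenders: a check on the resolved script path catches what a check on the raw URI misses. The function names and the split rule ("first segment ending in .php is the script") are assumptions for illustration; a real PHP deployment exposes the same split as $_SERVER['SCRIPT_NAME'] and $_SERVER['PATH_INFO'].

```python
import re

CHALLENGE_SCRIPT = '/indirection/index.php'


def stop_for(uri: str) -> int:
    """Port of the challenge's checks. Returns the number of the first check
    that fires, or 0 when the URI passes all seven (flag would be shown)."""
    if './' in uri:                                   # 1: path traversal / self-dir
        return 1
    if '\\' in uri:                                   # 2: backslash as separator
        return 2
    if re.fullmatch(r'[0-9a-z/.]+', uri) is None:     # 3: case, ?, #, anything odd
        return 3
    if '//' in uri:                                   # 4: repeated slashes
        return 4
    if not uri.endswith('/index.php'):                # 5: must end with /index.php
        return 5
    if 'p.' in uri:                                   # 6: trailing dot after index.php
        return 6
    if uri == CHALLENGE_SCRIPT:                       # 7: must differ from the script path
        return 7
    return 0


def split_script(uri: str):
    """Simplified server-side mapping (assumption): the first path segment that
    ends in '.php' is the script, everything after it is PATH_INFO."""
    parts = uri.split('/')
    for i, seg in enumerate(parts):
        if seg.endswith('.php'):
            script = '/'.join(parts[:i + 1])
            rest = parts[i + 1:]
            return script, ('/' + '/'.join(rest)) if rest else ''
    return uri, ''


def hardened_reject(uri: str) -> bool:
    """Defensive variant of check 7: compare the script the server will run,
    not the raw request URI, so extra PATH_INFO cannot disguise it."""
    script, _ = split_script(uri)
    return script == CHALLENGE_SCRIPT


if __name__ == '__main__':
    # Constructed sample URIs, one per filter plus the pseudo-static one.
    for u in ['/indirection/index.php', '/indirection/a/../index.php',
              '/indirection//index.php', '/indirection/index.php.',
              '/indirectioN/index.php', '/indirection/index.php/index.php']:
        print(f'{u:40} stop={stop_for(u)} script={split_script(u)[0]} '
              f'hardened_reject={hardened_reject(u)}')
```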