实验吧 - "Do you really know PHP?" writeup

Source: Internet | Editor: 程序博客网 | Date: 2024/05/19 02:02

First, capture the traffic with Fiddler. The response header contains a hint: 6c525af4059b4fe7d8c33a.txt. Opening that file gives the source of index.php:

```php
<?php
$info = "";
$req = [];
$flag = "xxxxxxxxxx";
ini_set("display_error", false);
error_reporting(0);
if (!isset($_POST['number'])) {
    header("hint:6c525af4059b4fe7d8c33a.txt");
    die("have a fun!!");
}
foreach ([$_POST] as $global_var) {
    foreach ($global_var as $key => $value) {
        $value = trim($value);
        // If is_string($value) is true, run $req[$key] = addslashes($value)
        is_string($value) && $req[$key] = addslashes($value);
    }
}
function is_palindrome_number($number) {
    $number = strval($number);
    $i = 0;
    $j = strlen($number) - 1;
    while ($i < $j) {
        if ($number[$i] !== $number[$j]) {
            return false;
        }
        $i++;
        $j--;
    }
    return true;
}
if (is_numeric($_REQUEST['number'])) {
    // This checks the raw value, before trim() and addslashes() were applied
    $info = "sorry, you cann't input a number!";
} elseif ($req['number'] != strval(intval($req['number']))) {
    $info = "number must be equal to it's integer!! ";
} else {
    $value1 = intval($req["number"]);
    $value2 = intval(strrev($req["number"]));
    if ($value1 != $value2) {
        $info = "no, this is not a palindrome number!";
    } else {
        if (is_palindrome_number($req["number"])) {
            $info = "nice! {$value1} is a is_palindrome_number number!";
        } else {
            $info = $flag;
        }
    }
}
echo $info;
```

Build the POST request with Fiddler:

Append a whitespace character to the POST value 0e-0 (or a URL-encoded character that trim() strips, such as %20 for a space or %00 for a NUL byte) so that is_numeric($_REQUEST['number']) returns false on the raw, untrimmed value. After trim() the value is back to 0e-0, and the check $req['number'] != strval(intval($req['number'])) compares "0e-0" against "0": both are numeric strings, so PHP compares them numerically (0 against 0), the inequality is false, and the check is bypassed. intval("0e-0") and intval(strrev("0e-0")) (that is, intval("0-e0")) are both 0, so $value1 == $value2, while the character-by-character is_palindrome_number("0e-0") check fails, which lands in the $flag branch. Caveat: since PHP 8.0 is_numeric() accepts trailing whitespace, so a trailing space only works on PHP 7; the %00 variant defeats is_numeric() on every version and is still removed by trim().
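To see why each payload does or does not reach the flag, the checks from index.php above can be replayed offline. The following script is an added example, not part of the original writeup or the challenge; it reimplements the challenge logic as a function that returns the branch a raw POST value reaches, with a placeholder in place of the real $flag, and runs a handful of constructed candidate values through it.

```php
<?php
// Added example (not the challenge's own code): the index.php checks above,
// reimplemented as a pure function so candidate payloads can be tested
// locally without Fiddler. "FLAG" is a placeholder for the real $flag.

function is_palindrome_number($number) {
    // Same strict, character-by-character comparison as the challenge.
    $number = strval($number);
    $i = 0;
    $j = strlen($number) - 1;
    while ($i < $j) {
        if ($number[$i] !== $number[$j]) {
            return false;
        }
        $i++;
        $j--;
    }
    return true;
}

function challenge_branch(string $raw): string
{
    // The challenge checks $_REQUEST['number'] raw, before trim()/addslashes().
    if (is_numeric($raw)) {
        return "sorry, you cann't input a number!";
    }
    // $req['number'] is the trimmed, addslashes()'d copy of the same value.
    // trim() strips " \t\n\r\0\x0B", so a trailing space or NUL disappears here.
    $number = addslashes(trim($raw));

    // Loose != between two numeric strings compares them numerically,
    // so "0e-0" != "0" evaluates 0 != 0, which is false.
    if ($number != strval(intval($number))) {
        return "number must be equal to it's integer!! ";
    }
    $value1 = intval($number);
    // strrev("0e-0") is "0-e0"; intval() reads only the leading "0".
    $value2 = intval(strrev($number));
    if ($value1 != $value2) {
        return "no, this is not a palindrome number!";
    }
    if (is_palindrome_number($number)) {
        return "nice! {$value1} is a is_palindrome_number number!";
    }
    return "FLAG";
}

// Constructed candidate values, as they would arrive after URL decoding.
$candidates = [
    "12321",    // plain palindrome: is_numeric() is true, rejected up front
    "0e-0",     // also a numeric string (0 * 10^-0), rejected up front
    "0e-0 ",    // trailing space (%20): is_numeric() is false on PHP < 8 only
    "0e-0\0",   // trailing NUL (%00): is_numeric() is false on every PHP version
];
foreach ($candidates as $candidate) {
    printf("%-14s -> %s\n", json_encode($candidate), challenge_branch($candidate));
}
```

Run it with `php script.php` under both a PHP 7 and a PHP 8 interpreter: the trailing-space candidate changes branch between the two because PHP 8 accepts trailing whitespace in numeric strings, while the NUL-terminated candidate behaves the same on both.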
