知识点:
正则表达式绕过(+)
__wakeup()绕过方法
源代码提示:
hash解码(哈希不可逆,这里实际是对哈希值进行破解/反查)得到 sign=kkkkkk01
构造:
?key=111&hash=adaa10eef3a02754da03b5a3a6f40ae6
得到: Gu3ss_m3_h2h2.php
<?php
/**
 * Prints the syntax-highlighted source of one file when the object is destroyed.
 *
 * NOTE(review): the path is constrained only in __wakeup(); __destruct() uses
 * the property as-is. A check that lives solely in __wakeup() should not be
 * treated as a security boundary. Re-validate the path where it is consumed
 * (an allow-list in __destruct()), and avoid building this object from
 * request-controlled serialized data.
 */
class Demo {
    // Path handed to highlight_file() in __destruct().
    private $file = 'Gu3ss_m3_h2h2.php';

    /**
     * Remember which file should be rendered.
     *
     * @param mixed $file Path stored verbatim; no validation happens here.
     */
    public function __construct($file) {
        $this->file = $file;
    }

    /**
     * Echo the highlighted source of the stored path.
     *
     * The @ operator hides the warning raised when the path cannot be read;
     * highlight_file() then returns false, which echoes as an empty string.
     */
    public function __destruct() {
        $highlighted = @highlight_file($this->file, true);
        echo $highlighted;
    }

    /**
     * Runs when the object is rebuilt by unserialize(): any path that does not
     * loosely equal the default is reset to the default.
     */
    public function __wakeup() {
        if ($this->file == 'Gu3ss_m3_h2h2.php') {
            return;
        }
        //the secret is in the f15g_1s_here.php
        $this->file = 'Gu3ss_m3_h2h2.php';
    }
}
if (isset($_GET['var'])) {
$var = base64_decode($_GET[&#