<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 21:39:27
# @link: https://ctfer.com
*/
include("flag.php");
$_GET?$_GET=&$_POST:'flag';
$_GET['flag']=='flag'?$_GET=&$_COOKIE:'flag';
$_GET['flag']=='flag'?$_GET=&$_SERVER:'flag';
highlight_file($_GET['HTTP_FLAG']=='flag'?$flag:__FILE__);
?>
$_GET?$_GET=&$_POST:'flag'
$_GET存在,则_GET=&$_POST否则$_GET值为'flag‘
分析代码:
有很多理解方式和解决方式
法一:
GET传入值(随便什么都可以)
POST传入HTTP_FLAG=flag
让后面两行失效,直接跳到最后判定
这时,GET=POST
GET ?111
POST HTTP_FLAG=flag
法二:
GET传入值(随便什么都可以)
POST传入flag=flag
HTTP_FLAG=flag
让SERVER失效,进行最后判定
SERVER暂时不知道怎么传参