首页有两个下载链接,其中"download.php?url=Y2hvdWJhZ3VhaS5tcDM="的base64解码后内容是"choubaguai.mp3",将"index.php"、"download.php"编码传入url,"index.php"不能下载,"download.php"内容如下:

<?php
error_reporting(0);
include("hereiskey.php");
$url=base64_decode($_GET[url]);
if( $url=="hereiskey.php" || $url=="choubaguai.mp3" || $url=="One Love.mp3" || $url=="download.php"){
    $file_size = filesize($url);
    header ( "Pragma: public" );
    header ( "Cache-Control: must-revalidate, post-check=0, pre-check=0" );
    header ( "Cache-Control: private", false );
    header ( "Content-Transfer-Encoding: binary" );
    header ( "Content-Type:audio/mpeg MP3");
    header ( "Content-Length: " . $file_size);
    header ( "Content-Disposition: attachment; filename=".$url);
    echo(file_get_contents($url));
    exit;
}
else {
    echo "Access Forbidden!";
}
?>

得知"hereiskey.php",同样编码下载,得到flag