I include of spring and Autumn

Open the connection , The title prompt is a File Inclusion Vulnerability

First try to visit flag.php, What also have no  

Continue to look at flag Is it in the front directory , utilize include structure payload

url?path=../flag.php

Try another layer of directory , Nothing at all

So I have to change my mind

Come to the original page , Find out

allow_url_include = ON

It's time to take advantage of PHP flow input La

structure payload

url?path=php://input

Re pass post The ginseng

<?php echo system('ls');?>      

Check all the files in the current file directory ,

system Function is to execute system commands

ls yes Linux System commands

  Because I'm hot hackbar I don't know why it can't pass POST Pass no = Parameters of

So I used it fiddler The ginseng , It can also be used. burpsuite

ls -a yes Linux The order of , Follow ls almost

ls command - Linux Complete tutorial of commands (yiibai.com)

Click on execute

View the returned packets

Only found dle345aae.php This document can , Check this file again

Reuse file streams php://input, Again, this time it's used fiddler

Pass on POST, use Linux in cat The order of

cat command - Linux Complete tutorial of commands (yiibai.com)

Check the returned data again

  Get flag

Of course we know flag Name of file , You can also use another method to view flag

utilize PHP flow filter 

?path=php://filter/convert.base64-encode/resource= file a

It means that base64 View the file in the form of encoding a

  structure payload

url?path=php://filter/convert.base64-encode/resource=dle345aae.php

The obtained code is base64 Decoding can see flag 了