萌新web15
All the methods we used before are invalid now, but notice that ';' is not matched by the filter.
But we still cannot use passthru() cuz '(' is filtered.
It is a little bit complicated, so I'll show the payload first.
The uppermost red stuff is the payload I constructed.
'$_POST[1]' receives the parameter sent by the POST method, which is why we change the request from GET to POST.
The echo() function prints the result within it to the screen, so without `` the payload will show the result below:
$_POST['cat config.php']
SMH, we didn't get the flag.
Why?
The reason is that 'cat config.php' didn't execute; therefore, we should use `` to enclose '$_POST[1]'.
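Seen from the filter's side, as an added example that is not part of the original write-up or the challenge's code: a keyword blacklist on the eval'd parameter passes the request shape described above, while a check for the backtick operator and for superglobal indirection flags it. The blacklist keywords, the function names and the sample requests are assumptions constructed for illustration; the page only states that '(' is filtered and ';' is not.

```python
import re

# Hypothetical stand-in for the challenge filter. The page states only that '('
# is filtered and ';' is not; the keyword list is an assumption.
BLACKLIST = re.compile(r"\(|system|exec|passthru|cat|config|php", re.IGNORECASE)
# PHP superglobals: a reference means the real input lives in another parameter.
SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")


def blacklist_allows(code: str) -> bool:
    """True when the blacklist lets the eval'd parameter through."""
    return BLACKLIST.search(code) is None


def review(code: str, other_params: dict) -> list:
    """Flag what a keyword blacklist on `code` alone cannot see."""
    findings = []
    if "`" in code:
        # PHP treats `...` like shell_exec(): no parentheses, no function name.
        findings.append("backtick-operator")
    for name in sorted(set(SUPERGLOBAL.findall(code))):
        findings.append("reads-" + name)
    for key, value in other_params.items():
        # Text the blacklist would have rejected, carried in an unchecked field.
        hit = BLACKLIST.search(value)
        if hit:
            findings.append(f"unfiltered-param:{key}:{hit.group(0)}")
    return findings


# Constructed requests: (eval'd parameter, remaining request parameters).
SAMPLES = [
    ("echo `$_POST[1]`;", {"1": "cat config.php"}),  # shape described on this page
    ("echo $_POST[1];", {"1": "cat config.php"}),    # no backticks: prints, never runs
    ("passthru('ls');", {}),                          # stopped by the '(' rule
    ("echo 1;", {}),                                  # benign
]


def main() -> None:
    for code, params in SAMPLES:
        verdict = "allowed" if blacklist_allows(code) else "blocked"
        print(f"{code!r:24} blacklist={verdict:8} findings={review(code, params)}")


if __name__ == "__main__":
    main()
```

The first sample is allowed by the blacklist yet produces three findings, which is the gap the write-up relies on: the filtered words never appear in the parameter the filter inspects.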