<?php
highlight_file(__FILE__);
include($_POST["flag"]);
//flag in /var/www/html/flag.php; 直接读flag.php有WAF
先读index.php:
<?php
$path = $_POST["flag"];
if (strlen(file_get_contents('php://input')) < 800 && preg_match('/flag/', $path)) {
echo 'nssctf waf!';
} else {
@include($path);
}
?>直接用超过800的垃圾数据填充即可绕过WAF