Bugku_never give up

Opening the challenge shows a single line, "never never never give up !!!", with no other information.
Capturing the request and replaying it reveals an HTML comment in the response.
[screenshot]
Visiting 1p.html and viewing the page source turns up another HTML comment holding an encoded string:

<!--JTIyJTNCaWYlMjglMjElMjRfR0VUJTVCJTI3aWQlMjclNUQlMjklMEElN0IlMEElMDloZWFkZXIlMjglMjdMb2NhdGlvbiUzQSUyMGhlbGxvLnBocCUzRmlkJTNEMSUyNyUyOSUzQiUwQSUwOWV4aXQlMjglMjklM0IlMEElN0QlMEElMjRpZCUzRCUyNF9HRVQlNUIlMjdpZCUyNyU1RCUzQiUwQSUyNGElM0QlMjRfR0VUJTVCJTI3YSUyNyU1RCUzQiUwQSUyNGIlM0QlMjRfR0VUJTVCJTI3YiUyNyU1RCUzQiUwQWlmJTI4c3RyaXBvcyUyOCUyNGElMkMlMjcuJTI3JTI5JTI5JTBBJTdCJTBBJTA5ZWNobyUyMCUyN25vJTIwbm8lMjBubyUyMG5vJTIwbm8lMjBubyUyMG5vJTI3JTNCJTBBJTA5cmV0dXJuJTIwJTNCJTBBJTdEJTBBJTI0ZGF0YSUyMCUzRCUyMEBmaWxlX2dldF9jb250ZW50cyUyOCUyNGElMkMlMjdyJTI3JTI5JTNCJTBBaWYlMjglMjRkYXRhJTNEJTNEJTIyYnVna3UlMjBpcyUyMGElMjBuaWNlJTIwcGxhdGVmb3JtJTIxJTIyJTIwYW5kJTIwJTI0aWQlM0QlM0QwJTIwYW5kJTIwc3RybGVuJTI4JTI0YiUyOSUzRTUlMjBhbmQlMjBlcmVnaSUyOCUyMjExMSUyMi5zdWJzdHIlMjglMjRiJTJDMCUyQzElMjklMkMlMjIxMTE0JTIyJTI5JTIwYW5kJTIwc3Vic3RyJTI4JTI0YiUyQzAlMkMxJTI5JTIxJTNENCUyOSUwQSU3QiUwQSUwOXJlcXVpcmUlMjglMjJmNGwyYTNnLnR4dCUyMiUyOSUzQiUwQSU3RCUwQWVsc2UlMEElN0IlMEElMDlwcmludCUyMCUyMm5ldmVyJTIwbmV2ZXIlMjBuZXZlciUyMGdpdmUlMjB1cCUyMCUyMSUyMSUyMSUyMiUzQiUwQSU3RCUwQSUwQSUwQSUzRiUzRQ==-->

Base64-decoding it and then URL-decoding the result gives the following PHP code:

<?php
if(!$_GET['id'])
{
    header('Location: hello.php?id=1');
    exit();
}
$id=$_GET['id'];
$a=$_GET['a'];
$b=$_GET['b'];
if(stripos($a,'.'))
{
    echo 'no no no no no no no';
    return ;
}
$data = @file_get_contents($a,'r');
if($data=="bugku is a nice plateform!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
{
    require("f4l2a3g.txt");
}
else
{
    print "never never never give up !!!";
}
?>
  • The parameters id, a and b are all taken from the GET query string.
  • The first if: a must not contain a '.' (checked with stripos()).
  • $data is the content of the file named by a. Because a comes straight from the GET parameter, it can be any stream wrapper rather than a real file, so php://input can be used: the request body is then read as $data. The following minimal script demonstrates the method:
<?php
$a=$_GET['a'];
$data = @file_get_contents($a,'r');
if($data=="abd" )
{
    echo 'you are so smart';
}
else
{
    print "never never never give up !!!";
}
?>

[screenshot]

  • id must compare equal to 0, but 0 cannot be passed literally: the string "0" is falsy, so the first if redirects. Passing a non-numeric string or a symbol instead bypasses this, because PHP's loose == comparison converts it to 0.
  • eregi() is vulnerable to null-byte truncation: when either the regular expression or the string to be matched contains a null character, everything after it is discarded. In the source the string to be matched (second argument) is fixed to "1114", and the regular expression (first argument) is "111" followed by the first character of b. If substr($b,0,1) is "\x00", the pattern is truncated to "111", which matches "1114", and "\x00" also satisfies substr($b,0,1)!=4.

With the above in hand, the payload can be constructed:

http://target/test/hello.php?id=w&b=%001234567&a=php://input

[screenshot]
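For comparison, here is a hardened rewrite of hello.php that closes every bypass used by the payload above: the loose == against 0, the stripos() check that never reaches the filesystem anyway, the unrestricted stream wrapper passed to file_get_contents(), and the binary-unsafe eregi() (removed in PHP 7). This is an added example, not code from the original writeup or from the challenge; the data/bugku.txt allow-list entry and the "digits only, not starting with 4" rule for b are assumptions chosen for illustration.

```php
<?php
// Added example: hardened version of the challenge's hello.php (PHP 7+).
// Not the challenge's own code; the allow-list and the rule for b are assumed.

declare(strict_types=1);

// Only files from this fixed allow-list may be read. The request supplies a
// key, never a path or a stream wrapper such as php://input.
const ALLOWED_FILES = [
    'bugku' => __DIR__ . '/data/bugku.txt',  // assumed to contain the expected sentence
];

function fail(string $msg): void
{
    http_response_code(400);
    header('Content-Type: text/plain');
    print $msg;
    exit();
}

// 1. id: require the literal string "0" with a strict comparison.
//    The original `if(!$_GET['id'])` treated "0" as falsy and redirected, and
//    `$id == 0` was true for any non-numeric string on PHP < 8.
$id = $_GET['id'] ?? null;
if (!is_string($id) || $id !== '0') {
    fail("never never never give up !!!");
}

// 2. a: look the value up in the allow-list instead of handing it to
//    file_get_contents(). A '.' check is no longer needed because the user
//    value never reaches the filesystem; note that the original stripos()
//    check also missed a '.' at position 0, since 0 is falsy.
$a = $_GET['a'] ?? '';
if (!is_string($a) || !array_key_exists($a, ALLOWED_FILES)) {
    fail("never never never give up !!!");
}
$data = file_get_contents(ALLOWED_FILES[$a]);
if ($data === false || $data !== "bugku is a nice plateform!") {
    fail("never never never give up !!!");
}

// 3. b: eregi() is not binary-safe, so a null byte shortened the pattern.
//    Reject null bytes explicitly and use an anchored preg_match() on the
//    whole value (assumed rule: digits only, longer than 5, not starting with 4).
$b = $_GET['b'] ?? '';
if (!is_string($b) || strlen($b) <= 5 || strpos($b, "\0") !== false) {
    fail("never never never give up !!!");
}
if (!preg_match('/\A[0-9]+\z/', $b) || $b[0] === '4') {
    fail("never never never give up !!!");
}

// All checks passed. The original did require("f4l2a3g.txt"), which executes
// the file as PHP; readfile() only outputs its contents.
header('Content-Type: text/plain');
readfile(__DIR__ . '/f4l2a3g.txt');
```

The three changes that matter most are the strict comparisons (=== and !==), reading only from a server-side allow-list so no stream wrapper or path ever comes from the request, and replacing eregi() with a binary-safe, fully anchored preg_match() after rejecting null bytes outright.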

The most annoying part comes next:

[screenshot]

Accessing this file directly gives the flag.
[screenshot]


Origin blog.csdn.net/weixin_43749601/article/details/109202556