Looking around the site turned up nothing useful. A dirsearch scan found /robots.txt, which points to /fAke_f1agggg.php; visiting it returns a fake flag, but the response also reveals /fl4g.php. That page has three checks to bypass, so we construct the payload:
?num=3e4&md5=0e215962017&get_flag=ls
The listing shows a file named fllllllllllllllllllllllllllllllllllllllllaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaag, which is probably the flag. Here cat is blocked, so we use ca\t to get around the filter and ${IFS} in place of the space, and then we get the flag.
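The following is an added example, not the challenge's own source: a plausible reconstruction of the three checks in /fl4g.php (weak_gate) next to a hardened version (strict_gate), to show why each value in the payload above passes and what closes the hole. The exact original conditions, the function names, the blacklist regex and the placeholder flag path are assumptions; only the bypass values (3e4, 0e215962017, ca\t, ${IFS}) come from the writeup.

```php
<?php
// Added example, not the challenge's source. weak_gate reconstructs the assumed
// checks behind /fl4g.php; strict_gate shows the same gate without the bypasses.

function weak_gate(array $q): ?string
{
    $num = (string)($q['num'] ?? '');
    $md5 = (string)($q['md5'] ?? '');
    $cmd = (string)($q['get_flag'] ?? '');

    // Check 1 (assumed): must equal 30000 but be shorter than 5 characters.
    // "30000" fails the length test, yet "3e4" == 30000 is true under PHP's
    // loose numeric-string comparison, so num=3e4 passes.
    if (strlen($num) >= 5 || $num != 30000) {
        return null;
    }

    // Check 2 (assumed): a value equal to its own md5. md5("0e215962017") is
    // "0e291242476940776845150308577824"; both strings look like 0 * 10^n to ==,
    // so the comparison collapses to 0 == 0 and passes.
    if ($md5 != md5($md5)) {
        return null;
    }

    // Check 3 (assumed): a blacklist on the command. "cat" and whitespace are
    // rejected, but "ca\t" (the shell drops the backslash) and "${IFS}" (expands
    // to a space) contain neither, so the filtered command still runs.
    if (preg_match('/cat|\s/', $cmd)) {
        return null;
    }
    return shell_exec($cmd);
}

function strict_gate(array $q): ?string
{
    $num = (string)($q['num'] ?? '');
    $md5 = (string)($q['md5'] ?? '');
    $action = (string)($q['get_flag'] ?? '');

    // Strict string comparison: "3e4" !== "30000", so exponent notation no longer helps.
    if ($num !== '30000') {
        return null;
    }
    // hash_equals compares byte for byte, so "0e..." magic hashes do not collapse to 0.
    if (!hash_equals(md5($md5), $md5)) {
        return null;
    }
    // No shell at all: map the allowed actions to fixed PHP calls instead of
    // trying to blacklist substrings of a user-controlled command line.
    $actions = [
        'ls'   => fn() => implode("\n", scandir(__DIR__) ?: []),
        'flag' => fn() => (string)file_get_contents(__DIR__ . '/flag.txt'), // placeholder path
    ];
    if (!isset($actions[$action])) {
        return null;
    }
    return $actions[$action]();
}

// Demonstration with the writeup's payload values.
$payload = ['num' => '3e4', 'md5' => '0e215962017', 'get_flag' => 'ls'];
var_dump(weak_gate($payload));
var_dump(strict_gate($payload));
```

Run with `php` on the command line: the weak gate accepts all three values and executes the command, while the strict gate rejects the same request at the first check. The point is the fix, not the filter: loose `==` on attacker-controlled strings and shell execution of filtered input are both replaced, rather than extending the blacklist with `ca\t` and `${IFS}`.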
