flag In the variable ! <?php
error_reporting(0);
include "flag1.php";
highlight_file(__file__);
if(isset($_GET['args'])){
$args = $_GET['args'];
if(!preg_match("/^\w+$/",$args)){
die("args error!");
}
eval("var_dump($$args);");
}
?>preg_match:PHP: preg_match - Manual
$GLOBALS — 引用全局作用域中可用的全部变量
$a=hello word
$args=a
$$args=hello word ;
构造url:?args=GLOBALS
