BugkuCTF-WEB4 $what=$_POST['what']; echo $what; if($what=='flag') echo 'flag{****}'; 启动BurpSuite,进行抓包 改变请求头为POST, what=flag,即可获得