Exploit Exercises – nebula level09
flag09 reads the file supplied as arg1. We also need to supply a second argument, but it is not used. If we do not supply arg2, an error is thrown, but the file specified by arg1 is still read.

After trial and error, I found the correct syntax that flag09 accepts:
• [email $phpinfo()]
This makes flag09 treat phpinfo() as a valid variable, but it throws an error.

Success – 0.1 – found the correct syntax to get phpinfo() executed:
• [email {${phpinfo()}}]

Success – using PHP's exec() function to execute getflag/id:
• [email {${exec(id)}}]
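
The write-up does not show flag09's source, so the following is an added example rather than the level's own code. It assumes the filter rewrote `[email ...]` tags with `preg_replace()` and the `/e` modifier (deprecated in PHP 5.5, removed in 7.0), which evaluates the replacement as PHP and is what lets `{${...}}` run. The function names and sample strings are constructed for illustration. The hardened form passes the match to a callback as data:

```php
<?php
// Added example: hardened rewrite of an [email ...] markup filter.
// Assumption: the original filter used preg_replace() with the /e modifier.

function spam(string $email): string
{
    // Obfuscate the address; plain string operations, nothing is evaluated.
    return str_replace(['.', '@'], [' dot ', ' AT '], $email);
}

function markup(string $contents): string
{
    // The callback receives the match as data ($m[1]) instead of having it
    // spliced into PHP source, so "{${...}}" is never parsed as code.
    $contents = preg_replace_callback(
        '/\[email ([^\]]*)\]/',
        static fn(array $m): string => spam($m[1]),
        $contents
    );
    // Escape whatever is left before it reaches an HTML context.
    return htmlspecialchars($contents, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: one benign tag plus the strings from the write-up.
// Single quotes keep PHP from interpolating them in this script.
$samples = [
    '[email user@example.com]',
    '[email {${phpinfo()}}]',
    '[email {${exec(id)}}]',
];

foreach ($samples as $s) {
    echo markup($s), PHP_EOL;
}
```

With this version the second and third samples come back as the literal text between the brackets; no function is called.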