[Wangding Cup 2020, Zhuque Division] phpweb
Knowledge points tested: call_user_func() callbacks, deserialization.
The page itself gives nothing away, so let's capture a request and look at it.
From the capture we can see that two parameters are sent, func and p. The value of func is date; combined with the value of p, I guess call_user_func() is used here to invoke a callback, i.e. the value of func is treated as the function name and the value of p as its argument. So let's call the system function directly to list the files in the current directory.
The response is "Hacker", so the request is presumably being blocked by a WAF. Let's use highlight_file() to look at the source.
<?php
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array"
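To make the dispatcher pattern inferred above concrete, here is an added example (my own code, not the challenge's source, which is only partially shown): a denylist-guarded call_user_func() of the shape the write-up describes, beside an allowlisted version. The names $func, $p, dispatch_denylist, dispatch_allowlist and the ALLOWED map are assumptions for illustration; the denylist is a shortened copy of the one visible on the page.

```php
<?php
// Added example, not the challenge's code. Shows why letting the request
// choose the callable by name is unsafe even with a denylist, and how a
// closed allowlist removes the problem. Identifiers here are assumed.

// Vulnerable shape: func names the function, p is its argument, and the only
// control is a list of names that must not be called. Every other callable
// in the process is still reachable with an attacker-chosen argument.
function dispatch_denylist(string $func, string $p): string
{
    // Shortened copy of the denylist shown in the challenge source.
    $disable_fun = array("exec", "shell_exec", "system", "passthru", "eval");
    if (in_array($func, $disable_fun, true)) {
        return "Hacker";
    }
    if (!is_callable($func)) {
        return "unknown function";
    }
    return (string) call_user_func($func, $p);
}

// Hardened shape: the request chooses a key in a fixed map, never a function
// name. Nothing outside the map can be reached, so no denylist is needed.
const ALLOWED = [
    'date'  => 'date',        // the only operation the captured request used
    'upper' => 'strtoupper',  // assumed second operation, for illustration
];

function dispatch_allowlist(string $key, string $p): string
{
    if (!array_key_exists($key, ALLOWED)) {
        return "unsupported operation";
    }
    // The key resolves to a fixed callable; $p stays a plain string argument.
    return (string) call_user_func(ALLOWED[$key], $p);
}

// Constructed request values (not real traffic).
$samples = [
    ['date', 'Y-m-d'],       // legitimate use, as in the capture
    ['strtoupper', 'abc'],   // not on the denylist, so the denylist version runs it
    ['upper', 'abc'],        // allowlist key, resolves to strtoupper
];
foreach ($samples as [$func, $p]) {
    echo "denylist : $func('$p') => ", dispatch_denylist($func, $p), PHP_EOL;
    echo "allowlist: $func('$p') => ", dispatch_allowlist($func, $p), PHP_EOL;
}
```

Run it with php on the command line. The second sample shows the structural weakness of the denylist: a function that nobody listed is executed with caller-controlled input, and the list has to be extended every time a new dangerous name is discovered. The allowlist version rejects the raw function name and only accepts the keys it was written with, which is the check a code review of a func/p-style endpoint should ask for.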