Primary code audit [no dolls (modification)] assessment
2022-07-05 13:42:00 【Snow is not cold 1】
Code audit
First, open the challenge link: http://1.15.152.9:1111/sre-winter/. The page looks like this:
Analyze the code:
First, file_get_contents():
This function is the preferred way to read an entire file into a string. Its $filename parameter is not limited to a local file path: it also accepts a URL or any registered stream wrapper.
So, looking further down:
if(isset($resolve)&&(file_get_contents($resolve,'r')==="try hard to become a redrocker"))
To reach the next step we have to supply a file whose contents are exactly try hard to become a redrocker. Since the $filename argument of file_get_contents() can also be a URL, we can use the data:// pseudo-protocol to satisfy this check.
A note on the data:// pseudo-protocol:
Effect: since PHP >= 5.2.0, the data:// stream wrapper can be used to pass data in a given format directly inside the URL. It can usually be used to get PHP code executed, and the data is generally transmitted base64-encoded.
So use the pseudo-protocol:
?resolve=data://text/plain;base64,dHJ5IGhhcmQgdG8gYmVjb21lIGEgcmVkcm9ja2Vy
// dHJ5IGhhcmQgdG8gYmVjb21lIGEgcmVkcm9ja2Vy decodes to ---> try hard to become a redrocker
Next we notice unserialize(), a deserialization function: if we pass a serialized object (that is, a string) in $fxl, we get back an instance of that object. Wow, fantastic!
So we construct the object:

and obtain:
O:3:"SRE":1:{s:8:"document";s:12:"printenv.php";}
Therefore:
?resolve=data://text/plain;base64,dHJ5IGhhcmQgdG8gYmVjb21lIGEgcmVkcm9ja2Vy&fxl=O:3:"SRE":1:{s:8:"document";s:12:"printenv.php";}
After appending the above to the URL we get:

Right-click to view the page source and notice:

Now let's analyze this source code and see what happens.
First, there are four if checks followed by an eval, which means all four conditions must be satisfied at the same time;
The first, if(isset($_GET['st'])), checks whether st is set; if it is not empty, the following statements execute;
Then if (!preg_match('/data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $_GET['st'])) filters out the data, filter, php and phar pseudo-protocols, preventing them from being used to read files;
Next, if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['st'])) means that only function calls without arguments may be passed (a call may contain another such call as its sole argument, which is what (?R) allows), terminated by a single ';';
Finally, if (!preg_match('/es|info|bin|hex|log|dec|oct|na|os|pi/i', $_GET['st'])) blocks many keywords, so many functions can't be used.
So:
First use scandir() to get the files in the current directory and print_r() to output them. localeconv() returns an array containing locale numeric and monetary formatting information; its first element is the decimal point ".", so current(localeconv()) yields "." and scandir() lists the current directory.
?st=print_r(scandir(current(localeconv())));
We obtain:
The file redrock.php is found; this should be the flag.
So what should we do next?
After looking things up and thinking hard for a long time, it suddenly occurred to me:
We can use readfile() together with the random function array_rand(array_flip()) to read it:
?st=readfile(array_rand(array_flip(scandir(current(localeconv())))));
array_flip(): swaps the keys and values of an array.
array_rand(): picks one or more entries from an array at random, so each refresh returns a different entry. In this challenge the array returned by scandir() has only 5 elements, so a few refreshes are enough to hit the right file.
Just refresh a few more times, no harm done:
Eventually we get:
And then the flag:
flag{Congratulation!The task completed}
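From the defender's side, the three stages of this challenge leave very recognisable traces in a web server's access log: a stream-wrapper scheme (data://, php://, ...) inside a query parameter, a serialized PHP object (O:<n>:"Class":...) inside a query parameter, and a query value made of nested calls to file-system functions such as scandir() or readfile(). The following Python script is an added example written for this writeup; it is not the challenge's code and not the author's. The log lines are constructed for the example (combined log format), the parameter names resolve, fxl and st are taken from the writeup, and the list of sensitive functions is an assumption chosen for illustration.

```python
"""Flag request targets that carry PHP stream-wrapper schemes, serialized PHP
objects, or nested calls to file-system functions (added example, constructed data)."""
import re
from urllib.parse import unquote_plus, urlsplit

# PHP stream wrappers that a file_get_contents()/include() sink would honour.
WRAPPER_RE = re.compile(
    r'\b(data|php|phar|filter|glob|expect|file|ftp|https?|compress\.zlib)://', re.I)
# Start of a serialized PHP object: O:<len>:"<class>":<count>:{
SERIALIZED_OBJECT_RE = re.compile(r'\bO:\d+:"([^"]+)":\d+:\{')
# A PHP-style function call: identifier followed by "("
CALL_RE = re.compile(r'\b([a-z_][a-z0-9_]*)\s*\(', re.I)
# Functions that list or read the file system, or run code (assumed list).
SENSITIVE_FUNCS = {'scandir', 'readfile', 'file_get_contents', 'show_source',
                   'highlight_file', 'include', 'require', 'eval', 'system',
                   'exec', 'shell_exec', 'passthru'}

# Combined/common log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def split_query(target):
    """Yield (name, decoded value) pairs from the query string. Splits only on
    '&': serialized PHP contains ';', which older parse_qsl() would split on."""
    query = urlsplit(target).query
    for part in query.split('&'):
        if not part:
            continue
        name, _, value = part.partition('=')
        yield unquote_plus(name), unquote_plus(value)


def analyse_query(target):
    """Return (param, rule, detail) findings for one request target."""
    findings = []
    for name, value in split_query(target):
        m = WRAPPER_RE.search(value)
        if m:
            findings.append((name, 'stream-wrapper', m.group(1).lower()))
        m = SERIALIZED_OBJECT_RE.search(value)
        if m:
            findings.append((name, 'serialized-object', m.group(1)))
        calls = [c.lower() for c in CALL_RE.findall(value)]
        if len(calls) >= 2:  # nested calls, as in f(g(h()))
            hit = [c for c in calls if c in SENSITIVE_FUNCS]
            if hit:
                findings.append((name, 'nested-call', hit[0]))
    return findings


def scan_log(lines):
    """Return one record per log line that triggered at least one rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyse_query(m.group('target'))
        if findings:
            hits.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                         'target': m.group('target'), 'findings': findings})
    return hits


# Constructed sample log: a benign request, the two payloads from the writeup,
# and a benign-looking local path that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jul/2022:13:40:01 +0800] "GET /sre-winter/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/Jul/2022:13:40:15 +0800] "GET /sre-winter/?resolve=data://text/plain;base64,'
    'dHJ5IGhhcmQgdG8gYmVjb21lIGEgcmVkcm9ja2Vy&fxl=O:3:%22SRE%22:1:%7Bs:8:%22document%22;'
    's:12:%22printenv.php%22;%7D HTTP/1.1" 200 2048',
    '203.0.113.7 - - [05/Jul/2022:13:41:02 +0800] "GET /sre-winter/?st=print_r(scandir(current(localeconv()))); HTTP/1.1" 200 300',
    '198.51.100.3 - - [05/Jul/2022:13:41:30 +0800] "GET /sre-winter/?resolve=/var/www/html/notes.txt HTTP/1.1" 200 200',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit['ts'], hit['ip'], hit['findings'])
```

The rules deliberately match the shape of the payload rather than specific strings, so a different class name or a different chain of functions still triggers. The last sample line shows the main false-positive trap: a plain local path in resolve is not flagged, because what makes the first stage dangerous is the wrapper scheme, not the parameter itself. In the application code the corresponding fixes are to reject any value containing :// before it reaches file_get_contents() and to pass ['allowed_classes' => false] to unserialize() (or to avoid unserialize() on user input entirely).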