SUCTF Anonymous WriteUp

Posted on Edited on In ,

source code

1
2
3
4
5
6
7
8
9
10
11
12
13
<?php

$MY = create_function("","die(`cat flag.php`);");
$hash = bin2hex(openssl_random_pseudo_bytes(32));
eval("function SUCTF_$hash(){"
    ."global \$MY;"
    ."\$MY();"
    ."}");
if(isset($_GET['func_name'])){
    $_GET["func_name"]();
    die();
}
show_source(__FILE__);

思路

匿名函数并不是真的没有名字。。。
%00lambda_%d

参考资料

https://www.jianshu.com/p/19e3ee990cb7
https://github.com/orangetw/My-CTF-Web-Challenges
http://php.net/manual/zh/book.phar.php
http://blog.jobbole.com/91920/
https://yq.aliyun.com/ziliao/55320
https://www.zhihu.com/question/23786410