Question 1: no echo
The value of the cmd parameter is passed to the exec function and executed as a command, with no restrictions or filtering.
For this kind of no-echo problem, we can use the redirection operator > to write the output to a file and then view it.
Use cmd=ls>info, then view info to get the files in the current directory, as follows:
We find flag.php. We use the redirection operator again to write the contents of that file into a file we can read: use cmd=cat fl*>info, then view the page again.
Question 2: length limit
The challenge page address is as follows:
Viewing the page source reveals PHP code. Reading it: the input is limited to a length of no more than 5 and is then executed as a command. Check the path information and go to it:
Because of the input length limit, we enter the pieces one at a time so that the names in the directory spell out cat flag.php, as follows:
Next, use *>f, which runs the command cat flag.php (because * matches the names in the current path, the expansion is equivalent to cat flag.php) and writes the output to f, which can then be read as follows:
Question 3: suffix restriction
The page source is of no use; the home page reads as follows:
The input path parameter is subject to a suffix restriction; note the /m modifier on the regular expression.
So the check can be bypassed with a newline, %0a: we need the if condition to evaluate to false so that the else statement is executed. To satisfy the suffix regular expression, the first line of the input must end in .txt; we then use %0a to bypass the check, followed by what we actually want to run, cat /flag.
Together this is x.txt%0acat /flag*, as follows:
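The suffix check described above beside a hardened form, modelled in Python as an added example that is not the challenge's own code (its PHP source is not reproduced on this page). The regular expressions, function names and sample inputs are assumptions; Python's re.MULTILINE treats $ the same way as the /m modifier.

```python
import re
import subprocess

# Assumed stand-in for the challenge's check (the real PHP regex is not shown on the page).
# With the multiline flag, $ matches before ANY newline, not only at the end of the input.
WEAK_SUFFIX = re.compile(r"\.txt$", re.MULTILINE)

# Hardened: the whole value must be a single safe file name ending in .txt.
# fullmatch anchors at the true start and end of the string, and the character
# class excludes newlines, spaces, slashes and shell metacharacters.
STRICT_NAME = re.compile(r"[A-Za-z0-9_-]+\.txt")


def weak_check(path: str) -> bool:
    """Suffix test that only looks at the end of some line."""
    return WEAK_SUFFIX.search(path) is not None


def strict_check(path: str) -> bool:
    """Allow-list test over the entire value."""
    return STRICT_NAME.fullmatch(path) is not None


def read_file_safely(path: str) -> str:
    """Validate, then pass the name as one argv element with no shell involved."""
    if not strict_check(path):
        raise ValueError("rejected path: %r" % path)
    # "--" ends option parsing; the list form means no shell ever parses `path`.
    result = subprocess.run(["cat", "--", path],
                            capture_output=True, text=True, timeout=5)
    return result.stdout


# Constructed sample inputs; the second is the URL-decoded value from the writeup.
SAMPLES = ["notes.txt", "x.txt\ncat /flag*", "notes.txt\n", "../notes.txt", "notes.php"]


def audit(samples):
    """Return (value, weak result, strict result) for each sample."""
    return [(s, weak_check(s), strict_check(s)) for s in samples]


if __name__ == "__main__":
    for value, weak, strict in audit(SAMPLES):
        print(f"{value!r:24} weak={weak!s:5} strict={strict}")
```

The weak check accepts every sample that has a line ending in .txt, including the two-line value; the strict check accepts only notes.txt.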
Question 4: shell without letters
The home page reads as follows:
Pure letters are filtered,
so we can use the XOR operation to build what we need, constructed as follows:
=(%9e%8c%8c%9a%8d%8b^%ff%ff%ff%ff%ff%ff);
___=
($___[0]);
This can help us get a shell.
Then we call the function we need to read the file: POST a parameter 0 that calls readfile, as follows: