A PHP code audit challenge from a CTF platform

This challenge is not especially difficult, but it requires flexible thinking, in particular making flexible use of what the source code already gives you. Let's look at the source code.

First we need to understand what the code does.

Roughly, the source code first reads the flag value into $flag.

It then accepts the value you submit and checks it against a blacklist. To be honest, the rest of this challenge comes down to dealing with the eval. Since the challenge puts the flag value into a variable, all we need is to get that variable output!!

Of course, there is a WAF.

Let's look at it.

That is basically the whole WAF. Most of it is easy to understand; only get_defined_functions() is a little different.

I looked it up: it roughly means outputting all the variables / constants / modules / functions / classes of the current process instance. I tried it on my own machine.

There are quite a lot of them; this is to make sure that many built-in functions cannot be used.

Don't worry about it, because that foreach is only used to decide whether the input is bad.

Look at the initial value of $who: after base64 decoding it turns out to be flag, and $flag is exactly the variable we want to read!

So we can try a variable variable, $$. The first construction was ?cmd=${base64_decode($who)}, but it turned out that the underscore is filtered too!!! Later I noticed that the source code already gives us a base64 decoding function, doesn't it 233

So the construction becomes ?cmd=${helper($who)}

The flag is read successfully.

Of course, there is also a way to execute commands. My idea is to use a variable to receive the base64-decoded value, and then call the function through that variable.

payload: ?cmd=Mikasa;$a=helper('cGhwaW5mbw==');$a()

phpinfo() is executed successfully.

Whatever comes after this generally also needs to go through the helper function.
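Added example (not the challenge's source, which is not reproduced on this page): a PHP sketch of why a blacklist built from get_defined_functions() stops base64_decode and phpinfo but not the user-defined helper, next to an eval-free allowlist dispatcher. The shape of the filter, blacklist_allows() and dispatch() are assumptions; helper() here is a stand-in for the decoder the source provides. Requires PHP 7.4 or later.

```php
<?php
// Added sketch, not the challenge's source. helper(), $who and the use of
// get_defined_functions() come from the write-up; everything else is assumed.

// Stand-in for the base64 decoder the challenge source defines.
function helper(string $s): string
{
    return base64_decode($s);
}

// Assumed filter: reject underscores and any identifier that names a built-in.
function blacklist_allows(string $input): bool
{
    if (strpos($input, '_') !== false) {
        return false;
    }
    // Only the 'internal' list holds built-ins; user functions are under 'user'.
    $builtins = array_flip(get_defined_functions()['internal']);
    preg_match_all('/[A-Za-z][A-Za-z0-9]*/', $input, $m);
    foreach ($m[0] as $word) {
        if (isset($builtins[strtolower($word)])) {
            return false;
        }
    }
    return true;
}

// Hardened alternative: no eval; the request may only pick a key from a fixed map.
function dispatch(string $action): string
{
    $actions = [
        'time'    => fn() => date('c'),
        'version' => fn() => PHP_VERSION,
    ];
    return isset($actions[$action]) ? $actions[$action]() : 'rejected';
}

// Inputs taken from the write-up, checked against the assumed filter.
foreach (['${base64_decode($who)}', '${helper($who)}', 'phpinfo()'] as $s) {
    printf("%-24s %s\n", $s, blacklist_allows($s) ? 'passes filter' : 'blocked');
}
var_dump(in_array('helper', get_defined_functions()['user'], true));
echo dispatch('version'), "\n", dispatch('${helper($who)}'), "\n";
```

The blacklist can only enumerate names it knows about, so any helper defined next to the eval widens what request data can reach; the dispatcher never interprets the request as code at all.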


Origin www.cnblogs.com/Mikasa-Ackerman/p/11110720.html