IJCTF 2021 Memory

https://gist.github.com/as3617/fa06307b5c1bcc002e3b646bfcc3500d
exploit code

IJCTF 2021 - memory writeup

1. disabled_functions are except putenv, mail
2. clean_up option for session is off
3. When the UPLOAD_PROGRESS meets clean_up option as off that session file will have the path for the uploaded file.
4. PHP clean tmp file at the last of execution.
   • So, if PHP gets crash, the tmp file will not be erased -> https://bugs.php.net/bug.php?id=80246
5. upload dynamic library and get Reverse shell

Thanks to sqrtrev!!