Hack you 2014 - Web 400 Writeup
This challenge used 2 GET parameters: action and param. Given the source code, action is used as class name and param as its argument to the constructor. Now, listing all php standard classes with:
php -r 'var_dump (get_declared_classes ());'
we can see which one can allow us to read file or maybe execute commands: “GlobIterator” one seems ok. Reading from php.net it iterates trought file system similar to glob() this mean we can use wildcard ‘*’ for our own proupose. So lets try it:
This will give return us a class GlobIterator("/C*") which the result is echoed at the end.