Although I failed to solve the challenge during the CTF, I think it is
worthwhile to do a write-up.

The challenge is to exploit a PHP script engine using this bug. We can execute
arbitrary PHP code, but we must bypass the disable_functions restriction to
execute shell commands, using a UAF vulnerability. Therefore, this is actually
more a Pwn challenge than a Web challenge.

However, unlike the official PHP engine, a custom libphp7.so is provided.
This engine does not provide any loop constructs such as
for/while/do-while/foreach. Moreover, on the remote server, the recursion depth
is also restricted, and the strlen function always returns NULL, even though
these cases do not occur in my local environment.

The exploit idea is similar to the exploit provided on GitHub: use the UAF to
overlap a string with an object so that we can leak addresses, then clone
a function object and rewrite the relevant function pointer to turn the
function into system.

Original writeup
(https://mem2019.github.io/jekyll/update/2020/05/04/Easy-PHP-UAF.html).