SWPUCTF 2021 新生赛 easyupload2.0
Writeups from solving challenges on NSSCTF during high school
lamaper's writeup for [SWPUCTF 2021 Freshman Contest] easyupload2.0
Key points: remote code execution, the many file extensions PHP will execute
Opening the challenge shows a file upload form. A directory scan turned up a leaked .git repository, but nothing useful in it, so I uploaded a one-line PHP webshell. Files with a .php extension are refused, so I renamed the extension to .phtml, which uploaded successfully. Connecting with AntSword (中国蚁剑), I found flag.php in the directory:
```shell
cat ../flag.php
```
which gives the flag.
Review
Let's analyze the source code. index.php:
```php
<?php
session_start();
echo "
<meta charset=\"utf-8\">
<title>下手轻点,求求了</title>
<a><img src=\"https://gitee.com/a-sprite-of-84/docker-upload1/raw/master/images/upload1.jpg\" alt=\"upload1.jpg\" border=\"0\" /></a>
<form action=\"upload.php\" method=\"post\" enctype=\"multipart/form-data\">
<input type=\"file\" name=\"uploaded\" />
<br/>
<input type=\"submit\" name=\"submit\" value=\"感觉要被秒了\" />
</form>";
if(!isset($_SESSION['user'])){
    $_SESSION['user'] = md5((string)time() . (string)rand(100, 1000));
}
?>
```
upload.php:
```php
<?php
session_start();
echo "
<meta charset=\"utf-8\">";
if(!isset($_SESSION['user'])){
    $_SESSION['user'] = md5((string)time() . (string)rand(100, 1000));
}
if(isset($_FILES['uploaded']))
{
    $target_path = "./upload";
    $t_path = $target_path . "/" . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_ext = substr($uploaded_name, strrpos($uploaded_name,'.') + 1);
    $uploaded_size = $_FILES['uploaded']['size'];
    $uploaded_tmp = $_FILES['uploaded']['tmp_name'];
    if(preg_match("/php|hta|ini/i", $uploaded_ext))
    {
        die("php是不行滴");
    }
    else
    {
        $content = file_get_contents($uploaded_tmp);
        move_uploaded_file($uploaded_tmp, $t_path);
        echo "{$t_path} succesfully uploaded!";
    }
}
else
{
    die("不传🐎还想要f1ag?");
}
?>
```
The regular expression only rejects extensions containing php, hta or ini, so PHP files carrying any other extension can still be uploaded.
Also:
php3, php5, pht, phtml and phps are all file extensions that PHP can execute.
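As an added example (my code, not the challenge's), the PHP below puts the blocklist check from upload.php beside an allowlist-based replacement and runs both over the extensions listed above, which also shows which of those the original regex actually catches. The accepted MIME map, the random storage name and the sample filenames are my assumptions.

```php
<?php
// Added example, not part of the original challenge: the blocklist check
// from upload.php next to an allowlist-based replacement.

// Reproduces the original check: extension = text after the last dot,
// rejected only if it matches /php|hta|ini/i.
function blocklist_allows(string $name): bool
{
    $ext = substr($name, strrpos($name, '.') + 1);
    return !preg_match('/php|hta|ini/i', $ext);
}

// Hardened variant: accept only a fixed set of non-executable extensions,
// compared case-insensitively. Anything unknown is rejected by default,
// so no list of PHP aliases (phtml, pht, phar, ...) has to be maintained.
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function allowlist_allows(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return array_key_exists($ext, ALLOWED_TYPES);
}

// Verify the file body really is the claimed type (finfo reads magic bytes,
// not the client-supplied $_FILES[...]['type']), then return a random
// server-chosen filename so the client never controls the stored name.
function safe_store_name(string $name, string $tmp_path): ?string
{
    if (!allowlist_allows($name)) {
        return null;
    }
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp_path);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names: the extensions from the writeup plus a benign image
// and an .htaccess file. Only pht and phtml slip past the blocklist; the
// allowlist rejects every non-image regardless of spelling.
foreach (['pic.jpg', 'shell.php', 'shell.phtml', 'shell.pht', 'shell.php3',
          'shell.php5', 'shell.phps', 'shell.PhP', '.htaccess'] as $n) {
    printf("%-12s blocklist: %-9s allowlist: %s\n", $n,
        blocklist_allows($n) ? 'allowed' : 'rejected',
        allowlist_allows($n) ? 'allowed' : 'rejected');
}
```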
This post is licensed under CC BY 4.0 by the author.