[GXYCTF2019]BabyUpload;[BJDCTF2020]The mystery of ip
[GXYCTF2019]BabyUpload
不管上传什么类型的文件,都回显上传类型也台露骨了吧!,只能看一下源码了
<?php
session_start();
echo "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />
<title>Upload</title>
<form action=\"\" method=\"post\" enctype=\"multipart/form-data\">
上传文件<input type=\"file\" name=\"uploaded\" />
<input type=\"submit\" name=\"submit\" value=\"上传\" />
</form>";
error_reporting(0);
if(!isset($_SESSION['user'])){
$_SESSION['user'] = md5((string)time() . (string)rand(100, 1000));
}
if(isset($_FILES['uploaded'])) {
$target_path = getcwd() . "/upload/" . md5($_SESSION['user']);
$t_path = $target_path . "/" . basename($_FILES['uploaded']['name']);
$uploaded_name = $_FILES['uploaded']['name'];
$uploaded_ext = substr($uploaded_name, strrpos($uploaded_name,'.') + 1);
$uploaded_size = $_FILES['uploaded']['size'];
$uploaded_tmp = $_FILES['uploaded']['tmp_name'];
if(preg_match("/ph/i", strtolower($uploaded_ext))){
die("后缀名不能有ph!");
}
else{
if ((($_FILES["uploaded"]["type"] == "
") || ($_FILES["uploaded"]["type"] == "image/jpeg") || ($_FILES["uploaded"]["type"] == "image/pjpeg")) && ($_FILES["uploaded"]["size"] < 2048)){
$content = file_get_contents($uploaded_tmp);
if(preg_match("/\<\?/i", $content)){
die("诶,别蒙我啊,这标志明显还是php啊");
}
else{
mkdir(iconv("UTF-8", "GBK", $target_path), 0777, true);
move_uploaded_file($uploaded_tmp, $t_path);
echo "{$t_path} succesfully uploaded!";
}
}
else{
die("上传类型也太露骨了吧!");
}
}
}
?>
发现这里限制了文件大小<2048,
并且只检查了文件后缀不能有ph,
content-type的类型为image/pjpeg或image/jpeg,
内容不能有<?
这里可以上传.htaccess,再改content-type(上传过1.asp,但是连接失败,就换成了这种,它不是windows的服务器,不能解析asp)
有了.htaccess配置文件,它会将aa的后缀解析成php文件,因为这里过滤了<?,故可以使用js编写一句话木马绕过
蚁剑连接得到flag
[BJDCTF2020]The mystery of ip
得到自己的ip,
尝试添加X-Forwarded-For,猜测是否能更改,结果成功
之后尝试sql注入,xss都失败了,看了wp后知到还可能使模板注入
报错信息返回了模板了类型为Smarty
这里可以根据此模板的格式执行命令
或者使用{{}}
