CTFHub skill tree: file upload

File Upload

No restrictions

UPload_0_1

Upload a one-line PHP backdoor directly and connect with AntSword:

UPload_0_2

Get the flag:

UPload_0_3

Front-end verification

Uploading the backdoor directly is blocked; on inspection this turns out to be JavaScript front-end validation:

UPload_1_1

Here you can either disable JavaScript on the page with a Firefox extension, or use Burp Suite to bypass the front-end check.

This shows the Burp Suite approach:

UPload_1_3

First rename the file to 1.jpg, then change the file name back to 1.php in the upload request with Burp Suite; this bypasses the check.

UPload_1_2

Connect with AntSword to get the flag.

.htaccess

What is .htaccess

.htaccess files (or "distributed configuration files") provide a way to change configuration per directory: a file containing one or more directives is placed in a particular document directory, and those directives apply to that directory and all of its subdirectories. The directives available to an ordinary user are limited.

In short, .htaccess is an Apache configuration file that controls the pages under its directory. With it you can implement 301 redirects, custom 404 error pages, changed file extensions, allowing or blocking access for specific users or directories, disabled directory listings, a configured default document, and other functions.

Simply put, if I upload a .htaccess file to the server, the server will afterwards parse files of a specific format as PHP.

.htaccess exploitation

# Method 1: parse every file in this directory as PHP
SetHandler application/x-httpd-php
# Method 2: parse .jpg files as PHP
AddType application/x-httpd-php .jpg

Solution

Write the .htaccess file and upload it.

UPload_2_1

Upload a one-line backdoor, connect with AntSword, and get the flag:

UPload_2_2

MIME verification

What is MIME

MIME stands for Multipurpose Internet Mail Extensions. It was originally designed so that e-mail could carry additional multimedia data and mail clients could handle it according to its type. Once the HTTP protocol adopted it, its significance grew: HTTP can transport far more than plain text.

Each MIME type has two parts: a broad category first (audio for sound, image for pictures, and so on), then the specific type.

Common MIME types

HTML text    .html         text/html
Plain text   .txt          text/plain
GIF image    .gif          image/gif
JPEG image   .jpeg, .jpg   image/jpeg

Server-side MIME checking inspects the Content-Type field of the HTTP request to decide whether the upload is valid. This is easy to handle: whatever file type I upload, I only need to modify the Content-Type field to pass the check.

Solution

Uploading a PHP file gives this hint:

UPload_4_0

Looking at the source shows no front-end validation, so the guess is a MIME check.

Modify Content-Type:

UPload_4_1

Upload succeeds:

UPload_4_2

Connect with AntSword and get the flag:

UPload_4_3

File header detection

Uploading a PHP file gives an error with this hint:

UPload_3_1

Change the MIME type to the jpg one and upload:

UPload_3_2

Error again, with this hint:

UPload_3_5

So the file contents must be checked as well.

Create an image horse (a real image with the backdoor appended):

copy 原图片.jpg/b + 后门.php/a 图片马.php
/b means the file is treated as binary
/a means the file is treated as ASCII

UPload_3_3

Connect with AntSword and get the flag:

UPload_3_4
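The MIME and file-header challenges above both come down to the server trusting something the client controls (the Content-Type field, or only the first bytes of the file). The following is an added example, not code from the original post or from CTFHub, of the server-side checks that hold up: sniff the real signature, scan for PHP tags, and re-encode the image so an appended payload is dropped. Paths are assumptions; `$tmp` is the temporary file PHP reports in `$_FILES['file']['tmp_name']`.

```php
<?php
// Added example (not code from the original post or from CTFHub): server-side
// content checks for the MIME and file-header challenges. Paths are assumptions;
// $tmp is the temporary file PHP reports in $_FILES['file']['tmp_name'].

// Decide the type from the first bytes, never from the client-controlled
// Content-Type header (the MIME challenge shows that is trivial to change).
function detected_image_type(string $path): ?string {
    $head = file_get_contents($path, false, null, 0, 8);
    if ($head === false) { return null; }
    if (strncmp($head, "\xFF\xD8\xFF", 3) === 0) { return 'jpg'; }
    if ($head === "\x89PNG\r\n\x1a\n") { return 'png'; }
    if (strncmp($head, "GIF87a", 6) === 0 || strncmp($head, "GIF89a", 6) === 0) { return 'gif'; }
    return null;
}

// An image horse passes the signature check because it starts with a real
// picture, so also scan the whole body for a PHP open tag. "<?xpacket" (XMP
// metadata in ordinary JPEGs) must not trigger, hence the php|= form.
function contains_php_tag(string $path): bool {
    $data = file_get_contents($path);
    return $data !== false && preg_match('/<\?(php\b|=)/i', $data) === 1;
}

// Most robust: decode and re-encode with GD, which writes only pixel data and
// drops whatever was appended after the image (the "/a" half of the copy command).
function reencode_image(string $src, string $dst, string $type): bool {
    $img = match ($type) {
        'jpg' => @imagecreatefromjpeg($src),
        'png' => @imagecreatefrompng($src),
        'gif' => @imagecreatefromgif($src),
        default => false,
    };
    if ($img === false) { return false; }
    return match ($type) {
        'jpg' => imagejpeg($img, $dst, 90),
        'png' => imagepng($img, $dst),
        default => imagegif($img, $dst),
    };
}

// Returns the stored file name, or null when the upload is rejected.
function accept_image(string $tmp, string $dstDir): ?string {
    $type = detected_image_type($tmp);
    if ($type === null || contains_php_tag($tmp)) { return null; }
    $name = bin2hex(random_bytes(16)) . '.' . $type;   // server-chosen name
    return reencode_image($tmp, $dstDir . '/' . $name, $type) ? $name : null;
}
```

The tag scan is only a heuristic (short open tags and obfuscated code slip past it); the re-encode step is what actually removes the appended payload, and the server-chosen name means the client's ".php" never reaches disk.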

00 truncation

For details see this article

Principle of 00 truncation

0x00 is the hexadecimal representation of ASCII character code 0; some processing functions treat this character as a string terminator. This can be used to bypass file type checks on the file name.

Using 00 truncation

I used to think that so-called 00 truncation meant adding %00 to the file name, but this is wrong. Why? Suppose an attacker constructs the file name admintony.php%00a.jpg. When the extension is extracted, %00 is treated as the end of the string, so the extracted extension is .php; the .php suffix is not allowed, so the upload fails.

It can only be used when the request also carries the directory the file is uploaded into. For example, if the request contains a path such as uploads/, the attacker can build the payload by modifying that path value: uploads/aa.php%00

Why can the path be modified? The program checks the file extension, and if the suffix is legal it concatenates the path and the file name. If the attacker changes the path to uploads/aaa.php%00/2018051413370000.php, then when the file is moved it is saved as uploads/aaa.php, achieving getshell.

Solution

Upload a PHP file to test:

UPload_5_1

The URL contains the upload path, so the guess is that the directory name is concatenated with the file name after the suffix check.

Use 00 truncation: the server decodes %00 into 0x00, which truncates the path.

UPload_5_2

AntSword, flag:

UPload_5_3

Source code analysis

<?php
header("Content-type: text/html;charset=utf-8");
error_reporting(0);

// set the upload directory
define("UPLOAD_PATH", dirname(__FILE__) . "/upload/");
define("UPLOAD_URL_PATH", str_replace($_SERVER['DOCUMENT_ROOT'], "", UPLOAD_PATH));

if (!file_exists(UPLOAD_PATH)) {
    mkdir(UPLOAD_PATH, 0755);
}

if (!empty($_POST['submit'])) {
    $name = basename($_FILES['file']['name']);
    $info = pathinfo($name);
    $ext = $info['extension'];                 // extension taken from the client-supplied name
    $whitelist = array("jpg", "png", "gif");
    if (in_array($ext, $whitelist)) {
        // the directory comes straight from $_GET['road']; a %00 in it truncates
        // the final path before the random name and extension are appended
        $des = $_GET['road'] . "/" . rand(10, 99) . date("YmdHis") . "." . $ext;
        if (move_uploaded_file($_FILES['file']['tmp_name'], $des)) {
            echo "<script>alert('上传成功')</script>";
        } else {
            echo "<script>alert('上传失败')</script>";
        }
    } else {
        echo "文件类型不匹配";
    }
}

?>

basename(path, suffix)  // returns the file name part of the path
Parameter description:
path: required. The path to check.
suffix: optional. Specifies a file extension; if the file name has this suffix, it is not output.

pathinfo()  // returns an associative array with information about path

<?php
print_r(pathinfo("/testweb/test.txt"));
?>
/*
Array
(
[dirname] => /testweb
[basename] => test.txt
[extension] => txt
)
*/

Uploaded files are uniformly renamed, and the truncation happens at this point, which enables the attack.

Doubled suffix

$name = basename($_FILES['file']['name']);
$blacklist = array("php", "php5", "php4", "php3", "phtml", "pht", "jsp", "jspa", "jspx", "jsw", "jsv", "jspf", "jtml", "asp", "aspx", "asa", "asax", "ascx", "ashx", "asmx", "cer", "swf", "htaccess", "ini");
$name = str_ireplace($blacklist, "", $name);

The code only replaces blacklisted strings with an empty string, so a name ending in .pphphp is enough to bypass it: removing "php" from the middle leaves .php behind.

Upload the backdoor, connect with AntSword, get the flag.
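Both the 00 truncation source above and the doubled-suffix blacklist fail for the same reason: they sanitise or concatenate attacker-controlled strings instead of rejecting them. The following hardened rewrite of the upload handler is an added example, not the challenge's code; it keeps the original's UPLOAD_PATH constant (redefined only so the snippet runs stand-alone) and assumes the same $_FILES['file'] form field.

```php
<?php
// Added example (not the challenge's code): a hardened rewrite of the upload
// handler analysed above. UPLOAD_PATH is the constant the original defines;
// it is redefined here only so the snippet runs on its own.
defined('UPLOAD_PATH') || define('UPLOAD_PATH', __DIR__ . '/upload/');

// Returns the server-chosen file name for an acceptable client name, else null.
function safe_upload_name(string $clientName): ?string {
    // Reject, never strip: the .pphphp trick works only because str_ireplace
    // deletes the match and leaves a new string behind. A null byte or path
    // separator anywhere in the name is an immediate reject.
    if (preg_match('/[\x00-\x1f\/\\\\]/', $clientName) === 1) { return null; }
    $name = basename($clientName);
    // Whitelist, anchored with \z: one stem, one dot, one known extension.
    // This also rejects ".htaccess" (empty stem) and "a.php.jpg" (two dots).
    if (preg_match('/^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)\z/i', $name, $m) !== 1) {
        return null;
    }
    $ext = strtolower($m[1]) === 'jpeg' ? 'jpg' : strtolower($m[1]);
    // The client's stem is discarded entirely; nothing attacker-chosen is kept.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Destination is a fixed directory; $_GET['road'] from the original is gone,
// so there is no path for %00 to truncate.
function store_upload(array $file): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) { return null; }
    if (!is_uploaded_file($file['tmp_name'])) { return null; }
    $final = safe_upload_name($file['name']);
    if ($final === null) { return null; }
    $dest = UPLOAD_PATH . $final;
    if (!move_uploaded_file($file['tmp_name'], $dest)) { return null; }
    chmod($dest, 0644);   // not executable; PHP should also be disabled in this dir
    return $final;
}

// Usage in place of the original `if (!empty($_POST['submit']))` block:
if (!empty($_POST['submit']) && isset($_FILES['file'])) {
    $stored = store_upload($_FILES['file']);
    echo $stored === null ? "upload rejected" : "stored as " . htmlspecialchars($stored);
}
```

Pair this with AllowOverride None for the upload directory in the Apache configuration, so that even a .htaccess that somehow reached the directory is never read.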


Source: www.cnblogs.com/chalan630/p/12547844.html