BUUCTF WEB [SUCTF 2019]CheckIn
Opening the page shows an upload interface.
The challenge also gives the source on GitHub, and I looked at the flag there as well ~ ~
That is not important, I came to see the source code! ! ! index.php is as follows:
```php
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>Upload Labs</title>
</head>
<body>
    <h2>Upload Labs</h2>
    <form action="index.php" method="post" enctype="multipart/form-data">
        <label for="file">文件名:</label>
        <input type="file" name="fileUpload" id="file"><br>
        <input type="submit" name="upload" value="提交">
    </form>
</body>
</html>
<?php
// error_reporting(0);
$userdir = "uploads/" . md5($_SERVER["REMOTE_ADDR"]);
if (!file_exists($userdir)) {
    mkdir($userdir, 0777, true);
}
file_put_contents($userdir . "/index.php", "");
if (isset($_POST["upload"])) {
    $tmp_name = $_FILES["fileUpload"]["tmp_name"];
    $name = $_FILES["fileUpload"]["name"];
    if (!$tmp_name) {
        die("filesize too big!");
    }
    if (!$name) {
        die("filename cannot be empty!");
    }
    $extension = substr($name, strrpos($name, ".") + 1);
    if (preg_match("/ph|htacess/i", $extension)) {
        die("illegal suffix!");
    }
    if (mb_strpos(file_get_contents($tmp_name), "<?") !== FALSE) {
        die("<? in contents!");
    }
    $image_type = exif_imagetype($tmp_name);
    if (!$image_type) {
        die("exif_imagetype:not image!");
    }
    $upload_file_path = $userdir . "/" . $name;
    move_uploaded_file($tmp_name, $upload_file_path);
    echo "Your dir " . $userdir. ' <br>';
    echo 'Your files : <br>';
    var_dump(scandir($userdir));
}
```
Analysis: there are three checks, on the file extension, on the file contents, and on the image type.
The content check can still be bypassed! ! The type check can be bypassed too ,,,,
What about the suffix check ,,, an image webshell can be uploaded, but an image will not be parsed as PHP! !
Construct an image webshell:
Renamed to 1.gif, it uploads successfully!
The path is known as well! I tried the Apache parsing vulnerability and found it does not work ,,,,
So we are meant to upload an image and then get it parsed and executed as PHP code, but .htaccess is filtered, and
later I learned that there is another configuration file with the same role as .htaccess, namely the .user.ini file.
.user.ini is recognized for settings in PHP_INI_PERDIR and PHP_INI_USER mode; the list of options can be looked up here:
php.ini directives list
auto_append_file and auto_prepend_file both automatically include a configured file ,,, the only difference is whether the file is included after or before the script.
Construct and upload:
```ini
GIF89a
auto_prepend_file=1.gif
```
Yes, uploaded successfully.
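To make the analysis above concrete, here is an added example (my own Python re-implementation, not the challenge's PHP) that runs the three original checks next to an allowlist version over constructed sample uploads, including the two files from this writeup. The `image_type()` helper is an assumed magic-byte stand-in for PHP's `exif_imagetype()`; the sample bytes are constructed.

```python
import os
import re
import secrets

# Added example: Python mirror of the challenge's three checks, next to an
# allowlist version. image_type() is a magic-byte stand-in for exif_imagetype().

IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
ALLOWED_EXT = {"gif": {"gif"}, "png": {"png"}, "jpeg": {"jpg", "jpeg"}}
CANONICAL_EXT = {"gif": "gif", "png": "png", "jpeg": "jpg"}


def image_type(data: bytes):
    """Return 'gif', 'png', 'jpeg' or None, judging by the leading bytes only."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def challenge_checks(name: str, data: bytes) -> str:
    """Mirror of the original logic: returns 'ok' or the die() message."""
    if not name:
        return "filename cannot be empty!"
    # substr($name, strrpos($name, ".") + 1): with no dot strrpos() is FALSE,
    # FALSE + 1 == 1, so PHP returns the name minus its first character.
    dot = name.rfind(".")
    extension = name[dot + 1:] if dot != -1 else name[1:]
    if re.search(r"ph|htacess", extension, re.I):   # blocklist, as written
        return "illegal suffix!"
    if b"<?" in data:
        return "<? in contents!"
    if image_type(data) is None:
        return "exif_imagetype:not image!"
    return "ok"


def hardened_checks(name: str, data: bytes):
    """Allowlist version: returns (accepted, server-chosen filename or reason)."""
    base = os.path.basename(name)
    if not base or base.startswith(".") or "." not in base:
        return False, "rejected: dotfile or missing extension"
    ext = base.rsplit(".", 1)[1].lower()
    kind = image_type(data)
    if kind is None or ext not in ALLOWED_EXT[kind]:
        return False, "rejected: extension does not match detected image type"
    if b"<?" in data:
        return False, "rejected: script-like content"
    # Never reuse the client's name: store under a random name whose extension
    # comes from the detected type, so no .user.ini or other dotfile can land.
    return True, secrets.token_hex(16) + "." + CANONICAL_EXT[kind]


# Constructed sample uploads, modelled on the writeup's two files.
SAMPLES = {
    "1.gif": b"GIF89a" + b"\x00" * 32,
    ".user.ini": b"GIF89a\nauto_prepend_file=1.gif\n",
    "a.php": b"GIF89a",
    "notes.txt": b"plain text",
}


def compare(samples=SAMPLES):
    """Run both validators; returns {name: (challenge result, hardened accepted?)}."""
    return {n: (challenge_checks(n, d), hardened_checks(n, d)[0]) for n, d in samples.items()}


if __name__ == "__main__":
    for name, (orig, hard) in compare().items():
        print(f"{name:12} challenge={orig!r:30} hardened={'accept' if hard else 'reject'}")
```

The run shows the point of the writeup: the `.user.ini` upload passes all three original checks because every one of them is a blocklist or a header sniff, while the allowlist version rejects it on the dotfile rule alone and would still have rejected it on the renamed-storage rule. Renaming is the check that matters most, since it removes the client's control over what name lands in the directory.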
And from the code we also know that an empty index.php is automatically generated in the user's directory, but because the .user.ini is present,
index.php will automatically include 1.gif, as you can see by accessing index.php:
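From the defender's side, the combination just described (an auto-created index.php plus a user-writable directory that PHP reads `.user.ini` from) is easy to detect on disk. The following is an added example, not part of the writeup: a Python audit that walks an `uploads/<hash>/` tree laid out like the challenge's, reports any `.user.ini` or `.htaccess`, and extracts the `auto_prepend_file`/`auto_append_file` directives inside them. The directory it scans is constructed in a temp dir, and the hash directory name is a placeholder for `md5(ip)`.

```python
import os
import re
import tempfile

# Added example: audit an uploads tree for PHP per-directory config files and
# the auto_*_file directives they carry. Not part of the challenge's code.

CONFIG_NAMES = {".user.ini", ".htaccess"}
# Matches "auto_prepend_file=x" (ini) and "php_value auto_prepend_file x" (.htaccess).
DIRECTIVE_RE = re.compile(
    r"^\s*(?:php_value\s+|php_flag\s+)?(auto_prepend_file|auto_append_file)\s*=?\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def audit_upload_tree(root):
    """Return a list of {'path', 'issue'} findings for config files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn not in CONFIG_NAMES:
                continue
            path = os.path.join(dirpath, fn)
            findings.append({"path": path, "issue": f"{fn} present in upload directory"})
            with open(path, "rb") as fh:
                # Decode leniently: the file may start with a fake image header.
                text = fh.read().decode("latin-1")
            for m in DIRECTIVE_RE.finditer(text):
                findings.append({"path": path, "issue": f"{m.group(1).lower()} -> {m.group(2)}"})
    return findings


def build_demo_tree():
    """Create a constructed uploads/<hash>/ directory mirroring the writeup's state."""
    root = tempfile.mkdtemp(prefix="uploads_")
    userdir = os.path.join(root, "0" * 32)   # placeholder for md5($_SERVER["REMOTE_ADDR"])
    os.makedirs(userdir)
    with open(os.path.join(userdir, "index.php"), "wb") as fh:
        fh.write(b"")                           # the empty file index.php writes per visitor
    with open(os.path.join(userdir, "1.gif"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 32)      # constructed image bytes
    with open(os.path.join(userdir, ".user.ini"), "wb") as fh:
        fh.write(b"GIF89a\nauto_prepend_file=1.gif\n")   # the writeup's upload
    return root


if __name__ == "__main__":
    for f in audit_upload_tree(build_demo_tree()):
        print(f"{f['path']}: {f['issue']}")
```

For the fix itself, the upload directory should not be a place PHP executes at all: on Apache set `php_admin_flag engine off` for the directory, or in php.ini set `user_ini.filename` to an empty value so per-directory `.user.ini` files are ignored entirely. Note that PHP caches `.user.ini` lookups for `user_ini.cache_ttl` seconds (300 by default), so a file that has just been removed can keep taking effect for a few minutes.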
Connecting directly with AntSword works without any trouble:
Get the flag: