Technique
Challenge description: In the eyes of a skilled hacker, every upload point is a backdoor left behind by the developer.
As usual, start by uploading a one-sentence PHP webshell (a .php file that evals a request parameter).
The response is as follows:
So the upload is being filtered.
Capture the request and change the suffix: .php1 through .php9 and .htaccess are all rejected. (.htaccess is a per-directory configuration file for the Apache web server, usually placed in the site root or in a specific directory; it supplies configuration directives for that directory and its subdirectories, and on Apache with mod_php it is the usual way to make uploaded .jpg files execute as PHP. Here it is blocked, and it would be ignored anyway if the server behind the upload is nginx.)
Since the server-side checks are implemented in PHP, and PHP here is running under CGI/FastCGI (php-fpm), we can instead use PHP's .user.ini mechanism to get our own code executed.
.user.ini is a per-directory supplement to php.ini that is honored only by the CGI and FastCGI SAPIs. On each request PHP looks for a .user.ini in the directory of the requested script (and in its parent directories up to the document root), applies the directives it finds, and caches the result for user_ini.cache_ttl seconds (300 by default), so a freshly uploaded file can take up to five minutes to take effect. Only directives with PHP_INI_PERDIR or PHP_INI_USER scope can be set this way; most of the dangerous options stay locked to php.ini, but some useful ones are within reach, notably auto_prepend_file.
auto_prepend_file is a PHP configuration directive that names a file PHP automatically includes before executing each script, as if the script began with a require(). It is meant for shared code (helpers, classes, initialization) that every script should run first, and its scope is PHP_INI_PERDIR, so a .user.ini is allowed to set it.
We can therefore upload a .user.ini that sets auto_prepend_file to the name of an "image" containing the one-sentence webshell, then upload that image. From then on, every PHP script executed in that directory includes the webshell before its own code. Note that this only fires when some PHP script in the upload directory (or below it) is actually requested, so the directory must already contain a reachable .php file; that file's URL becomes the webshell URL.
The steps are as follows:
First upload .user.ini. Its content points at qiu.jpg, so after capturing the request change the Content-Type of the file part from application/octet-stream to image/jpg.
Forward the request; the response says the file name is wrong, so the body is checked as well as the MIME type.
Re-capture the request and prepend the GIF image header GIF89a to the file body.
Forward it; the response says the file was uploaded successfully:
Next, create qiu.jpg with the following content (the GIF89a header followed by the one-sentence webshell):
Upload it the same way:
Check the file's upload path:
At this point the whole upload chain is in place. Before running any PHP script in that directory, PHP applies .user.ini, which prepends qiu.jpg, and qiu.jpg contains the one-sentence webshell, so we can connect with AntSword to the URL of a PHP script in that directory and browse the filesystem from the root directory.
Get the flag:
Summary
The above is a detailed walkthrough of the easyupload challenge from the adworld (攻防世界) platform, which tests file upload bypasses and the related knowledge points. Readers are encouraged to try it themselves.
Tip: this method works on any setup where PHP runs as CGI or FastCGI (php-fpm), whether the web server is Apache, nginx or something else. It does not work under Apache's mod_php, which ignores .user.ini; there you would need .htaccess instead.
I am Qiu said, see you next time.