Challenge write-up: [SUCTF 2019] CheckIn
Challenge
Challenge reproduction link: https://buuoj.cn/challenges
Reference link: On exploiting .user.ini, starting from SUCTF 2019 CheckIn
I. Knowledge points involved
1. Using .user.ini to upload / hide a backdoor
Reference link: A PHP backdoor built from user.ini files
Conditions:
- 1. The server-side scripting language is PHP.
- 2. The server runs PHP in CGI / FastCGI mode (only then is the per-directory .user.ini read).
- 3. There is an executable PHP file in the upload directory.
Example: upload a .user.ini (the file name itself passes an extension blacklist check)
GIF89a //bypasses exif_imagetype()
auto_prepend_file=a.jpg //name of a file to be parsed automatically before the main file; it is included as if it were called with require()
auto_append_file=a.jpg //included after the main file has been parsed
Advantage: compared with the .htaccess backdoor, its scope is broader. It works under nginx / Apache / IIS, while .htaccess only applies to Apache.
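From the defender's side, the same conditions give a simple audit: nothing legitimate writes .user.ini or .htaccess into an upload tree, and an auto_prepend_file / auto_append_file directive there is the backdoor described above. The scanner below is an added example, not part of the original write-up; the directory layout and file contents in demo() are constructed.

```python
import os
import re
import tempfile

# Per-directory config files an upload directory should never contain:
# PHP reads .user.ini under CGI/FastCGI, Apache reads .htaccess.
CONFIG_FILENAMES = {".user.ini", ".htaccess"}

# "auto_prepend_file=a.jpg" (.user.ini) or "php_value auto_prepend_file a.jpg"
# (.htaccess); a leading "GIF89a" line or trailing comment does not matter.
_DIRECTIVE_RE = re.compile(
    r"^\s*(?:php_value\s+)?(auto_prepend_file|auto_append_file)\b\s*=?\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)

def find_include_directives(text):
    """Return [(directive, target)] for every auto_*_file directive in `text`."""
    return [(d.lower(), v) for d, v in _DIRECTIVE_RE.findall(text)]

def scan_upload_dir(root):
    """Report every config file under `root` and the include directives it sets."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name not in CONFIG_FILENAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                hits = find_include_directives(fh.read())
            # A config file without include directives is still reported:
            # nothing legitimate should be writing it into an upload tree.
            findings.append((os.path.relpath(path, root), hits))
    return sorted(findings)

def demo():
    """Constructed upload tree: one .user.ini as in the CheckIn challenge, one benign."""
    root = tempfile.mkdtemp()
    for user, content in (("user1", "GIF89a\nauto_prepend_file=a.jpg\n"),
                          ("user2", "upload_max_filesize=2M\n")):
        os.makedirs(os.path.join(root, "uploads", user))
        with open(os.path.join(root, "uploads", user, ".user.ini"), "w") as fh:
            fh.write(content)
    return scan_upload_dir(root)

if __name__ == "__main__":
    for path, hits in demo():
        print(path, hits or "(no include directive)")
```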
2. Bypassing exif_imagetype()
A clever trick:
#define width 20
#define height 10
Using the XBM (X Bit Map) format bypasses the exif_imagetype() check, so the uploaded file is accepted: exif_imagetype() recognises XBM as a valid image type, so a check that only tests for a non-false return value passes.
In computer graphics, X BitMap (XBM) is a plain-text binary image format used in the X Window System to store cursor and icon bitmaps for the X GUI.
XBM data consists of a series of static unsigned char arrays holding monochrome pixel data. When the format is used this way, it typically lives in a .h header file, with each image stored in one array in the header.
XBM files are identified by C code: the first two #defines specify the width and height of the bitmap in pixels, as in the following xbm file:
#define test_width 16
#define test_height 7
II. Solution approach
See the reference link.