2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article goes through the ctfshow file upload challenges, which target PHP. Many people may not be familiar with them, so the notes below summarize each level.
Web151~ front-end verification
Capture the request directly and change the file extension.
Web152~ front end + MIME
Capture the request directly and change the file extension.
Web153~ .user.ini
https://www.php.net/manual/en/ini.list.php
Conditions of use:
(1) The server runs PHP as its scripting language in CGI/FastCGI mode.
(2) There must be an executable php file in the upload directory.
Mode of use:
Upload an image webshell.
Upload .user.ini:
auto_prepend_file=ma.png
Access a php file in the same directory as .user.ini.
This challenge has /upload/index.php, so the method works.
The server setup can be read from the HTTP response: nginx/1.18.0 (Ubuntu)
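An added example, not part of the original article: a defender-side audit of an upload directory for the pattern described above (a .user.ini that sets auto_prepend_file, next to a PHP script, plus an image that carries PHP code). It assumes the default user_ini.filename of .user.ini; the function names, regexes and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Directives that make PHP load another file into every script in the directory.
RISKY = re.compile(rb"^\s*(auto_prepend_file|auto_append_file)\s*=\s*(\S+)", re.I | re.M)
# Full, echo and short open tags; "<?xml" / "<?xpacket" (XMP metadata) do not match.
PHP_TAG = re.compile(rb"<\?(php|=|\s)", re.I)
SCRIPT_EXT = (".php", ".phtml", ".phar")

def audit_upload_dir(root, ini_name=".user.ini"):
    """Return sorted (relative path, finding) tuples for an upload directory tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Condition (2) in the text: the directive only matters next to a PHP script.
        has_script = any(f.lower().endswith(SCRIPT_EXT) for f in files)
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # inspect at most the first 1 MiB
            rel = os.path.relpath(path, root)
            if name == ini_name:
                for m in RISKY.finditer(data):
                    sev = "HIGH" if has_script else "MEDIUM"
                    key, val = (g.decode(errors="replace") for g in m.groups())
                    findings.append((rel, f"{sev}: {key}={val}"))
            elif not name.lower().endswith(SCRIPT_EXT) and PHP_TAG.search(data):
                findings.append((rel, "PHP open tag in non-script file"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample mirroring the layout in the text (harmless contents)."""
    root = tempfile.mkdtemp(prefix="upload_audit_")
    upload = os.path.join(root, "upload")
    os.mkdir(upload)
    samples = {
        "index.php": b"<?php echo 'index';",
        ".user.ini": b"auto_prepend_file=ma.png\n",
        "ma.png": b"GIF89a<?= 'constructed marker' ?>",
        "cat.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    }
    for name, body in samples.items():
        with open(os.path.join(upload, name), "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, finding in audit_upload_dir(build_sample_tree()):
        print(rel, "->", finding)
```

Setting user_ini.filename to an empty value in php.ini stops PHP from reading per-directory INI files at all, which removes the first finding class at the source.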
Web154~ file content filtering php
Initial testing shows that a blacklist filter is in place.
We can still upload .user.ini, and upload/index.php does exist.
So let's upload an image webshell.
It was intercepted.
Failed to upload the file. Reason: the content of the file is not up to standard.
The guess is that the string php is being intercepted. Removing it lets the upload succeed.
So the filter can simply be bypassed.
# cannot eval($_POST['a']); # cannot
Web155~ file content filtering php
Testing shows that a normal png image can be uploaded.
The image content is filtered for php.
Bypass the end sign.
Upload 2.png
Visit upload/index.php
Web158~ filter semicolon
It is the same as the web157 solution.
Web159~ filter parentheses
Testing shows that the file content is filtered for php, [, {, ;, (
Not a big problem, but function calls can no longer be used.
So use backquotes instead of system().
Web160~ filter backquotes, log file inclusion
Testing shows that the file content is filtered for php, [, {, ;, (, backquotes, and spaces.
Include the log file instead. However, the string log is filtered as well, so splice it together.
Upload .user.ini first, then upload ma.png.
The page output shows that the log is indeed included.
The first idea was to put a one-line webshell in the URL path from the browser, but it gets URL-encoded: %3C?php%20eval($_POST[1]);?%3e
So use the User-Agent (UA) instead.
Modify UA User-Agent:
The shell is then obtained successfully.
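An added example, not part of the original article: detection logic for the log-inclusion step above, run over constructed nginx access-log lines. It separates PHP open tags logged raw (which would execute if the log were included) from URL-encoded ones (the inert case the text describes for the URL path). The log format (nginx "combined"), the sample lines and all names are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# nginx "combined": ip - user [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
PHP_TAG = re.compile(r"<\?(php|=|\s|$)", re.I)

# Constructed sample lines (documentation IP range, harmless marker code).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jun/2024:10:00:01 +0000] "GET /upload/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jun/2024:10:00:07 +0000] "GET /%3C?php%20echo%201;?%3E HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jun/2024:10:00:09 +0000] "GET /upload/ HTTP/1.1" 200 512 "-" "<?php echo 1;?>"',
]

def find_poisoned_entries(lines):
    """Return (line number, client ip, field, form) for each logged PHP open tag."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue  # not in combined format; skipped here
        for field in ("request", "referer", "ua"):
            raw = m.group(field)
            if PHP_TAG.search(raw):
                # Stored verbatim: live code if this log is ever included by PHP.
                hits.append((n, m.group("ip"), field, "raw"))
            elif PHP_TAG.search(unquote(raw)):
                # Stored percent-encoded: an attempt, but inert inside the log.
                hits.append((n, m.group("ip"), field, "url-encoded"))
    return hits

if __name__ == "__main__":
    for hit in find_poisoned_entries(SAMPLE_LOG):
        print(hit)
```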
Web161~ detect file header
Files whose content is not a real image can no longer be uploaded. The guess is that the file header is being checked.
Prefixing the upload with GIF89a bypasses the check, but in testing a file whose content is only two characters cannot be uploaded, so add more characters.
The rest of the operation is the same as the previous level.
Web162~ session file inclusion
Testing shows that this level also checks the file header, and filters the dot (.) as well.
It can be bypassed like this.
.user.ini:
GIF89a
auto_prepend_file=ma
But with the uploaded ma file, the log file cannot be included either. At this point the session file has to be included instead.
The string flag is also filtered here.
Upload ma
GIF89a
So let's start constructing the race condition for including the session file.
Construction
Keep uploading continuously; the content writes a backdoor to a.php.
Then keep including the session file continuously.
The inclusion succeeds, so upload/a.php can now be accessed, which confirms that the backdoor was written.
For reference, see the articles on file inclusion
and on using session.upload_progress to include files.
Web163~ session file inclusion
The filtering is the same as before.
The operation is the same as the previous level.
There is upload/index.php here, so this file can be used directly to include the session file.
Upload .user.ini:
GIF89a
auto_prepend_file=/tmp/sess_fllag
Then start the race between uploading and including the session file.
Success.
This is the source code of the challenge:
*/
$img = imagecreatetruecolor(32, 32);
for ($y = 0; $y < sizeof($p); $y += 3) {
    $r = $p[$y];
    $g = $p[$y+1];
    $b = $p[$y+2];
    $color = imagecolorallocate($img, $r, $g, $b);
    imagesetpixel($img, round($y / 3), 0, $color);
}
imagepng($img, './1.png');
?>
Web165~ jpg secondary rendering
Testing shows that only jpg files can be uploaded.
{"code": 3, "msg": "only allowed to upload pictures in jpg format"}
This is secondary rendering again: when a backdoor is written into the image, the backend automatically detects and strips that data.
So a jpg secondary-rendering bypass is used.
Get the script.