{"rsdb":{"rid":"395139","subhead":"","postdate":"0","aid":"272515","fid":"90","uid":"1","topic":"1","content":"<div id=\"cnblogs_post_body\" class=\"blogpost-body cnblogs-markdown\"> \n <h1 id=\"ctfshow--web\u5165\u95e8--\u6587\u4ef6\u4e0a\u4f20\">ctfshow--web\u5165\u95e8--\u6587\u4ef6\u4e0a\u4f20<\/h1> \n <p><\/p>\n <div class=\"toc\">\n  <div class=\"toc-container-header\">\n   \u76ee\u5f55\n  <\/div>\n  <ul>\n   <li><a rel=\"noopener\">ctfshow--web\u5165\u95e8--\u6587\u4ef6\u4e0a\u4f20<\/a>\n    <ul>\n     <li><a rel=\"noopener\">web151(\u524d\u7aef\u6821\u9a8c)<\/a><\/li>\n     <li><a rel=\"noopener\">web152(content-type)<\/a><\/li>\n     <li><a rel=\"noopener\">web153(.user.ini)<\/a><\/li>\n     <li><a rel=\"noopener\">web154(\u5185\u5bb9\u68c0\u6d4b'php')<\/a><\/li>\n     <li><a rel=\"noopener\">web155(\u5185\u5bb9\u68c0\u6d4b'php')<\/a><\/li>\n     <li><a rel=\"noopener\">web156(\u5185\u5bb9\u68c0\u6d4b'[')<\/a><\/li>\n     <li><a rel=\"noopener\">web157(\u5185\u5bb9\u68c0\u6d4b'php''[]''{}'';')<\/a><\/li>\n     <li><a rel=\"noopener\">web158(\u6587\u4ef6\u68c0\u6d4b'php''{''['';''log')<\/a><\/li>\n     <li><a rel=\"noopener\">web159(\u65e5\u5fd7\u5305\u542b)<\/a><\/li>\n     <li><a rel=\"noopener\">web160(\u65e5\u5fd7\u7a7a\u683c\u68c0\u6d4b)<\/a><\/li>\n     <li><a rel=\"noopener\">web161(\u65e5\u5fd7\u6587\u4ef6\u5934\u68c0\u6d4b)<\/a><\/li>\n     <li><a rel=\"noopener\">web162&amp;&amp;web163(session\u5305\u542b)<\/a><\/li>\n     <li><a rel=\"noopener\">web164(png\u56fe\u7247\u4e8c\u6b21\u6e32\u67d3)<\/a><\/li>\n     <li><a rel=\"noopener\">web165(jpg\u56fe\u7247\u4e8c\u6b21\u6e32\u67d3)<\/a><\/li>\n     <li><a rel=\"noopener\">web166(zip)<\/a><\/li>\n     <li><a rel=\"noopener\">web167(.htaccess)<\/a><\/li>\n     <li><a rel=\"noopener\">web168(\u59ff\u52bf\u7ed5\u8fc7)<\/a><\/li>\n     <li><a rel=\"noopener\">web169&amp;web170(\u6784\u9020\u5305\u542b\u65e5\u5fd7)<\/a><\/li>\n     <li><a rel=\"noopener\">\u6587\u4ef6\u4e0a\u4f20\u603b\u7ed3<\/a><\/li>\n     <li><a rel=\"noopener\">\u53c2\u8003\u6587\u7ae0<\/a><\/li>\n    <\/ul><\/li>\n  <\/ul>\n <\/div>\n <p><\/p> \n <h2 id=\"web151\u524d\u7aef\u6821\u9a8c\">web151(\u524d\u7aef\u6821\u9a8c)<\/h2> \n <p>\u9898\u76ee\u4e2d\u63d0\u793a\u524d\u7aef\u68c0\u9a8c\u4e0d\u53ef\u9760\uff0c\u5e94\u8be5\u5bf9\u524d\u7aef\u68c0\u9a8c\u8fdb\u884c\u7ed5\u8fc7<br \/> <img src=\"https:\/\/img-blog.csdnimg.cn\/608e51750ded43f2aefc1c2a66a3e803.png\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" loading=\"lazy\" \/><br \/> \u68c0\u67e5\u524d\u7aef\u4ee3\u7801\u8fdb\u884c\u4fee\u6539\uff0c\u4f7fphp\u6587\u4ef6\u53ef\u4ee5\u901a\u8fc7\u524d\u7aef\u6821\u9a8c\uff0c\u6210\u529f\u4e0a\u4f20\u540e\u8fdb\u884c\u547d\u4ee4\u6267\u884c\uff0c\u627e\u5230flag<br \/> <img src=\"https:\/\/img-blog.csdnimg.cn\/35fc3e84c4df40c89df2461c10df35ac.png\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" loading=\"lazy\" \/><\/p> \n <h2 id=\"web152content-type\">web152(content-type)<\/h2> \n <p>\u901a\u8fc7\u524d\u7aef\u6821\u9a8c\u540e\u4e0a\u4f20php\u6587\u4ef6\u663e\u793a\u6587\u4ef6\u7c7b\u578b\u4e0d\u5408\u89c4<br \/> <img src=\"https:\/\/img-blog.csdnimg.cn\/86e08d781e9346eb901bcb8bf80b938b.png\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" loading=\"lazy\" \/><br \/> \u5c1d\u8bd5\u6293\u5305\u4fee\u6539content-type\uff0c\u6839\u636e\u6570\u636e\u5305\u56de\u663e\u5f97\u77e5\u4e0a\u4f20\u6210\u529f\u3002<br \/> <img src=\"https:\/\/img-blog.csdnimg.cn\/b17c452d2c864069af76a450ff065f98.png\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" loading=\"lazy\" \/><br \/> \u8bbf\u95ee\u540e\u95e8\u6587\u4ef6\u4ee3\u7801\u6267\u884c\u5f97\u5230flag<\/p> \n <h2 id=\"web153userini\">web153(.user.ini)<\/h2> \n <p>\u76f4\u63a5\u4e0a\u4f20php\u6587\u4ef6\u663e\u793a\u6587\u4ef6\u7c7b\u578b\u4e0d\u5408\u89c4\uff0c\u5c1d\u8bd5\u4fee\u6539content-type\u4e0a\u4f20\u4e0d\u6210\u529f\uff0c\u4e0a\u4f20php3<br \/> \u540e\u7f00\u670d\u52a1\u5668\u4e0d\u80fd\u89e3\u6790<br \/> \u5c1d\u8bd5\u8bbf\u95eeupload\u6587\u4ef6\u5939\uff0c\u53d1\u73b0upload\u6587\u4ef6\u5939\u6709\u9ed8\u8ba4\u7d22\u5f15\uff0c\u5177\u6709index.php\u6587\u4ef6\uff0c\u90a3\u4e48\u53ef\u4ee5\u5229\u7528.user.ini\u6587\u4ef6\u6765\u8fdb\u884c\u4e0a\u4f20<br \/> \u5177\u4f53user.ini\u77e5\u8bc6\u70b9\u53c2\u8003<a target=\"_blank\" rel=\"noopener\">.htaccess \u548c.user.ini \u914d\u7f6e\u6587\u4ef6\u5999\u7528<\/a><br \/> .user.ini\u6587\u4ef6\u5176\u5b9e\u5c31\u662f\u4e00\u4e2a\u5c40\u90e8\u914d\u7f6e\u6587\u4ef6\uff0c\u53ef\u4ee5\u901a\u8fc7\u914d\u7f6e\u9009\u9879\u4f7f\u6bcf\u4e2aphp\u6587\u4ef6\u5934\u6216\u6587\u4ef6\u5c3e\u90fd\u8fdb\u884c\u6587\u4ef6\u5305\u542b<\/p> \n <pre><code class=\"language-bash\">auto_prepend_file = &lt;filename&gt;         \/\/\u5305\u542b\u5728\u6587\u4ef6\u5934\nauto_append_file = &lt;filename&gt;          \/\/\u5305\u542b\u5728\u6587\u4ef6\u5c3e\n<\/code><\/pre> \n <p><img src=\"https:\/\/img-blog.csdnimg.cn\/2d9eeb16a06d4d41a547fa2e1e78af9b.png\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" loading=\"lazy\" \/><br \/> \u901a\u8fc7.user.ini\u4f7f\u5f97upload\u6587\u4ef6\u5939\u4e0b\u6bcf\u4e2aphp\u6587\u4ef6\u5728\u6587\u4ef6\u5934\u90fd\u5305\u542b1.png\u6587\u4ef6<br \/> \u6784\u9020\u56fe\u7247\u9a6c1.png\u8fdb\u884c\u4e0a\u4f20,\u7531\u4e8e.user.ini\u4f7f\u5f97upload\u4e0bindex.php\u5305\u542b\u6240\u4e0a\u4f20\u7684\u56fe\u7247\u9a6c\uff0c\u76f4\u63a5\u8bbf\u95eeindex.php\u8fdb\u884c\u547d\u4ee4\u6267\u884c\u5373\u53ef\u5f97\u5230falg<\/p> \n <h2 id=\"web154\u5185\u5bb9\u68c0\u6d4bphp\">web154(\u5185\u5bb9\u68c0\u6d4b'php')<\/h2> \n <p>\u5927\u81f4\u6b65\u9aa4\u4e0e153\u9898\u4e00\u6837\u3002\u5728\u4e0a\u4f20\u7684\u65f6\u5019\u53d1\u73b0\u56fe\u7247\u9a6c\u4e0a\u4f20\u4e0d\u4e86\uff0c\u7ecf\u8fc7\u6d4b\u8bd5\u53d1\u73b0\u5bf9\u56fe\u7247\u5185\u5bb9\u4e2d\u7684php\u505a\u4e86\u5904\u7406\uff0c\u90a3\u4e48\u5728\u56fe\u7247\u9a6c\u4e2d\u53ef\u4ee5\u91c7\u7528php\u5176\u4ed6\u98ce\u683c\u5f97\u5199\u6cd5\uff0c\u5982\u77ed\u6807\u7b7e\u7b49\u3002\u5177\u4f53\u53ef\u4ee5\u53c2\u8003<a target=\"_blank\" rel=\"noopener\">PHP\u56db\u79cd\u6807\u8bb0\u98ce\u683c<\/a><\/p> \n <h2 id=\"web155\u5185\u5bb9\u68c0\u6d4bphp\">web155(\u5185\u5bb9\u68c0\u6d4b'php')<\/h2> \n <p>\u540c\u4e0a<\/p> \n <h2 id=\"web156\u5185\u5bb9\u68c0\u6d4b\">web156(\u5185\u5bb9\u68c0\u6d4b'[')<\/h2> \n <p>\u6e90\u7801\u68c0\u6d4b\u4e86php\u548c[\uff0c\u91c7\u7528\u77ed\u6807\u8bb0\u548c\u5927\u62ec\u53f7\u66ff\u4ee3<\/p> \n <pre><code class=\"language-php\">&lt;?php\n\n\/*\n# -*- coding: utf-8 -*-\n# @Author: h1xa\n# @Date:   2020-10-24 19:34:52\n# @Last Modified by:   h1xa\n# @Last Modified time: 2020-10-26 15:49:51\n# @email: h1xa@ctfer.com\n# @link: https:\/\/ctfer.com\n\n*\/\nerror_reporting(0);\nif ($_FILES[&quot;file&quot;][&quot;error&quot;] &gt; 0)\n{\n\t$ret = array(&quot;code&quot;=&gt;2,&quot;msg&quot;=&gt;$_FILES[&quot;file&quot;][&quot;error&quot;]);\n}\nelse\n{\n    $filename = $_FILES[&quot;file&quot;][&quot;name&quot;];\n    $filesize = ($_FILES[&quot;file&quot;][&quot;size&quot;] \/ 1024);\n    if($filesize&gt;1024){\n    \t$ret = array(&quot;code&quot;=&gt;1,&quot;msg&quot;=&gt;&quot;\u6587\u4ef6\u8d85\u8fc71024KB&quot;);\n    }else{\n    \tif($_FILES['file']['type'] == 'image\/png'){\n            $arr = pathinfo($filename);\n            $ext_suffix = $arr['extension'];\n            if($ext_suffix!='php'){\n                $content = file_get_contents($_FILES[&quot;file&quot;][&quot;tmp_name&quot;]);\n                if(stripos($content, &quot;php&quot;)===FALSE &amp;&amp; stripos($content,&quot;[&quot;)===FALSE){\n                    move_uploaded_file($_FILES[&quot;file&quot;][&quot;tmp_name&quot;], &quot;upload\/&quot;.$_FILES[&quot;file&quot;][&quot;name&quot;]);\n                    $ret = array(&quot;code&quot;=&gt;0,&quot;msg&quot;=&gt;&quot;upload\/&quot;.$_FILES[&quot;file&quot;][&quot;name&quot;]);\n                }else{\n                    $ret = array(&quot;code&quot;=&gt;2,&quot;msg&quot;=&gt;&quot;\u6587\u4ef6\u7c7b\u578b\u4e0d\u5408\u89c4&quot;);\n                }\n                \n            }else{\n                $ret = array(&quot;code&quot;=&gt;2,&quot;msg&quot;=&gt;&quot;\u6587\u4ef6\u7c7b\u578b\u4e0d\u5408\u89c4&quot;);\n            }\n    \t\t\n    \t}else{\n    \t\t$ret = array(&quot;code&quot;=&gt;2,&quot;msg&quot;=&gt;&quot;\u6587\u4ef6\u7c7b\u578b\u4e0d\u5408\u89c4&quot;);\n    \t}\n    \t\n    }\n\n}\n\necho json_encode($ret);\n\n<\/code><\/pre> \n <p>stripos() \u51fd\u6570\u67e5\u627e\u5b57\u7b26\u4e32\u5728\u53e6\u4e00\u5b57\u7b26\u4e32\u4e2d\u7b2c\u4e00\u6b21\u51fa\u73b0\u7684\u4f4d\u7f6e\uff08\u4e0d\u533a\u5206\u5927\u5c0f\u5199\uff09\u3002<\/p> \n <h2 id=\"web157\u5185\u5bb9\u68c0\u6d4bphp\">web157(\u5185\u5bb9\u68c0\u6d4b'php''[]''{}'';')<\/h2> \n <p>\u4e0a\u4f20.user.ini<br \/> \u5728\u4e0a\u4f20\u56fe\u7247\u9a6c\u5f97\u8fc7\u7a0b\u4e2d\uff0c\u7ecf\u8fc7\u4f7f\u7528\u4e8c\u5206\u6cd5\u5bf9\u4e00\u53e5\u8bdd\u6728\u9a6c\u7684\u5206\u6790\u53d1\u73b0\uff0c\u540e\u53f0\u4ee3\u7801\u5bf9\u56fe\u7247\u9a6c\u5185\u5bb9\u4e2d\u7684\u5173\u952e\u5b57\u2018php\u2019,'[]','{}'\u4ee5\u53ca';'\u90fd\u8fdb\u884c\u4e86\u68c0\u6d4b\uff0c\u8fd9\u4e00\u5173\u7684\u6027\u8d28\u5c31\u7531\u6587\u4ef6\u4e0a\u4f20\u8f6c\u53d8\u4e3a\u4e86\u4efb\u610f\u4ee3\u7801\u6267\u884c\uff0c\u90a3\u4e48\u53ea\u597d\u518d\u6b21\u5bf9\u6728\u9a6c\u6587\u4ef6\u8fdb\u884c\u4f2a\u88c5<\/p> \n <pre><code class=\"language-php\">&lt;?= @eva l(array_pop($_POST))?&gt;\n<\/code><\/pre> \n <p>\u4f7f\u7528=\u77ed\u6807\u7b7e\u7ed5\u8fc7php\u68c0\u6d4b<br \/> @\u4e0d\u63d0\u793a\u62a5\u9519\u4fe1\u606f<br \/> eva l()\u628a\u5185\u5bb9\u5f53\u4f5cphp\u8bed\u53e5\u6267\u884c<br \/> array_pop()\u5c06\u6570\u7ec4\u4e2d\u6700\u540e\u4e00\u4e2a\u5143\u7d20\u53d6\u51fa\u5e76\u5220\u9664<br \/> \u4f7f\u7528$_POST\u63a5\u53d7\u4efb\u610f\u53d8\u91cf<br \/> \u4f7f\u7528\u8be5\u6587\u4ef6\u5e76\u4e0d\u80fd\u83b7\u53d6shell\uff0c\u53ea\u80fd\u901a\u8fc7POST\u63d0\u4ea4\u6570\u636e\u8fdb\u884c\u4ee3\u7801\u6267\u884c<br \/> \u4ee3\u7801\u6267\u884c","orderid":"0","title":"ctfshow--web\u5165\u95e8--\u6587\u4ef6\u4e0a\u4f20(\u4e00)","smalltitle":"","mid":"0","fname":"Scala","special_id":"0","bak_id":"0","info":"0","hits":"442","pages":"5","comments":"0","posttime":"2023-08-06 07:49:31","list":"1691279371","username":"admin","author":"","copyfrom":"","copyfromurl":"","titlecolor":"","fonttype":"0","titleicon":"0","picurl":"https:\/\/www.cppentry.com\/upload_files\/","ispic":"0","yz":"1","yzer":"","yztime":"0","levels":"0","levelstime":"0","keywords":"<A HREF='https:\/\/www.cppentry.com\/do\/search.php?type=keyword&keyword=ctfshow--web' target=_blank>ctfshow--web<\/A> <A HREF='https:\/\/www.cppentry.com\/do\/search.php?type=keyword&keyword=%C8%EB%C3%C5' target=_blank>\u5165\u95e8<\/A> <A HREF='https:\/\/www.cppentry.com\/do\/search.php?type=keyword&keyword=%CE%C4%BC%FE%C9%CF' target=_blank>\u6587\u4ef6\u4e0a<\/A>","jumpurl":"","iframeurl":"","style":"","template":"a:3:{s:4:\"head\";s:0:\"\";s:4:\"foot\";s:0:\"\";s:8:\"bencandy\";s:0:\"\";}","target":"0","ip":"211.148.71.108","lastfid":"0","money":"0","buyuser":"","passwd":"","allowdown":"","allowview":"","editer":"","edittime":"0","begintime":"0","endtime":"0","description":"ctfshow--web\u5165\u95e8--\u6587\u4ef6\u4e0a\u4f20","lastview":"1715047614","digg_num":"0","digg_time":"0","forbidcomment":"0","ifvote":"0","heart":"","htmlname":"","city_id":"0"},"page":"1"}