ctfshow--web\u5165\u95e8--\u6587\u4ef6\u4e0a\u4f20<\/h1> \n
<\/p>\n
- \n
- ctfshow--web\u5165\u95e8--\u6587\u4ef6\u4e0a\u4f20<\/a>\n
- \n
- web151(\u524d\u7aef\u6821\u9a8c)<\/a><\/li>\n
- web152(content-type)<\/a><\/li>\n
- web153(.user.ini)<\/a><\/li>\n
- web154(\u5185\u5bb9\u68c0\u6d4b'php')<\/a><\/li>\n
- web155(\u5185\u5bb9\u68c0\u6d4b'php')<\/a><\/li>\n
- web156(\u5185\u5bb9\u68c0\u6d4b'[')<\/a><\/li>\n
- web157(\u5185\u5bb9\u68c0\u6d4b'php''[]''{}'';')<\/a><\/li>\n
- web158(\u6587\u4ef6\u68c0\u6d4b'php''{''['';''log')<\/a><\/li>\n
- web159(\u65e5\u5fd7\u5305\u542b)<\/a><\/li>\n
- web160(\u65e5\u5fd7\u7a7a\u683c\u68c0\u6d4b)<\/a><\/li>\n
- web161(\u65e5\u5fd7\u6587\u4ef6\u5934\u68c0\u6d4b)<\/a><\/li>\n
- web162&&web163(session\u5305\u542b)<\/a><\/li>\n
- web164(png\u56fe\u7247\u4e8c\u6b21\u6e32\u67d3)<\/a><\/li>\n
- web165(jpg\u56fe\u7247\u4e8c\u6b21\u6e32\u67d3)<\/a><\/li>\n
- web166(zip)<\/a><\/li>\n
- web167(.htaccess)<\/a><\/li>\n
- web168(\u59ff\u52bf\u7ed5\u8fc7)<\/a><\/li>\n
- web169&web170(\u6784\u9020\u5305\u542b\u65e5\u5fd7)<\/a><\/li>\n
- \u6587\u4ef6\u4e0a\u4f20\u603b\u7ed3<\/a><\/li>\n
- \u53c2\u8003\u6587\u7ae0<\/a><\/li>\n <\/ul><\/li>\n <\/ul>\n <\/div>\n
<\/p> \n
web151(\u524d\u7aef\u6821\u9a8c)<\/h2> \n
\u9898\u76ee\u4e2d\u63d0\u793a\u524d\u7aef\u68c0\u9a8c\u4e0d\u53ef\u9760\uff0c\u5e94\u8be5\u5bf9\u524d\u7aef\u68c0\u9a8c\u8fdb\u884c\u7ed5\u8fc7
\u68c0\u67e5\u524d\u7aef\u4ee3\u7801\u8fdb\u884c\u4fee\u6539\uff0c\u4f7fphp\u6587\u4ef6\u53ef\u4ee5\u901a\u8fc7\u524d\u7aef\u6821\u9a8c\uff0c\u6210\u529f\u4e0a\u4f20\u540e\u8fdb\u884c\u547d\u4ee4\u6267\u884c\uff0c\u627e\u5230flag
<\/p> \nweb152(content-type)<\/h2> \n
\u901a\u8fc7\u524d\u7aef\u6821\u9a8c\u540e\u4e0a\u4f20php\u6587\u4ef6\u663e\u793a\u6587\u4ef6\u7c7b\u578b\u4e0d\u5408\u89c4
\u5c1d\u8bd5\u6293\u5305\u4fee\u6539content-type\uff0c\u6839\u636e\u6570\u636e\u5305\u56de\u663e\u5f97\u77e5\u4e0a\u4f20\u6210\u529f\u3002
\u8bbf\u95ee\u540e\u95e8\u6587\u4ef6\u4ee3\u7801\u6267\u884c\u5f97\u5230flag<\/p> \nweb153(.user.ini)<\/h2> \n
\u76f4\u63a5\u4e0a\u4f20php\u6587\u4ef6\u663e\u793a\u6587\u4ef6\u7c7b\u578b\u4e0d\u5408\u89c4\uff0c\u5c1d\u8bd5\u4fee\u6539content-type\u4e0a\u4f20\u4e0d\u6210\u529f\uff0c\u4e0a\u4f20php3
\u540e\u7f00\u670d\u52a1\u5668\u4e0d\u80fd\u89e3\u6790
\u5c1d\u8bd5\u8bbf\u95eeupload\u6587\u4ef6\u5939\uff0c\u53d1\u73b0upload\u6587\u4ef6\u5939\u6709\u9ed8\u8ba4\u7d22\u5f15\uff0c\u5177\u6709index.php\u6587\u4ef6\uff0c\u90a3\u4e48\u53ef\u4ee5\u5229\u7528.user.ini\u6587\u4ef6\u6765\u8fdb\u884c\u4e0a\u4f20
\u5177\u4f53user.ini\u77e5\u8bc6\u70b9\u53c2\u8003.htaccess \u548c.user.ini \u914d\u7f6e\u6587\u4ef6\u5999\u7528<\/a>
.user.ini\u6587\u4ef6\u5176\u5b9e\u5c31\u662f\u4e00\u4e2a\u5c40\u90e8\u914d\u7f6e\u6587\u4ef6\uff0c\u53ef\u4ee5\u901a\u8fc7\u914d\u7f6e\u9009\u9879\u4f7f\u6bcf\u4e2aphp\u6587\u4ef6\u5934\u6216\u6587\u4ef6\u5c3e\u90fd\u8fdb\u884c\u6587\u4ef6\u5305\u542b<\/p> \nauto_prepend_file = <filename> \/\/\u5305\u542b\u5728\u6587\u4ef6\u5934\nauto_append_file = <filename> \/\/\u5305\u542b\u5728\u6587\u4ef6\u5c3e\n<\/code><\/pre> \n
\u901a\u8fc7.user.ini\u4f7f\u5f97upload\u6587\u4ef6\u5939\u4e0b\u6bcf\u4e2aphp\u6587\u4ef6\u5728\u6587\u4ef6\u5934\u90fd\u5305\u542b1.png\u6587\u4ef6
\u6784\u9020\u56fe\u7247\u9a6c1.png\u8fdb\u884c\u4e0a\u4f20,\u7531\u4e8e.user.ini\u4f7f\u5f97upload\u4e0bindex.php\u5305\u542b\u6240\u4e0a\u4f20\u7684\u56fe\u7247\u9a6c\uff0c\u76f4\u63a5\u8bbf\u95eeindex.php\u8fdb\u884c\u547d\u4ee4\u6267\u884c\u5373\u53ef\u5f97\u5230flag<\/p> \nweb154(\u5185\u5bb9\u68c0\u6d4b'php')<\/h2> \n
\u5927\u81f4\u6b65\u9aa4\u4e0e153\u9898\u4e00\u6837\u3002\u5728\u4e0a\u4f20\u7684\u65f6\u5019\u53d1\u73b0\u56fe\u7247\u9a6c\u4e0a\u4f20\u4e0d\u4e86\uff0c\u7ecf\u8fc7\u6d4b\u8bd5\u53d1\u73b0\u5bf9\u56fe\u7247\u5185\u5bb9\u4e2d\u7684php\u505a\u4e86\u5904\u7406\uff0c\u90a3\u4e48\u5728\u56fe\u7247\u9a6c\u4e2d\u53ef\u4ee5\u91c7\u7528php\u5176\u4ed6\u98ce\u683c\u7684\u5199\u6cd5\uff0c\u5982\u77ed\u6807\u7b7e\u7b49\u3002\u5177\u4f53\u53ef\u4ee5\u53c2\u8003PHP\u56db\u79cd\u6807\u8bb0\u98ce\u683c<\/a><\/p> \n
web155(\u5185\u5bb9\u68c0\u6d4b'php')<\/h2> \n
\u540c\u4e0a<\/p> \n
web156(\u5185\u5bb9\u68c0\u6d4b'[')<\/h2> \n
\u6e90\u7801\u68c0\u6d4b\u4e86php\u548c[\uff0c\u91c7\u7528\u77ed\u6807\u8bb0\u548c\u5927\u62ec\u53f7\u66ff\u4ee3<\/p> \n
<?php\n\n\/*\n# -*- coding: utf-8 -*-\n# @Author: h1xa\n# @Date: 2020-10-24 19:34:52\n# @Last Modified by: h1xa\n# @Last Modified time: 2020-10-26 15:49:51\n# @email: h1xa@ctfer.com\n# @link: https:\/\/ctfer.com\n\n*\/\n\/\/ Upload handler shown for the web156 challenge: it checks the size, the declared MIME type, the extension and the\n\/\/ file content, then stores the file under upload\/ using the client-supplied name and reports the result as JSON.\n\/\/ NOTE(review): every check below is either a client-controlled value or a denylist, so none of them is a reliable control.\n\/\/ Turns off all PHP error reporting for this script.\nerror_reporting(0);\n\/\/ A non-zero upload error code is passed back to the client unchanged as "msg".\nif ($_FILES["file"]["error"] > 0)\n{\n\t$ret = array("code"=>2,"msg"=>$_FILES["file"]["error"]);\n}\nelse\n{\n $filename = $_FILES["file"]["name"];\n \/\/ Size converted to KB; anything above 1024 KB is rejected with code 1.\n $filesize = ($_FILES["file"]["size"] \/ 1024);\n if($filesize>1024){\n \t$ret = array("code"=>1,"msg"=>"\u6587\u4ef6\u8d85\u8fc71024KB");\n }else{\n \t\/\/ NOTE(review): ['type'] is the Content-Type sent in the request, not a property of the uploaded bytes,\n \t\/\/ so this comparison does not establish that the file is a PNG. Inspect the data server-side instead.\n \tif($_FILES['file']['type'] == 'image\/png'){\n $arr = pathinfo($filename);\n $ext_suffix = $arr['extension'];\n \/\/ NOTE(review): one-entry extension denylist with a case-sensitive comparison; every extension other than exactly\n \/\/ 'php' passes, including configuration dotfiles such as the .user.ini the write-up uploads.\n \/\/ An allowlist of expected image extensions is the safer form of this check.\n if($ext_suffix!='php'){\n $content = file_get_contents($_FILES["file"]["tmp_name"]);\n \/\/ NOTE(review): case-insensitive keyword filter for "php" and "[" over the raw file bytes. Filtering spellings\n \/\/ does not stop interpretable content from being stored, so this must not be treated as a security boundary.\n if(stripos($content, "php")===FALSE && stripos($content,"[")===FALSE){\n \/\/ NOTE(review): stored under upload\/ with the unmodified client file name, and the path is returned to the client.\n \/\/ Safer designs generate the stored name server-side and keep uploads where PHP never executes or includes them.\n move_uploaded_file($_FILES["file"]["tmp_name"], "upload\/".$_FILES["file"]["name"]);\n $ret = array("code"=>0,"msg"=>"upload\/".$_FILES["file"]["name"]);\n }else{\n $ret = array("code"=>2,"msg"=>"\u6587\u4ef6\u7c7b\u578b\u4e0d\u5408\u89c4");\n }\n \n }else{\n $ret = array("code"=>2,"msg"=>"\u6587\u4ef6\u7c7b\u578b\u4e0d\u5408\u89c4");\n }\n \t\t\n \t}else{\n \t\t$ret = array("code"=>2,"msg"=>"\u6587\u4ef6\u7c7b\u578b\u4e0d\u5408\u89c4");\n \t}\n \t\n }\n\n}\n\n\/\/ Response codes set above: 0 = stored, 1 = over the size limit, 2 = upload error or rejected file.\necho json_encode($ret);\n\n<\/code><\/pre> \n
stripos() \u51fd\u6570\u67e5\u627e\u5b57\u7b26\u4e32\u5728\u53e6\u4e00\u5b57\u7b26\u4e32\u4e2d\u7b2c\u4e00\u6b21\u51fa\u73b0\u7684\u4f4d\u7f6e\uff08\u4e0d\u533a\u5206\u5927\u5c0f\u5199\uff09\u3002<\/p> \n
web157(\u5185\u5bb9\u68c0\u6d4b'php''[]''{}'';')<\/h2> \n
\u4e0a\u4f20.user.ini
\u5728\u4e0a\u4f20\u56fe\u7247\u9a6c\u5f97\u8fc7\u7a0b\u4e2d\uff0c\u7ecf\u8fc7\u4f7f\u7528\u4e8c\u5206\u6cd5\u5bf9\u4e00\u53e5\u8bdd\u6728\u9a6c\u7684\u5206\u6790\u53d1\u73b0\uff0c\u540e\u53f0\u4ee3\u7801\u5bf9\u56fe\u7247\u9a6c\u5185\u5bb9\u4e2d\u7684\u5173\u952e\u5b57\u2018php\u2019,'[]','{}'\u4ee5\u53ca';'\u90fd\u8fdb\u884c\u4e86\u68c0\u6d4b\uff0c\u8fd9\u4e00\u5173\u7684\u6027\u8d28\u5c31\u7531\u6587\u4ef6\u4e0a\u4f20\u8f6c\u53d8\u4e3a\u4e86\u4efb\u610f\u4ee3\u7801\u6267\u884c\uff0c\u90a3\u4e48\u53ea\u597d\u518d\u6b21\u5bf9\u6728\u9a6c\u6587\u4ef6\u8fdb\u884c\u4f2a\u88c5<\/p> \n<?= @eva l(array_pop($_POST))?>\n<\/code><\/pre> \n
\u4f7f\u7528=\u77ed\u6807\u7b7e\u7ed5\u8fc7php\u68c0\u6d4b
@\u4e0d\u63d0\u793a\u62a5\u9519\u4fe1\u606f
eval()\u628a\u5185\u5bb9\u5f53\u4f5cphp\u8bed\u53e5\u6267\u884c
array_pop()\u5c06\u6570\u7ec4\u4e2d\u6700\u540e\u4e00\u4e2a\u5143\u7d20\u53d6\u51fa\u5e76\u5220\u9664
\u4f7f\u7528$_POST\u63a5\u53d7\u4efb\u610f\u53d8\u91cf
\u4f7f\u7528\u8be5\u6587\u4ef6\u5e76\u4e0d\u80fd\u83b7\u53d6shell\uff0c\u53ea\u80fd\u901a\u8fc7POST\u63d0\u4ea4\u6570\u636e\u8fdb\u884c\u4ee3\u7801\u6267\u884c
\u4ee3\u7801\u6267\u884c