[MRCTF2020]你传你🐎呢
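Key point: file upload
1. Apache server: upload a .htaccess file, intercepting the request with Burp Suite
AddType application/x-httpd-php .jpg (makes .jpg files be parsed as PHP)
2. MIME type check bypass: change Content-Type to image/jpeg
Upload
Then upload the jpg and connect with AntSword, URL: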
http://b29acfc2-511c-4e8d-9809-f6d603e67757.node3.buuoj.cn/upload/170cb926048a559363653af71ffd6476/1.jpg
Get the flag
upload.php
<?php
session_start();
echo "<meta charset=\"utf-8\">";
// Give each session its own identifier; its md5 names the upload directory below.
if (!isset($_SESSION['user'])) {
    $_SESSION['user'] = md5((string)time() . (string)rand(100, 1000));
}
if (isset($_FILES['uploaded'])) {
    $target_path = getcwd() . "/upload/" . md5($_SESSION['user']);
    $t_path = $target_path . "/" . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
    $uploaded_size = $_FILES['uploaded']['size'];
    $uploaded_tmp = $_FILES['uploaded']['tmp_name'];
    // Blacklist: only extensions containing "ph" are rejected, so .htaccess passes.
    if (preg_match("/ph/i", strtolower($uploaded_ext))) {
        die("我扌your problem?");
    }
    else {
        // The type compared here is the Content-Type sent by the client.
        // The first comparison string is reproduced as it appears on the page.
        if ((($_FILES["uploaded"]["type"] == "
") || ($_FILES["uploaded"]["type"] == "image/jpeg") || ($_FILES["uploaded"]["type"] == "image/pjpeg") || ($_FILES["uploaded"]["type"] == "image/png")) && ($_FILES["uploaded"]["size"] < 2048)) {
            $content = file_get_contents($uploaded_tmp);
            mkdir(iconv("UTF-8", "GBK", $target_path), 0777, true);
            // The file keeps its client-supplied name inside the web-served upload directory.
            move_uploaded_file($uploaded_tmp, $t_path);
            echo "{$t_path} succesfully uploaded!";
        }
        else {
            die("我扌your problem?");
        }
    }
}
?>
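For comparison, a hardened version of the same upload handling, added here as an example; it is not part of the challenge source or the original writeup. It replaces the "ph" blacklist and the client-supplied Content-Type check with a server-side allowlist and a server-generated file name. ALLOWED, MAX_BYTES, validate_upload(), store_upload() and the upload directory location are hypothetical names and assumptions.

```php
<?php
// Added example (not the challenge's code): hardened handling of the same
// 'uploaded' form field. All names below are hypothetical.

// Allowlist: server-detected MIME type => extension the server will assign.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
const MAX_BYTES = 2048; // same size limit as the original handler

// Returns the extension to store the file under, or null if it is rejected.
function validate_upload(string $tmpPath, int $size): ?string
{
    if ($size <= 0 || $size >= MAX_BYTES || !is_file($tmpPath)) {
        return null;
    }
    // Detect the type from the file's bytes; $_FILES[...]['type'] is only the
    // Content-Type header chosen by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
}

// Moves an accepted upload to a server-generated name and returns its path.
function store_upload(array $file, string $dir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = validate_upload($file['tmp_name'], (int) $file['size']);
    if ($ext === null) {
        return null;
    }
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return null;
    }
    // The client's file name is never used, so a request cannot create a
    // file called ".htaccess" or pick its own extension.
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

if (isset($_FILES['uploaded'])) {
    // Assumption: the upload directory sits outside the web root.
    $path = store_upload($_FILES['uploaded'], dirname(__DIR__) . '/uploads');
    echo $path === null ? 'upload rejected' : 'stored';
}
```

Content sniffing alone does not stop an image that also contains PHP code, which is why the file is stored outside the web root under a name the server chooses. Setting AllowOverride None for the upload directory in the Apache configuration additionally stops any .htaccess placed there from being honoured.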
[MRCTF2020]Ez_bypass
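Key points:
1. md5
The former means the value and the type are exactly the same; the latter means the values are equal but the types differ. This can be bypassed with arrays: GET gg[]=1&id[]=2
2. The is_numeric function
This function checks whether a variable is a number or a numeric string; it returns true if so and false otherwise. Use HackBar to POST $passwd=1234567 followed by any characters to bypass it
Reference writeup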
[MRCTF2020]PYWebsite
View the page source
I looked at someone else's writeup; the keyword is IP
X-Forwarded-For:127.0.0.1