1. Upload a file named 1.php based on the code below
```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '文件类型不正确,请重新上传!';
            $is_upload = false;
        }
    }
}
```
What each check does:
- `isset($_POST['submit'])`: isset() tests whether a variable has been set; `$_POST["submit"]` is the variable submitted via POST.
- `file_exists(UPLOAD_PATH)`: file_exists() checks whether a file or directory exists; UPLOAD_PATH is the upload directory.
- `$_FILES['upload_file']['tmp_name']`: upload_file is the uploaded file and temp_file the temporary file; tmp_name is the name under which the uploaded file was saved on the server, i.e. the file's name after the upload.
- `$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']`: image path = upload directory . '/' . the uploaded file's original name.
- `move_uploaded_file($temp_file, $img_path)`: moves the uploaded file to a new location, here from the temporary file to the image path.
Overall: the declared type must be png, gif or jpeg; any other file is rejected and cannot be uploaded.
Start Burp Suite and intercept the request.
Upload a jpeg file and capture the request.
Change 1.jpg to 1.php in the captured request.
Success! The file was turned into a php file through Burp Suite.
2. Upload a file based on the code below
```php
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');
if (!in_array($file_ext, $deny_ext)) {
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $img_path = UPLOAD_PATH.'/'.$_FILES['upload_file']['name'];
    if ($_FILES['upload_file']['name'] == '3.php') {
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    }
} else {
    $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
}
```
This time the file cannot simply be renamed to php as in the previous level.
So we rename it to phtml instead.
That does not trip the extension check, and the upload succeeds!
3. Upload a file based on the code below
That many extensions? Can't you play fair, QAQ!
```php
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".htaccess");
        $file_name = $_FILES['upload_file']['name'];
        // deldot() is the lab's own helper, not a PHP built-in: it strips trailing dots from the name
        $file_name = deldot($file_name);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext);
        $file_ext = str_ireplace('::$DATA', '', $file_ext);
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传';
        }
    }
}
```
Upload 3.jpeg
Change the name to
3.php (with a space appended after it)
Upload succeeded; you never said php was not allowed, TVT
4. Upload a file based on the code below
This one has an extra text box.
```php
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
        $file_name = $_POST['save_name'];
        $file_ext = pathinfo($file_name, PATHINFO_EXTENSION);
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $file_name;
            // the snippet in the writeup ends here; the save step follows the pattern of the previous levels
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            }
        }
    }
}
```
Upload
3.php
Well, that no longer works here.
So try the extra field instead.
It turns out that setting it to php lets the upload through: the level makes you think it cannot possibly be php, and then it is php after all.
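The four levels above all fail for the same reason: the server trusts something the client controls, whether the Content-Type header, a filename it runs through a deny-list without normalising, or a form field that becomes the save path. The handler below is an added example written for this page, not the lab's own code or the writeup's. It assumes UPLOAD_PATH is defined by the surrounding script, as the snippets do, and shows the checks that stop each of the four tricks: an allow-list instead of a deny-list, normalisation of trailing spaces, dots and `::$DATA` before the check, content sniffing instead of the declared type, and a server-generated filename.

```php
<?php
// Added example, not part of the writeup or of the lab's own code: one upload
// handler that closes all four gaps above. UPLOAD_PATH is assumed to be
// defined by the including script, as in the snippets.

// Allow-list of extensions with the content type each must really have. A
// deny-list (levels 2-4) loses to any spelling it forgot: phtml, php5, pHp ...
const ALLOWED_EXT = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Reduce a client-supplied name to a canonical lower-case extension, undoing
// the tricks from the writeup before the check: "3.php " (trailing space),
// "3.php." (trailing dot), "3.php::$DATA" (NTFS stream) and "3.PHP".
function canonical_extension(string $name): string {
    $name = basename($name);                          // drop any path components
    $name = preg_replace('/::\$DATA$/i', '', $name);  // NTFS alternate data stream
    $name = rtrim($name, " .\t\r\n\0");               // trailing spaces and dots
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

// Return null if the upload is acceptable, otherwise an error message.
// $file is one entry of $_FILES. Its 'type' field (the client's Content-Type,
// the only thing level 1 checks) is deliberately never read.
function validate_upload(array $file): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed';
    }
    $ext = canonical_extension($file['name'] ?? '');
    if (!isset(ALLOWED_EXT[$ext])) {
        return 'extension not allowed';
    }
    // Sniff the bytes instead of believing the header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED_EXT[$ext]) {
        return 'file content does not match its extension';
    }
    return null;
}

// Build the destination on the server: random name plus the verified
// extension. Neither the original filename nor a form field such as
// $_POST['save_name'] (level 4) ever becomes part of the path.
function destination_path(array $file): string {
    return UPLOAD_PATH . '/' . bin2hex(random_bytes(16)) . '.' . canonical_extension($file['name']);
}

// Handler with the same shape as the lab's snippets.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'], $_FILES['upload_file'])) {
    if (!is_dir(UPLOAD_PATH)) {
        $msg = 'upload directory does not exist';
    } else {
        $file = $_FILES['upload_file'];
        $msg = validate_upload($file);
        if ($msg === null) {
            $is_upload = move_uploaded_file($file['tmp_name'], destination_path($file));
            if (!$is_upload) {
                $msg = 'upload failed';
            }
        }
    }
}
```

Two things the code alone cannot do: the upload directory should be served with script execution disabled (for Apache with mod_php, `php_flag engine off` for that directory, placed in the server configuration rather than in a writable .htaccess, since level 3's deny-list shows why an uploadable .htaccess matters), and the allow-list should stay as short as the application actually needs.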
5. Find the flag through the protocol
Seeing a crawler page should make you think of the crawler protocol.
First, some background: the Robots protocol, also called the crawler protocol, lets a website tell crawlers which pages may be crawled. It is implemented as an ASCII-encoded text file in the site's root directory.
So we look at it directly by visiting robots.txt. This also appeared in the recent 红帽杯 (Red Hat Cup), though only as a hint.
It reveals the flag page, so you get the idea?
/No way, surely nobody sees the path and still doesn't know what to do? Just visit it./
We get a rather mocking message; those who know, know.
/A blank page, and it even tells you where to look. You must know by now: press F12 and read the source./
6. Response packet
The page says this is not a local login, so capture the request with Burp Suite.![image](https://i-blog.csdnimg.cn/blog_migrate/3338e32b8ca88d3fdf1eca6b803d79bc.png)
Add X-Forwarded-For: 127.0.0.1
The response now says the request is not from the server's "hello" browser.
Change the User-Agent to hello:
User-Agent: hello
X-Forwarded-For: 127.0.0.1
Success, we get the flag.
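The check in this level trusts X-Forwarded-For, which is just a request header any client can add, and then compares a second client-supplied header. The code below is an added example, not the challenge's code or the writeup's: it shows how a back end should derive the client address, honouring X-Forwarded-For only when the TCP connection really arrives from a known reverse proxy. The proxy address 10.0.0.2 and the three sample requests are constructed for the example.

```php
<?php
// Added example (not from the writeup or the challenge): resolving the real
// client address. The challenge's check reads X-Forwarded-For directly, which
// any client can set with a single header.

// X-Forwarded-For is honoured only when the TCP peer (REMOTE_ADDR) is one of
// our own reverse proxies, and even then only the hop that our proxy appended
// (the right-most non-proxy value), never a value the client wrote itself.
function client_ip(array $server, array $trusted_proxies): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer;                       // direct connection: the header is noise
    }
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_map('trim', explode(',', $xff));
    // Walk from the right, skipping our own proxies; the first address that is
    // not ours is the real client. Everything left of it came from the client.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if ($hops[$i] !== ''
            && !in_array($hops[$i], $trusted_proxies, true)
            && filter_var($hops[$i], FILTER_VALIDATE_IP) !== false) {
            return $hops[$i];
        }
    }
    return $peer;
}

// The level's two conditions, re-expressed on top of the resolved address:
// "local" means the client address is loopback, and the User-Agent must match.
function is_local_hello(array $server, array $trusted_proxies): bool {
    return client_ip($server, $trusted_proxies) === '127.0.0.1'
        && ($server['HTTP_USER_AGENT'] ?? '') === 'hello';
}

// Constructed requests, no real traffic. The proxy address is an assumption.
$trusted = ['10.0.0.2'];

// 1. The writeup's forged headers arriving directly from the internet.
$forged = [
    'REMOTE_ADDR'          => '203.0.113.9',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
    'HTTP_USER_AGENT'      => 'hello',
];
var_dump(is_local_hello($forged, $trusted));

// 2. The same forged header arriving through our proxy, which appended the peer.
$via_proxy = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.9',
    'HTTP_USER_AGENT'      => 'hello',
];
var_dump(is_local_hello($via_proxy, $trusted));

// 3. A genuine loopback connection.
$local = ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_USER_AGENT' => 'hello'];
var_dump(is_local_hello($local, $trusted));
```

In the first request the peer is not a trusted proxy, so the header is ignored and the address stays 203.0.113.9; in the second the walk from the right stops at 203.0.113.9, the hop our proxy appended, before it ever reaches the client's 127.0.0.1; only the third request, whose socket really is loopback, passes. The User-Agent comparison stays a plain string match because that header is informational and can never establish where a request came from.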
7. Packet analysis
Download the file.
Unzip it:
unzip wireshark.zip
Inside is a pcapng; extract the flag from it:
strings misc_02.pcapng |grep flag
strings searches object files or binary files for printable character strings.