CTF-网页上传题

1.根据下方代码上传名为1.php的文件

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错！';
}
} else {
$msg = '文件类型不正确，请重新上传！';

$is_upload = false;	判断是否为真

(isset($_POST['submit']))
isset（）			判断是否设定了某个变量
$_POST["submit"]	通过POST提交的变量

(file_exists(UPLOAD_PATH))
file_exists() 		检查文件或目录是否存在
UPLOAD_PATH			上传路径

upload_file			上传文件
temp_file			临时文件
tmp_name			文件保存的名字
 $_FILES['upload_file']['tmp_name']文件上传保存后的文件的保存名字，即文件上传后的名字

img_path			图片路径
upload_file			上传文件
$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'] 
图片路径=上传路径.'/'.数组['上传文件']['名字']

move_uploaded_file	将上传的文件移动到新位置
temp_file			临时文件
(move_uploaded_file($temp_file, $img_path))	移动图片上传的位置（临时文件.图片路径）

总体判断

如果上传png，gif，jpeg文件就会被拒绝无法上传

启动burpsuite抓包

上传jpeg文件抓包

将1.jpg改成1.php

成功！通过burpsuite把文件改成php文件

2.根据下方代码上传文件

$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');
if(!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$_FILES['upload_file']['name'];
if($_FILES['upload_file']['name']=='3.php'){
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错！';
}
} }else {
$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件！';

发现不能向上题一样把文件修改成php

那我们把文件改成phtml

不触发后缀名检测，成功上传！

3.根据下面的代码上传文件

这么多你是不是玩不起QAQ!

if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".htaccess");
$file_name = $_FILES['upload_file']['name'];
$file_name = deldot($file_name);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext);
$file_ext = str_ireplace('::$DATA', '', $file_ext);

if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错！';
}
}else {
$msg = '此文件不允许上传';

上传3.jpeg

修改成

3.php /后面加个空格

上传成功，你可没说不能上传php TVT

4.根据下方代码上传文件

多了个文本框

if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = $_POST['save_name'];
$file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
if(!in_array($file_ext,$deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' .$file_name;

上传

3.php 

好家伙玩不起了，用不了。

然后试试那个多出来的玩意

最好发现改成php，就可以上传了。就是让你觉得不可能是php,然后结果偏偏就是php

5.根据协议寻找flag

看到爬虫页面就要联想到爬虫协议
首先了解下扫描是爬虫协议，Robots协议也称作爬虫协议，它会让网站告诉爬虫可爬取的页面。robots协议通过在网站根目录下的ASCII编码的文本文件来实现。

所以我们直接通过访问robots.txt来查看，最近红帽杯出来这个，不过是提示

发现flag页面，所以你懂了吗？

/不会吧不会吧竟然有人看到路径不知道？直接访问/

看到一个急剧嘲讽的东西，懂得都懂

/一片空白，还告诉你在哪了，你不会不知道吧，F12看源码/

6.响应数据包

看到没有本地登录burpsuite抓包

添加X-Forwarded-For:127.0.0.1

返回不是来着服务器hello的预览器

修改user-Agent为hello

User-Agent: hello
X-Forwarded-For:127.0.0.1

成功，获取flag

7. 数据包分析

下载文件

解压文件

unzip wireshark.zip

发现pcang提取flag

strings misc_02.pcapng |grep flag
strings在对象文件或二进制文件中查找可打印的字符串

8.密码学

发现加密密码解密

9.html长度限制与cookie突破限制

不知道怎么办我们就F12

发现长度限制和禁止写入，这你能让忍？删了删了。## 发现要管理员权限，那我们通过cookie突破限制

把login改为1,再次登录

成功拿到flag