[網安中國行](web)大美龍江

根據對網站功能的審計 , 發現存在 downfile.php
這裡是可以下載一個圖片的
通過 fuzz 測試之後 , 發現這裡存在注入 , 可以讀取任意 php 檔案
截圖如下
根據對網站功能的審計 , 發現存在 downfile.php
這裡是可以下載一個圖片的
通過 fuzz 測試之後 , 發現這裡存在注入 , 可以讀取任意 php 檔案
截圖如下

通過讀取 downfile.php
得到 :

<?php 

defined("DIR_PERMITION") or die("Access denied!");

if(!isset($_SESSION['username'])||!isset($_SESSION['userid'])){
      header("Location: index.php?file=login");
      die();
 }

?>
<link rel="stylesheet" href="./css/main.css" style="css" />
<div id="left"><div class="main"><table align=center  cellspacing="0" cellpadding="0" style="border-collapse: collapse;border:0px;">
    <tr>
    <form method=get action="index.php">
          <td align=right style="padding:0px; border:0px; margin:0px;">
            <input type=submit name=file value="home" class="side-pan">
          </td>
          <td  align=right style="padding:0px; border:0px; margin:0px;" >
             <input type=submit name=file value="download" class="side-pan">
         </td>
         <td  align=right style="padding:0px; border:0px; margin:0px;" >
            <input type=submit name=file value="upload" class="side-pan">
        </td>
    </form></tr></table></div></div>
<div id="right"></div><div align=center>

<form action="index.php?file=upload" method="post" enctype="multipart/form-data">
    <input type="file" name ="file">
    <input type="submit" name="submit" value="upload" >
</form>

<?php

if (isset($_FILES['file'])) {
    
    $seed = rand(0,getrandmax());
    mt_srand($seed);
    if ($_FILES["file"]["error"] > 0) {
        echo "<div class=\"msg error\" id=\"message\">
        <i class=\"fa fa-exclamation-triangle\">uplpad file error!:".$_FILES["file"]["error"]."</i></div>";
        die();
    }
    $fileTypeCheck = ((($_FILES["file"]["type"] == "image/gif")
            || ($_FILES["file"]["type"] == "image/jpeg")
            || ($_FILES["file"]["type"] == "image/pjpeg")
            || ($_FILES["file"]["type"] == "image/png"))
        && ($_FILES["file"]["size"] < 204800));
    $reg='/^gif|jpg|jpeg|png$/';
    $fileExtensionCheck=!preg_match($reg,pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
    
    if($fileExtensionCheck){
        die("Only upload image file!");
    }
    if($fileTypeCheck){
        
        $fileOldName = addslashes(pathinfo($_FILES['file']['name'],PATHINFO_FILENAME));
        $fileNewName = './Up10aDs/' . random_str() .'.'.pathinfo($_FILES['file']['name'],PATHINFO_EXTENSION);
        $userid = $_SESSION['userid'];
        $sql= "insert into `download` (`uid`,`image_name`,`location`) values ($userid,'$fileOldName','$fileNewName')";
        $res = $conn ->query($sql);
        if($res&&move_uploaded_file($_FILES['file']['tmp_name'], $fileNewName)){
         echo "<script>alert('file upload success!');window.location.href='index.php?file=home'</script>";

        }else{
             echo "<script>alert('file upload error')</script>";
        }

    }else{

        echo "<script>alert('file  type error');</script>";
    }

}

?>

upload.php

<?php 

defined("DIR_PERMITION") or die("Access denied!");

if(!isset($_SESSION['username'])||!isset($_SESSION['userid'])){
      header("Location: index.php?file=login");
      die();
 }

?>
<link rel="stylesheet" href="./css/main.css" style="css" />
<div id="left"><div class="main"><table align=center  cellspacing="0" cellpadding="0" style="border-collapse: collapse;border:0px;">
    <tr>
    <form method=get action="index.php">
          <td align=right style="padding:0px; border:0px; margin:0px;">
            <input type=submit name=file value="home" class="side-pan">
          </td>
          <td  align=right style="padding:0px; border:0px; margin:0px;" >
             <input type=submit name=file value="download" class="side-pan">
         </td>
         <td  align=right style="padding:0px; border:0px; margin:0px;" >
            <input type=submit name=file value="upload" class="side-pan">
        </td>
    </form></tr></table></div></div>
<div id="right"></div><div align=center>

<form action="index.php?file=upload" method="post" enctype="multipart/form-data">
    <input type="file" name ="file">
    <input type="submit" name="submit" value="upload" >
</form>

<?php

if (isset($_FILES['file'])) {
    
    $seed = rand(0,getrandmax());
    mt_srand($seed);
    if ($_FILES["file"]["error"] > 0) {
        echo "<div class=\"msg error\" id=\"message\">
        <i class=\"fa fa-exclamation-triangle\">uplpad file error!:".$_FILES["file"]["error"]."</i></div>";
        die();
    }
    $fileTypeCheck = ((($_FILES["file"]["type"] == "image/gif")
            || ($_FILES["file"]["type"] == "image/jpeg")
            || ($_FILES["file"]["type"] == "image/pjpeg")
            || ($_FILES["file"]["type"] == "image/png"))
        && ($_FILES["file"]["size"] < 204800));
    $reg='/^gif|jpg|jpeg|png$/';
    $fileExtensionCheck=!preg_match($reg,pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
    
    if($fileExtensionCheck){
        die("Only upload image file!");
    }
    if($fileTypeCheck){
        
        $fileOldName = addslashes(pathinfo($_FILES['file']['name'],PATHINFO_FILENAME));
        $fileNewName = './Up10aDs/' . random_str() .'.'.pathinfo($_FILES['file']['name'],PATHINFO_EXTENSION);
        $userid = $_SESSION['userid'];
        $sql= "insert into `download` (`uid`,`image_name`,`location`) values ($userid,'$fileOldName','$fileNewName')";
        $res = $conn ->query($sql);
        if($res&&move_uploaded_file($_FILES['file']['tmp_name'], $fileNewName)){
         echo "<script>alert('file upload success!');window.location.href='index.php?file=home'</script>";

        }else{
             echo "<script>alert('file upload error')</script>";
        }

    }else{

        echo "<script>alert('file  type error');</script>";
    }

}

?>

之前上傳的時候非常迷惑 , 這裡不能直接上傳 , 上傳檔案的時候發現每次都上傳錯誤
如下圖

比賽結束後復現的時候突然有能上傳成功了....這是什麼鬼...
沒有截到上傳失敗的圖片...

        }else{
             echo "<script>alert('file upload error')</script>";
        }
// 每次都會走這個分支

讀取到這個原始碼以後 , 感覺應該是題目環境部署的問題
應該是沒有給Up10aDs這個目錄寫許可權

誒...這個目錄
Up10aDs
好熟悉
google一番找到原題
flag檔名稱都沒改

F1AgIsH3r3G00d.php

比賽結束後這個檔案居然被刪除了...