
BUUCTF web challenges: partial writeup

程序员文章站 2022-05-13 19:08:11

Continuously updated

[MRCTF2020]你传你????呢

This is clearly a file upload challenge, so we start by uploading a webshell.php directly.

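That does not work: the upload is filtered. We capture the request to take a closer look. Guessing that the check is on the file extension, we change the extension from php to jpg.

Still rejected. Next we change the Content-Type to image/jpeg.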

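Changing the extension back to php makes the upload fail again, so the server presumably validates both the Content-Type and the file extension. We run through a list of extensions to see which ones are filtered.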

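These are the extensions that can be uploaded, which means we can upload a .htaccess file. What .htaccess does is not covered in detail here; look it up if you are unfamiliar with it.

Contents of .htaccess: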

<FilesMatch "jpg|png|gif|JPG">  
	    SetHandler application/x-httpd-php  
</FilesMatch>

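After uploading it, we upload the trojan again as a jpg file. The server now parses .jpg files as PHP, which bypasses the check, and we connect with 菜刀 (China Chopper).

The flag file is in the root directory.

Contents of upload.php: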

<?php
session_start();
echo "
<meta charset=\"utf-8\">";
if(!isset($_SESSION['user'])){
    $_SESSION['user'] = md5((string)time() . (string)rand(100, 1000));
}
if(isset($_FILES['uploaded'])) {
    $target_path  = getcwd() . "/upload/" . md5($_SESSION['user']);
    $t_path = $target_path . "/" . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_ext  = substr($uploaded_name, strrpos($uploaded_name,'.') + 1);
    $uploaded_size = $_FILES['uploaded']['size'];
    $uploaded_tmp  = $_FILES['uploaded']['tmp_name'];
 
    if(preg_match("/ph/i", strtolower($uploaded_ext))){
        die("我扌your problem?");
    }
    else{
        if ((($_FILES["uploaded"]["type"] == "
            ") || ($_FILES["uploaded"]["type"] == "image/jpeg") || ($_FILES["uploaded"]["type"] == "image/pjpeg")|| ($_FILES["uploaded"]["type"] == "image/png")) && ($_FILES["uploaded"]["size"] < 2048)){
            $content = file_get_contents($uploaded_tmp);
            mkdir(iconv("UTF-8", "GBK", $target_path), 0777, true);
            move_uploaded_file($uploaded_tmp, $t_path);
            echo "{$t_path} succesfully uploaded!";
        }
        else{
            die("我扌your problem?");
        }
    }
}
?>
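
The upload.php above rejects only extensions containing "ph" and trusts the client-supplied Content-Type, which is why .htaccess got through. The following is an added example, not part of the challenge or the original writeup, of the same handler rewritten with an allow-list; `validate_upload()`, the `ALLOWED` map and the `/srv/uploads` path are hypothetical, and PHP's fileinfo extension is assumed to be enabled.

```php
<?php
// Added example (not the challenge's code): allow-list validation for an upload.
// validate_upload(), ALLOWED and /srv/uploads are hypothetical names.

const ALLOWED = [            // extension => MIME type expected from content sniffing
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
];

function validate_upload(string $clientName, string $tmpPath, int $size): ?string
{
    if ($size <= 0 || $size >= 2048) {          // same size limit as the original
        return null;
    }
    $base = basename($clientName);
    // Reject dotfiles such as .htaccess and names with no extension.
    if ($base === '' || $base[0] === '.' || strpos($base, '.') === false) {
        return null;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {     // allow-list, not a "ph" deny-list
        return null;
    }
    // Sniff the type from the bytes; $_FILES[...]['type'] is client-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== ALLOWED[$ext]) {
        return null;
    }
    // Server-chosen name: the client never controls the stored filename.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

if (isset($_FILES['uploaded']) && $_FILES['uploaded']['error'] === UPLOAD_ERR_OK) {
    $f = $_FILES['uploaded'];
    $name = validate_upload($f['name'], $f['tmp_name'], $f['size']);
    $dir = '/srv/uploads';                      // assumed path outside the web root
    if ($name === null || !move_uploaded_file($f['tmp_name'], "$dir/$name")) {
        http_response_code(400);
        exit('upload rejected');
    }
    echo 'stored as ' . htmlspecialchars($name);
}
```

If uploads have to stay under the web root, setting `AllowOverride None` for that directory in the Apache configuration makes the server ignore any .htaccess file placed there.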