Buuctf babyupload[gxyctf2019]

Direct opening burpsuite, Packet capture upload point , The old rule is to send the configuration file first

Right click to send to repeater （Repeater）, Switch to repeater , Click Send

png The suffix cannot be passed ？？？

It may be the file name or suffix or the file type Content-Type Or the contents of the file do not conform to , Here are the tests one by one , Test all common picture suffixes first （png、jpg、jpeg、gif）

I can't find it , Then the suffix remains png, test Content-Type, Found upload successful

Delete the file suffix and upload

  Yes MIME The head white list filters , Only accept jpeg type , But there seems to be no strict filtering of suffixes , That's filtering ph

  Now that the configuration file has been uploaded successfully , Just upload the horse directly

I found that it was filtered out <?, Then change it php Format

<script language="php"> @eval($_POST["x"]);</script>

Upload successful , According to echo , Get the file upload address

  Upper ant sword connection , The connection was found to be unsuccessful , Embarrassed , Look back to know .htaccess The configuration file cannot be on the file header , Remove the file header and upload it

  Ant sword connected successfully

  Get flag