当前位置：网站首页>xctf Attack and Defense World Web Master Advanced Zone upload1

xctf Attack and Defense World Web Master Advanced Zone upload1

2022-08-06 03:21:00 【l8947943】

0x01. Enter the environment and check the problem

Insert image description here
After uploading the file casually, it is prompted to upload jpg file.That is to say, only upload jpg files. After trying to upload, as shown in the figure:

You can directly access the address: http://61.147.171.105:50326/upload/1659513440.a.jpg to complete the access to the uploaded content.

0x02. Start doing the question

0x02_1. Problem Analysis

After the upload is successful, we have no other content. The guess is that after the upload is successful, we need to let the uploaded content reveal some content, which is associated with a Trojan horse in PHP.

0x02_2. Solution 1

We create a one-sentence Trojan horse, change its suffix to jpg, open burpsuite to upload and capture the package, as shown in the figure:
Insert image description here
Put it in the repeater, modify the filename to .php, and submit it again, as shown in the figure:
Insert picture description here
This picture shows that the Trojan has been uploaded successfully, and the read link is http://61.147.171.105:50326/upload/1659514417.a.php, then use the ant sword tool to connect directly, as shown in the figure:
insert image description here
Scroll through the content and see:

After opening, get the final flag, the final answer is: cyberpeace{c5e37ef852170a34ffb889d26c6bad7c}

0x02_3. Solution 2

Using the system command in php, you can directly find the relevant content of the flag, and then check to return the specific content.First construct the payload,

 system('find / -name "flag*"'); ?>

As shown in the figure:
Insert picture description here
Then visit the address, directlyEcho the position of the flag.
Insert image description here
As you can see, the flag position is at: /var/www/html/flag.php, then use cat to view the specific content, and continue to modify the payload:

 system('cat /var/www/html/flag.php'); ?>

As shown in the figure:
insert image description here
Visit the link and check backDisplay the content, as shown in the figure:

Get the final falg answer.

0x02_4. Solution 3

We make the front-end button directly invalid, forcibly upload the php one-sentence Trojan horse file, as shown in the figure, find the upload button, delete disabled directly in the front-end, and press Enter to upload directly,
insert image description here
After uploading successfully, it will display as shown:

Indicates that the php file is forcibly uploaded successfully, and then use the ant sword to link, the subsequent operations are the same as the second half of the solution.