根据对网站功能的审计 , 发现存在 downfile.php
这里是可以下载一个图片的
通过 fuzz 测试之后 , 发现这里存在注入 , 可以读取任意 php 文件
截图如下
根据对网站功能的审计 , 发现存在 downfile.php
这里是可以下载一个图片的
通过 fuzz 测试之后 , 发现这里存在注入 , 可以读取任意 php 文件
截图如下
image.png
通过读取 downfile.php
得到 :
<?php
defined("DIR_PERMITION") or die("Access denied!");
if(!isset($_SESSION['username'])||!isset($_SESSION['userid'])){
header("Location: index.php?file=login");
die();
}
?>
<link rel="stylesheet" href="./css/main.css" style="css" />
<div id="left"><div class="main"><table align=center cellspacing="0" cellpadding="0" style="border-collapse: collapse;border:0px;">
<tr>
<form method=get action="index.php">
<td align=right style="padding:0px; border:0px; margin:0px;">
<input type=submit name=file value="home" class="side-pan">
</td>
<td align=right style="padding:0px; border:0px; margin:0px;" >
<input type=submit name=file value="download" class="side-pan">
</td>
<td align=right style="padding:0px; border:0px; margin:0px;" >
<input type=submit name=file value="upload" class="side-pan">
</td>
</form></tr></table></div></div>
<div id="right"></div><div align=center>
<form action="index.php?file=upload" method="post" enctype="multipart/form-data">
<input type="file" name ="file">
<input type="submit" name="submit" value="upload" >
</form>
<?php
if (isset($_FILES['file'])) {
$seed = rand(0,getrandmax());
mt_srand($seed);
if ($_FILES["file"]["error"] > 0) {
echo "<div class=\"msg error\" id=\"message\">
<i class=\"fa fa-exclamation-triangle\">uplpad file error!:".$_FILES["file"]["error"]."</i></div>";
die();
}
$fileTypeCheck = ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/pjpeg")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 204800));
$reg='/^gif|jpg|jpeg|png$/';
$fileExtensionCheck=!preg_match($reg,pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
if($fileExtensionCheck){
die("Only upload image file!");
}
if($fileTypeCheck){
$fileOldName = addslashes(pathinfo($_FILES['file']['name'],PATHINFO_FILENAME));
$fileNewName = './Up10aDs/' . random_str() .'.'.pathinfo($_FILES['file']['name'],PATHINFO_EXTENSION);
$userid = $_SESSION['userid'];
$sql= "insert into `download` (`uid`,`image_name`,`location`) values ($userid,'$fileOldName','$fileNewName')";
$res = $conn ->query($sql);
if($res&&move_uploaded_file($_FILES['file']['tmp_name'], $fileNewName)){
echo "<script>alert('file upload success!');window.location.href='index.php?file=home'</script>";
}else{
echo "<script>alert('file upload error')</script>";
}
}else{
echo "<script>alert('file type error');</script>";
}
}
?>
upload.php
<?php
defined("DIR_PERMITION") or die("Access denied!");
if(!isset($_SESSION['username'])||!isset($_SESSION['userid'])){
header("Location: index.php?file=login");
die();
}
?>
<link rel="stylesheet" href="./css/main.css" style="css" />
<div id="left"><div class="main"><table align=center cellspacing="0" cellpadding="0" style="border-collapse: collapse;border:0px;">
<tr>
<form method=get action="index.php">
<td align=right style="padding:0px; border:0px; margin:0px;">
<input type=submit name=file value="home" class="side-pan">
</td>
<td align=right style="padding:0px; border:0px; margin:0px;" >
<input type=submit name=file value="download" class="side-pan">
</td>
<td align=right style="padding:0px; border:0px; margin:0px;" >
<input type=submit name=file value="upload" class="side-pan">
</td>
</form></tr></table></div></div>
<div id="right"></div><div align=center>
<form action="index.php?file=upload" method="post" enctype="multipart/form-data">
<input type="file" name ="file">
<input type="submit" name="submit" value="upload" >
</form>
<?php
if (isset($_FILES['file'])) {
$seed = rand(0,getrandmax());
mt_srand($seed);
if ($_FILES["file"]["error"] > 0) {
echo "<div class=\"msg error\" id=\"message\">
<i class=\"fa fa-exclamation-triangle\">uplpad file error!:".$_FILES["file"]["error"]."</i></div>";
die();
}
$fileTypeCheck = ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/pjpeg")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 204800));
$reg='/^gif|jpg|jpeg|png$/';
$fileExtensionCheck=!preg_match($reg,pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
if($fileExtensionCheck){
die("Only upload image file!");
}
if($fileTypeCheck){
$fileOldName = addslashes(pathinfo($_FILES['file']['name'],PATHINFO_FILENAME));
$fileNewName = './Up10aDs/' . random_str() .'.'.pathinfo($_FILES['file']['name'],PATHINFO_EXTENSION);
$userid = $_SESSION['userid'];
$sql= "insert into `download` (`uid`,`image_name`,`location`) values ($userid,'$fileOldName','$fileNewName')";
$res = $conn ->query($sql);
if($res&&move_uploaded_file($_FILES['file']['tmp_name'], $fileNewName)){
echo "<script>alert('file upload success!');window.location.href='index.php?file=home'</script>";
}else{
echo "<script>alert('file upload error')</script>";
}
}else{
echo "<script>alert('file type error');</script>";
}
}
?>
之前上传的时候非常迷惑 , 这里不能直接上传 , 上传文件的时候发现每次都上传错误
如下图
image.png
比赛结束后复现的时候突然有能上传成功了....这是什么鬼...
没有截到上传失败的图片...
}else{
echo "<script>alert('file upload error')</script>";
}
// 每次都会走这个分支
读取到这个源码以后 , 感觉应该是题目环境部署的问题
应该是没有给Up10aDs这个目录写权限
诶...这个目录
Up10aDs
好熟悉
google一番找到原题
flag文件名称都没改
F1AgIsH3r3G00d.php
比赛结束后这个文件居然被删除了...
image.png
